[Security] End-to-end encryption with JavaScript client

Jack Moffitt jack at chesspark.com
Sat Aug 30 11:45:18 CDT 2008


> First, users of Javascript clients don't care about e2e security.

Ugh. Wrong.  Please don't make such sweeping generalizations.  In a
few years most XMPP usage will probably be through JavaScript if
current trends continue.

> Second, can you start direct XMPP connections from Javascript at all?
> Ok, you could use some in-band connections and even employ some of the
> crypto stuff but... first applies. Lots of work for no real reason.

BOSH exists and supports TLS.  It's also widely implemented.

> But if you really want it, the trust model won't work with Javascript
> anyway (you don't have access to local data). But the SAS method
> discussed earlier would work.

You easily have access to local data if you use the Dojo framework,
Google Gears, or a small bit of Flash.  This is not a problem in
reality.  Users know that for true security they will have to jump
through extra hoops, and installing Gears is really not that large of
a hoop.  Also, HTML5 will contain standardized local data storage as I
recall, so what you are talking about is a current browser limitation,
easily circumvented with current tools.  This will not be the state of
the Web in five years.

Also, what about Flash and Flex, both based on JavaScript?  Each of
those has easy access to local storage and can even make direct XMPP
connections without BOSH.

jack.
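The reply's point about the trust model is that a client needs somewhere to remember what it has already seen about a contact. The following is an added example, not code from the original post or from any XMPP project: a trust-on-first-use store for contact key fingerprints that keeps its state in the browser's HTML5 localStorage when that object exists and in an in-memory stand-in otherwise (so it also runs under Node). It assumes the fingerprint strings are computed elsewhere (for instance a hex hash of the contact's public key) and that the JIDs and fingerprints shown are constructed sample values.

```javascript
// Added example (not from the original post): a trust-on-first-use (TOFU)
// store for contact key fingerprints. Fingerprints are assumed to be hex
// strings computed elsewhere from the contact's public key.

const STORE_KEY = 'xmpp-e2e-trust';

// Backing store: real HTML5 localStorage in a browser, an in-memory
// stand-in (assumption, for running outside a browser) otherwise.
const memory = new Map();
const backend = (typeof localStorage !== 'undefined') ? localStorage : {
  getItem: (k) => (memory.has(k) ? memory.get(k) : null),
  setItem: (k, v) => { memory.set(k, String(v)); },
  removeItem: (k) => { memory.delete(k); },
};

function loadStore() {
  const raw = backend.getItem(STORE_KEY);
  return raw ? JSON.parse(raw) : {};
}

function saveStore(store) {
  backend.setItem(STORE_KEY, JSON.stringify(store));
}

function resetStore() {
  backend.removeItem(STORE_KEY);
}

// Compare two fingerprints without short-circuiting on the first mismatch.
function fingerprintsEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns 'new' (first contact, stored unverified), 'match' (same as stored
// but never confirmed out of band), 'verified' (same as a stored fingerprint
// the user confirmed), or 'changed' (differs from the stored one; the client
// should refuse to send until the user re-verifies).
function checkContact(jid, fingerprint) {
  const store = loadStore();
  const entry = store[jid];
  if (!entry) {
    store[jid] = { fingerprint, verified: false, firstSeen: Date.now() };
    saveStore(store);
    return 'new';
  }
  if (!fingerprintsEqual(entry.fingerprint, fingerprint)) return 'changed';
  return entry.verified ? 'verified' : 'match';
}

// Mark a fingerprint as verified after the user compared it with the contact
// over another channel. Refuses to mark anything but the stored fingerprint.
function markVerified(jid, fingerprint) {
  const store = loadStore();
  const entry = store[jid];
  if (!entry || !fingerprintsEqual(entry.fingerprint, fingerprint)) return false;
  entry.verified = true;
  saveStore(store);
  return true;
}

// After the user has confirmed a legitimate key change, replace the stored
// fingerprint. It starts out unverified again.
function acceptNewFingerprint(jid, fingerprint) {
  const store = loadStore();
  store[jid] = { fingerprint, verified: false, firstSeen: Date.now() };
  saveStore(store);
}

// Constructed sample run with made-up JID and fingerprints.
resetStore();
console.log(checkContact('alice@example.com', 'aa11'));  // new
console.log(markVerified('alice@example.com', 'aa11'));  // true
console.log(checkContact('alice@example.com', 'bb22'));  // changed
```

A client built on this would gate outgoing encrypted messages on `checkContact` returning `'verified'` (or at least `'match'`), and treat `'changed'` as a prompt for the out-of-band comparison the thread refers to rather than something to silently accept.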
