[Security] End-to-end encryption with JavaScript client

Dirk Meyer dmeyer at tzi.de
Sat Aug 30 11:53:46 CDT 2008


"Jack Moffitt" wrote:
>> First, users of Javascript clients don't care about e2e security.
>
> Ugh. Wrong.  Please don't make such sweeping generalizations.  In a
> few years most XMPP usage will probably be through JavaScript if
> current trends continue.

IF you have the script on your PC and not from a server. It makes no
sense to talk about e2e security when you receive your XMPP client
from a server just before you use it. Even better: most Javascript
files are sent over HTTP, not HTTPS.

>> Second, can you start direct XMPP connections from Javascript at all?
>> Ok, you could use some in-band connections and even employ some of the
>> crypto stuff but... first applies. Lots of work for no real reason.
>
> BOSH exists and supports TLS.  It's also widely implemented.

And with Jingle to start e2e you can use IBB. XMPP over IBB over XMPP
over BOSH. But I have no idea if you could use the normal starttls
over that stream. How does BOSH handle this? Use TLS on the HTTP layer
or use starttls?


Dirk

-- 
printk("; corrupted filesystem mounted read/write - your computer 
will explode within 20 seconds ... but you wanted it so!\n");
	2.4.3 linux/fs/hpfs/super.c

