[Security] End-to-end encryption with JavaScript client

Peter Saint-Andre stpeter at stpeter.im
Sat Aug 30 16:11:18 CDT 2008


Dirk Meyer wrote:
> "Jack Moffitt" wrote:
>>> Second, can you start direct XMPP connections from Javascript at all?
>>> Ok, you could use some in-band connections and even employ some of the
>>> crypto stuff but... first applies. Lots of work for no real reason.
>> BOSH exists and supports TLS.  It's also widely implemented.
> 
> And with Jingle to start e2e you can use IBB. XMPP over IBB over XMPP
> over BOSH. But I have no idea if you could use the normal starttls
> over that stream. How does BOSH handle this? Use TLS on the HTTP layer
> or use starttls?

The BOSH spec recommends using channel encryption between client and 
server at the HTTP (transport) layer, not the XMPP-over-HTTP (BOSH) 
layer. However, for e2e encryption you could do STARTTLS for the e2e 
stream and the BOSH layer wouldn't care about that because it all 
happens in (say) IBB payloads.

/psa
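
The layering described in this message, as an added illustration that is not part of the original post: e2e stream bytes are chunked into IBB `<data/>` payloads (XEP-0047) and carried inside a BOSH `<body/>` (XEP-0124), so the BOSH layer only relays base64 text. The JIDs, session ids, rid and sample bytes are constructed, and `startSeq` is a hypothetical parameter.

```javascript
// Added illustration. JIDs, sids and rid are constructed values.
const IBB_NS = 'http://jabber.org/protocol/ibb';        // XEP-0047
const BOSH_NS = 'http://jabber.org/protocol/httpbind';  // XEP-0124

// Split opaque e2e stream bytes (e.g. TLS records) into IBB <data/> stanzas.
// startSeq is a hypothetical knob for showing wrap-around; sessions start at 0.
function toIbbStanzas(bytes, { from, to, ibbSid, blockSize = 4096, startSeq = 0 }) {
  const buf = Buffer.from(bytes);
  const stanzas = [];
  for (let off = 0, seq = startSeq; off < buf.length;
       off += blockSize, seq = (seq + 1) % 65536) {   // seq is a 16-bit counter
    const b64 = buf.subarray(off, off + blockSize).toString('base64');
    stanzas.push(`<iq from='${from}' to='${to}' type='set' id='ibb-${seq}'>` +
      `<data xmlns='${IBB_NS}' seq='${seq}' sid='${ibbSid}'>${b64}</data></iq>`);
  }
  return stanzas;
}

// Wrap stanzas in one BOSH <body/>. This is all the connection manager sees;
// its own protection is TLS on the HTTP request that carries this body.
function toBoshBody(stanzas, { rid, boshSid }) {
  return `<body rid='${rid}' sid='${boshSid}' xmlns='${BOSH_NS}'>` +
    stanzas.join('') + '</body>';
}

// Receiving side: extract IBB payloads for one session, enforce seq order, and
// return the e2e bytes. The regex only matches stanzas built above; a real
// client would use an XML parser.
function fromBoshBody(body, ibbSid, startSeq = 0) {
  const re = /<data xmlns='[^']*' seq='(\d+)' sid='([^']*)'>([A-Za-z0-9+\/=]*)<\/data>/g;
  const parts = [];
  let expected = startSeq;
  for (const m of body.matchAll(re)) {
    if (m[2] !== ibbSid) continue;
    if (Number(m[1]) !== expected) {
      throw new Error(`IBB seq out of order: got ${m[1]}, expected ${expected}`);
    }
    parts.push(Buffer.from(m[3], 'base64'));
    expected = (expected + 1) % 65536;
  }
  return Buffer.concat(parts);
}

// Constructed stand-in for the first bytes of the e2e TLS stream.
const e2eBytes = Buffer.from('160301000a0102030405', 'hex');
const opts = { from: 'a@example.org/web', to: 'b@example.org/desk', ibbSid: 'e2e1' };
```

The sequence check matters because IBB is the transport under the e2e stream: a dropped or reordered block has to surface as an error rather than be handed to the TLS layer as if it were contiguous.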