[Security] End-to-end encryption with JavaScript client

Pavel Simerda pavlix at pavlix.net
Sat Aug 30 17:45:43 CDT 2008


On Sat, 30 Aug 2008 10:45:18 -0600
"Jack Moffitt" <jack at chesspark.com> wrote:

> > First, users of JavaScript clients don't care about e2e security.
> 
> Ugh. Wrong.  Please don't make such sweeping generalizations.  In a
> few years most XMPP usage will probably be through JavaScript if
> current trends continue.

That will be a bad time for us all.


> 
> > Second, can you start direct XMPP connections from JavaScript at
> > all? Ok, you could use some in-band connections and even employ
> > some of the crypto stuff but... first applies. Lots of work for no
> > real reason.
> 
> BOSH exists and supports TLS.  It's also widely implemented.
> 
> > But if you really want it, the trust model won't work with
> > JavaScript anyway (you don't have access to local data). But the
> > SAS method discussed earlier would work.
> 
> You easily have access to local data if you use the Dojo framework,
> Google Gears, or a small bit of Flash.  This is not a problem in
> reality.  Users know that for true security they will have to jump
> through extra hoops, and installing Gears is really not that large of
> a hoop.  Also, HTML5 will contain standardized local data storage as I
> recall, so what you are talking about is a current browser limitation,
> easily circumvented with current tools.  This will not be the state of
> the Web in five years.
> 
> Also, what about Flash and Flex, both based on JavaScript?  Each of
> those has easy access to local storage and can even make direct XMPP
> connections without BOSH.

I wasn't talking about JavaScript as the language. I was replying to
your point about the browser-based JavaScript sandbox.

> 
> jack.


-- 

Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net

