[Security] End-to-end encryption with JavaScript client

Winfried Tilanus winfried at tilanus.com
Tue Sep 2 08:18:09 CDT 2008

Dirk Meyer dmeyer wrote:

> It makes no sense to talk about e2e security when you receive your
> XMPP client from a server just before you use it.

Well, I have potential use for it: I am running chat-services for
social-psychological aid. My customers do trust me with software and
servers, they might or might not trust me with the content of the chats.

The work of some of my customers might be subject to laws on medical
secrecy, medical information protection or other (privacy) legislation.
Other customers have strict protocols on storage / not storing and who
should have access to the chats. Apart from this, different legislations
on things like wiretapping and handing over traffic to the police in
different countries might cause problems.

So e2e encryption on the following path: webclient <-> my server <->
(web)client can save me and my customers a lot of headaches: being
unable to know is usually the best for me.

This still leaves the question open whether it is feasible to make a
JavaScript client do XMPP over TLS over IBB over BOSH over HTTPS? ;-)

best wishes,


xmpp:winfried at jabber.xs4all.nl
tel. 015-3613996 / 06-23303960
fax. 015-3614406
