[Security] e2e in javascript and J2ME (Was: Re: XMPP encryption summary from IETF 74)

Winfried Tilanus winfried at tilanus.com
Fri Apr 3 04:01:25 CDT 2009


On 04/03/2009 Dirk Meyer wrote:

Hi,

> Encryption in JavaScript ... *shiver* ... I'm not sure how the
> performance of RSA written in JavaScript would be.

Well, the little maths I did in JavaScript recently performed better than
I expected. I have the impression JavaScript engines are getting more
and more optimised.

> On the other hand I'm not sure you can get end-to-end security if you
> download the code on-the-fly from the server.

We had some discussion about this on the BOSH list recently. My short
summary of that discussion is:
Cross domain scripting techniques are more and more used, and scripting
relies more and more on third party libraries, so there is a growing
world that keeps the middle between loading code on-the-fly from the
server and running your client-side program (and when browsers get a
function to checksum the scripts they are running, there might even be
more possible here). And although it is not e2e security, a server-admin
running web-based services might be interested in a system with forward
security, just to keep chats safe from stolen equipment, hackers and
authorities (at least I am).

> JavaScript is not the only
> language with problems, a J2ME client will also not work. The question
> is: do we care? If we do, we need something much simpler and self-made
> (I hate to say it, but ESessions comes to my mind). Or we ignore it and
> assume that future browsers may have an XMPP stack inside or at least
> have TLS/SRP support.

I believe J2ME might even be a bigger problem than JavaScript and I
certainly do care. But my first reaction is 'ignore'. We want to create
a protocol that is widely adopted. I think (but am no expert on this)
that the chance of getting something like XTLS adopted is greater than
getting ESessions adopted. Browsers and mobile devices slowly need more
and more security features, while their processing power steadily
increases. So I assume that the problems with them doing encryption /
TLS will solve themselves.

best wishes,

Winfried

-- 
http://www.tilanus.com
xmpp:winfried at jabber.xs4all.nl
tel. 015-3613996 / 06-23303960
fax. 015-3614406

