winfried at tilanus.com
Fri Apr 3 04:01:25 CDT 2009
On 04/03/2009 Dirk Meyer wrote:
and more optimised.
> On the other hand I'm not sure you can get end-to-end security if you
> download the code on-the-fly from the server.
We had some discussion about this on the BOSH list recently. My short
summary of that discussion is:
Cross-domain scripting techniques are used more and more, and scripting
relies more and more on third-party libraries, so a world is growing
that lies in the middle between loading code on-the-fly from the
server and running your client-side program (and when browsers get a
function to checksum the scripts they are running, there might even be
more possible here). And although it is not e2e security, a server admin
running web-based services might be interested in a system with forward
security, just to keep chats safe from stolen equipment, hackers and
authorities (at least I am).
> language with problems, a J2ME client will also not work. The question
> is: do we care? If we do, we need something much simpler and self-made
> (I hate to say it, but ESessions comes to my mind). Or we ignore it and
> assume that future browsers may have an XMPP stack inside or at least
> have TLS/SRP support.
certainly do care. But my first reaction is 'ignore'. We want to create
a protocol that is widely adopted. I think (but am no expert on this)
that the chance of getting something like XTLS adopted is greater than
getting ESessions adopted. Browsers and mobile devices slowly need more
and more security features, while their processing power steadily
increases. So I assume that the problems with them doing encryption /
TLS will solve themselves.
xmpp:winfried at jabber.xs4all.nl
tel. 015-3613996 / 06-23303960