[standards-jig] SSL/TLS mandatory

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Sun Jan 25 22:07:59 UTC 2004


On Sunday 25 January 2004 12:11 pm, Jesper Krogh wrote:
> In gmane.network.jabber.standards-jig, Chris Mullins wrote:
> >  While plain-text passwords are certainly worrisome, at least the option
> >  is there to send them over a SSL/TLS stream. In fact many servers
> >  REQUIRE the connection to be over a SSL/TLS stream, making the
> >  plain-text a little bit less significant than it would otherwise be.
>
> I really think that we should require SSL/TLS real soon now, I can hardly
> find any reason for anyone to use it. Have I missed anything?
>
> Unlike http where you have anonymous browsing, your username/password is
> sent every time you connect to your server in Jabber, which actually
> makes all communication sensible.
>
> For statistics on my server:
> http://status.jabbernet.dk/c2s.html
> We can actually see that we are down to about 15% that uses SSL/TLS.
>
> Is it better at other servers?

This will get better in the future, now that XMPP has 'starttls', which means 
it can be auto-detected.  Clients can simply warn the user if TLS is not 
available.  Servers can even be configured to require TLS (this would be 
analogous to only running the old protocol on 5223).

However, it's worth noting that XMPP also supports SASL encryption.  This is 
optimal for login-based protocols (such as Jabber), because the password is 
used as a shared secret instead of a certificate.  Many of the free public 
servers will love this.

Conclusion:  TLS should not be required in all cases, as SASL is a good 
alternative.  Clients should simply be smart about what they support, putting 
security first.

-Justin
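The STARTTLS auto-detection described in the message above, as an added example that is not part of the original mail thread or of any Jabber implementation: an XMPP client reads the server's <stream:features/> stanza (RFC 3920 layout, namespaces urn:ietf:params:xml:ns:xmpp-tls and urn:ietf:params:xml:ns:xmpp-sasl) and decides whether to negotiate TLS, warn the user, or refuse to send the password at all. The three stanzas are constructed samples, not captured traffic, and the policy (treat PLAIN as the only password-revealing mechanism, always prefer STARTTLS when offered) is an assumption made for illustration.

```python
"""Security-first XMPP client decision from <stream:features/> (added example).

Assumptions: stanzas below are constructed samples in the RFC 3920 layout;
the policy in decide() is illustrative, not taken from any real client.
"""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# SASL mechanisms that send the password itself on the wire (assumed policy list).
PLAINTEXT_MECHS = {"PLAIN"}

# Constructed sample stanzas (not captured from a real server).
FEATURES_TLS_REQUIRED = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"><required/></starttls>
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

FEATURES_NO_TLS_DIGEST = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

FEATURES_NO_TLS_PLAIN_ONLY = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""


def parse_features(xml_text):
    """Return (starttls_offered, starttls_required, [mechanisms]) from a stream:features stanza."""
    root = ET.fromstring(xml_text)
    tls = root.find(f"{{{NS_TLS}}}starttls")
    offered = tls is not None
    # <required/> inside <starttls/> means the server refuses to continue without TLS.
    required = offered and tls.find(f"{{{NS_TLS}}}required") is not None
    mechs = [
        m.text.strip()
        for m in root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")
        if m.text
    ]
    return offered, required, mechs


def decide(xml_text):
    """Assumed security-first client policy. Returns (action, sasl_mechanism_or_None).

    'starttls' - TLS is offered (required or not): negotiate it first. The mechanism
                 is chosen later, from the features the server re-sends after TLS.
    'warn'     - no TLS, but a mechanism exists that does not send the raw password;
                 warn the user, then use that mechanism.
    'refuse'   - no TLS and only password-revealing mechanisms: do not authenticate.
    """
    offered, _required, mechs = parse_features(xml_text)
    if offered:
        return "starttls", None
    non_plain = [m for m in mechs if m not in PLAINTEXT_MECHS]
    if non_plain:
        return "warn", non_plain[0]
    return "refuse", None


if __name__ == "__main__":
    for name, stanza in [("tls required", FEATURES_TLS_REQUIRED),
                         ("no tls, digest", FEATURES_NO_TLS_DIGEST),
                         ("no tls, plain only", FEATURES_NO_TLS_PLAIN_ONLY)]:
        print(f"{name:20s} -> {decide(stanza)}")
```

A real client would run this once on the initial features, complete the TLS handshake and stream restart when the action is 'starttls', and then run the mechanism choice again on the post-TLS features, where PLAIN becomes acceptable because the transport is now encrypted.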


