[Standards] Any protocol to request encrypted connections?

Matthias Wimmer m at tthias.eu
Mon Feb 5 01:28:48 UTC 2007


Do we have any XEP that allows a client to request that a message is 
only allowed to be forwarded by a server using encrypted connections 
where the destination of the message has been authenticated?

In general: I think we should start thinking about better identity 
verification of the destination of an XMPP link. On s2s connections using 
dialback we currently have NO verification that the destination is the 
server we expect it to be. An attacker that is able to reroute a 
connection to his own server (either by modifying the DNS entries of the 
destination server or by hijacking the connection at the IP layer) will 
get the stanzas that are addressed to the attacked entity.
With the currently deployed Jabber network, I think we are doing a 
better job in verifying that the source of a message cannot be forged 
than in verifying that the message is delivered to the right recipient.



Matthias
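The asymmetry Matthias describes, as an added simulation that is not part of the post or of any XMPP server implementation: server dialback (RFC 3920 section 8 at the time of the post, later XEP-0220) lets the receiving server check the claimed origin of a stream by asking the origin domain's authoritative server (found via DNS) whether the dialback key is valid, but the originating server only resolves the destination through DNS and trusts whatever answers. The key derivation is modelled after the HMAC construction XEP-0220 recommends; DNS is a dictionary, connections are method calls, and the domains orig.example, dest.example and attacker.example, the secrets and the stanza are constructed for the example.

```python
"""Simulation of XMPP server dialback showing that the origin of a stream is
verified (forged senders are rejected) while the destination is not (a
DNS-rerouted connection still passes dialback and receives the stanzas).
No network I/O: "DNS" is a dict mapping a domain to a Server object and
each s2s "connection" is a direct method call.  Domains, secrets and the
stanza are constructed for this example."""

import hashlib
import hmac
import secrets


class Server:
    """A minimal XMPP server that can play all three dialback roles:
    originating, receiving and authoritative."""

    def __init__(self, domain: str, dns: dict):
        self.domain = domain
        self.dns = dns                             # shared DNS: domain -> Server
        self.secret = secrets.token_bytes(32)      # per-server dialback secret
        self.inbox = []                            # (sender domain, stanza) pairs

    def dialback_key(self, receiving: str, originating: str, stream_id: str) -> str:
        # Key = HMAC(secret, "receiving originating stream_id"), as in XEP-0220.
        msg = f"{receiving} {originating} {stream_id}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    # Authoritative Server role: answer a <db:verify> from a receiving server.
    def verify(self, receiving: str, originating: str, stream_id: str, key: str) -> bool:
        expected = self.dialback_key(receiving, originating, stream_id)
        return hmac.compare_digest(expected, key)

    # Receiving Server role: handle a <db:result> from an originating server.
    def accept_stream(self, addressed_as: str, claimed_origin: str,
                      stream_id: str, key: str) -> bool:
        # Ask whoever DNS says is authoritative for the *claimed origin*.
        # This is the check that stops sender forgery.  Note that the
        # receiver passes the name it was addressed as, so a server that
        # intercepted a connection meant for dest.example can still verify.
        authoritative = self.dns.get(claimed_origin)
        if authoritative is None:
            return False
        return authoritative.verify(addressed_as, claimed_origin, stream_id, key)

    # Originating Server role: deliver a stanza to a destination domain.
    def send_as(self, claimed_origin: str, dest_domain: str, stanza: str):
        """Returns the domain of the server that actually received the
        stanza, or None if the peer rejected the stream."""
        # The originator resolves the destination through DNS and trusts the
        # answer; nothing below proves that `peer` really is dest_domain.
        peer = self.dns.get(dest_domain)
        if peer is None:
            return None
        stream_id = secrets.token_hex(8)   # chosen by the receiver in XEP-0220
        key = self.dialback_key(dest_domain, claimed_origin, stream_id)
        if not peer.accept_stream(dest_domain, claimed_origin, stream_id, key):
            return None
        peer.inbox.append((claimed_origin, stanza))
        return peer.domain

    def send(self, dest_domain: str, stanza: str):
        return self.send_as(self.domain, dest_domain, stanza)


STANZA = "<message to='alice@dest.example'><body>hi</body></message>"


def build_network(poisoned: bool = False):
    """Three servers; with poisoned=True the DNS entry for dest.example
    points at the attacker, modelling the rerouting attack in the post."""
    dns = {}
    orig = Server("orig.example", dns)
    dest = Server("dest.example", dns)
    attacker = Server("attacker.example", dns)
    dns["orig.example"] = orig
    dns["attacker.example"] = attacker
    dns["dest.example"] = attacker if poisoned else dest
    return orig, dest, attacker


def honest_delivery():
    orig, dest, attacker = build_network()
    return orig.send("dest.example", STANZA)            # "dest.example"


def rerouted_delivery():
    orig, dest, attacker = build_network(poisoned=True)
    # Dialback succeeds: the attacker, addressed as dest.example, asks the
    # real orig.example to verify the key, and it does.  The stanza lands
    # in the attacker's inbox and dest.example never sees it.
    return orig.send("dest.example", STANZA)            # "attacker.example"


def forged_sender():
    orig, dest, attacker = build_network()
    # The attacker claims to be orig.example but signs with its own secret;
    # dest.example asks the real orig.example, which rejects the key.
    return attacker.send_as("orig.example", "dest.example", STANZA)   # None


if __name__ == "__main__":
    print("honest:  delivered to", honest_delivery())
    print("rerouted: delivered to", rerouted_delivery())
    print("forged:  delivered to", forged_sender())
```

The simulation is deliberately generous to the attacker only in the way the post assumes (control over the DNS answer for the destination domain); everything else, including the origin-side key check, behaves as dialback specifies, which is exactly why the rerouted case still validates.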


