[Standards] Any protocol to request encrypted connections?
m at tthias.eu
Mon Feb 5 18:01:52 UTC 2007
Peter Saint-Andre schrieb:
>> In general: I think we should start thinking about better identity
>> verification of the destination of a XMPP link. On s2s connections
>> using dialback we currently have NO verification, that the
>> destination is the server we expect it to be. An attacker, that is
>> able to reroute a
>> connection to his own server (either by modifying the DNS entries of
>> the destination server or by hijacking the connection at the IP
>> layer) will get the stanzas, that are addressed to the attacked entity.
> Does TLS + SASL address your concern?
Depends. A client using TLS without client certificate and using SASL
without a security layer does not address it. While e.g. a client
authenticating using a TLS client cert would be okay.
>> With the currently deployed Jabber network, I think we are doing a
>> better job in verifying that the source of a message cannot be
>> forged, than verifying that the message is delivered to the right
> Well, and even when we verify the identity of the destination server,
> we don't verify that the destination server is properly routing the
> stanza to the intended recipient. But I'd think that encrypted
> sessions would help here.
I don't want to address the usecases of e2e by my question. One of the
use-cases I have in mind is more light-weight. I thought, that you might
e.g. operate a company server, that can be accessed from the public
internet as well. But some of the data you send to your clients should
only be sent out, if the connection to the client is protected. It would
be helpful if the sender of such information/events could just pass an
indication, that this data should only be forwarded if the destination
More information about the Standards