[Standards] Hop Check reconnects

Ian Paterson ian.paterson at clientside.co.uk
Fri Jun 15 09:50:52 UTC 2007

Quoting XEP-0219:
 > As a user, I may want to know three things:
 > 1. If my connection to my server is encrypted.
 > 2. If my server's connection to my contact's server is encrypted.
 > 3. If my contact's connection to their server is encrypted.

I'd add a fourth item:
4. If my server's encrypted connections with my contact's server go down 
and are replaced by unencrypted connections.

This could occur, for example, if a man-in-the-middle disrupts the 
communication channels and then removes the <starttls/> elements from 
the servers' subsequent attempts to reconnect.

At first glance this is harder to implement, but without it AFAICT 
hop-check isn't secure (even if you trust the servers).

Servers could implement this by remembering all the servers they have 
connected securely to and never again accepting insecure connections 
with those servers. That way they would never have to inform their 
clients about the change in circumstances.

Or we could add a requirement to XEP-0219 that all servers supporting 
Hop Check MUST in all cases employ server-2-server connections only if 
they are encrypted.

In fact perhaps that requirement could be included in RFC 3920bis?

- Ian

More information about the Standards mailing list