[Standards] Checking hostname in XMPP server when using TLS
simon.mcvittie at collabora.co.uk
Wed Nov 3 11:02:02 UTC 2010
On Tue, 02 Nov 2010 at 18:11:18 -0400, zhong ming wu wrote:
> Moreover, assuming DNS is safe (a big assumption in the past, and some will
> say now), should the client not do a DNS lookup and then use the server cert
> to verify its authenticity?
DNS can't be assumed to be safe; anything we're told via a SRV lookup is
suspect. The thing we're trying to verify is:
* the user told us to connect as joe@example.com, therefore they wanted to
talk to the example.com server
* we got a connection to a server claiming to serve example.com
* is it really authorized to act on behalf of example.com?
If there's a SRV record telling us we should actually connect to
jabber.services.example.net (or whatever), accepting a certificate for
jabber.services.example.net would be unsafe, because that's not what the
user asked for.
> TLS implementations of HTTP/SMTP/IMAP/POP do not work like XMPP in this regard
HTTPS doesn't do SRV lookups, but when you use a CNAME it behaves just like
XMPP. If I connect to https://www.google.com/ I get this:
smcv@reptile% dig www.google.com
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 348 IN CNAME www.l.google.com.
www.l.google.com. 156 IN A 126.96.36.199
... (and more geolocated addresses for www.l.google.com)
and when I connect to 188.8.131.52 (or whatever), it presents a certificate
for www.google.com (not for www.l.google.com or 184.108.40.206).
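The rule in the message above (the reference identity comes from what the user asked for, the JID's domain part or the URL's host, never from the SRV target, CNAME target or address that DNS returned) written out as an added Python example; this is not code from the original post. The certificate names, SRV/CNAME targets and addresses are constructed sample data, and the wildcard handling (single `*` left-most label only, per RFC 6125 §6.4.3) goes slightly beyond the post, which only discusses exact names.

```python
"""Added example: which name a TLS client must check the server cert against.

The reference identity is derived from what the user requested, never from
anything learned via DNS (SRV target, CNAME target, A/AAAA record), because
DNS answers are untrusted.  All names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Resolution:
    """What the user asked for, plus what DNS told us on the way there."""
    requested: str                      # JID domainpart or URL host
    dns_target: Optional[str] = None    # SRV or CNAME target (untrusted)
    address: str = ""                   # address actually connected to (untrusted)


def reference_identity(res: Resolution) -> str:
    """The only name the certificate is allowed to satisfy.

    Note that dns_target and address are deliberately ignored: a cert for the
    SRV target would prove the server is jabber.services.example.net, not that
    it is authorized to act for example.com.
    """
    return res.requested.rstrip(".").lower()


def dns_id_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or one '*' as the left-most label.

    The wildcard may not match across a dot, so '*.example.com' matches
    'xmpp.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.rstrip(".").lower()
    name = name.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def cert_authorized_for(res: Resolution, cert_dns_names: List[str]) -> bool:
    """True iff the certificate's dNSName SANs cover the name the user requested."""
    ref = reference_identity(res)
    return any(dns_id_matches(n, ref) for n in cert_dns_names)


if __name__ == "__main__":
    # XMPP case from the post: SRV for example.com points elsewhere.
    xmpp = Resolution("example.com", dns_target="jabber.services.example.net",
                      address="192.0.2.10")
    print(cert_authorized_for(xmpp, ["jabber.services.example.net"]))  # False
    print(cert_authorized_for(xmpp, ["example.com"]))                   # True

    # HTTPS case from the post: www.google.com is a CNAME to www.l.google.com.
    https = Resolution("www.google.com", dns_target="www.l.google.com",
                       address="192.0.2.20")
    print(cert_authorized_for(https, ["www.google.com"]))    # True
    print(cert_authorized_for(https, ["www.l.google.com"]))  # False
```

The check is the same for both protocols: the SRV or CNAME target is only routing information, so a certificate that names it proves nothing about the domain the user typed.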