[Standards] TLS in XEP-0206

Winfried Tilanus winfried at tilanus.com
Fri Mar 21 08:03:48 UTC 2014

On 19-03-14 17:27, Olle E. Johansson wrote:

Hi Olle,

> Sorry for repeating myself... But a big problem with this that we
> need to work together to solve is the ability to validate TLS in
> JavaScript environments. There has been a lot of work to standardise
> how we set up a TLS connection to a server and validate the cert with
> the address we want to reach.
> In the browser environment our application is in the dark. We just
> have to trust the browser. Will an application using BOSH or
> Websockets even know if the connection is protected by TLS?

I hope I am not repeating an old discussion, but I am wondering how big
this problem really is. If you are running a BOSH client from within the
browser, you have to trust the integrity of your browser anyway. And
even in the case where you use such a client to connect with CORS to a
foreign server, you can still tell your client to use https. The browser
must warn when the https connection fails for some reason. The only
thing that is out of reach is forcing a certain cipher-set from the
browser-based client. But that can be mitigated server side.

But please let me know if I am missing something here...


