[Standards] TLS in XEP-0206

Olle E. Johansson oej at edvina.net
Fri Mar 21 08:31:04 UTC 2014

On 21 Mar 2014, at 09:03, Winfried Tilanus <winfried at tilanus.com> wrote:

> On 19-03-14 17:27, Olle E. Johansson wrote:
> Hi Olle,
>> Sorry for repeating myself... But a big problem with this that we
>> need to work together to solve is the ability to validate TLS in
>> javascript environments. There has been a lot of work to standardise
>> how we set up a TLS connection to a server and validate the cert with
>> the address we want to reach.
>> In the browser environment our application is in the dark. We just
>> have to trust the browser. Will an application using BOSH or
>> Websockets even know if the connection is protected by TLS?
> I hope I am not repeating an old discussion, but I am wondering how big
> this problem really is. If you are running a BOSH client from within the
> browser, you have to trust the integrity of your browser anyway. And
> even in the case where you use such a client to connect with CORS to a
> foreign server, you can still tell your client to use https. The browser
> must warn when the https connection fails for some reason. The only
> thing that is out of reach, is forcing a certain cipher-set from the
> browser based client. But that can be mitigated server side.
The javascript application may want to know why a connection fails
- if it's an ICMP error, certificate mismatch, certificate expiry, DANE error
or something else. Not just "failed". We might also want to compare contents
of the certificate with something else - not just having an "approved certificate".
My jabber domain example.com may have SRV records pointing to theglob.example.org
and I want to know if the certificate is valid. For SIP over Websockets we
want to compare the SAN in the certificate with the domain of the SIP URI,
which the browser will never handle.

Just relying on the browser when we write apps is no longer a working
model for TLS in Javascript when we use web sockets and other
connections. Remember that Javascript is heavily used
embedded in other environments not "seen" as a browser, like mobile
apps written in Cordova/Phonegap. The browser sandbox model
no longer applies there. For BOSH to work properly for such
an app, we may want something better.

> But please let me know if I am missing something here...
> Winfried
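
The check described in the reply above (compare the certificate's SAN with the domain the user asked for rather than only the SRV target, and report why validation failed instead of just "failed"), as an added example that is not part of the original message. The certificate object shape (`sanDnsNames`, `notBefore`, `notAfter`) and the function names are hypothetical; the host names are the ones used in the message.

```javascript
// Added example: classify why a certificate is or is not acceptable for a
// source domain. The cert object shape is hypothetical; real code would fill
// it from whatever TLS library the JavaScript runtime exposes.

// Match one SAN dNSName against a host name. A wildcard is accepted only as
// the complete leftmost label, and never directly under a top-level domain.
function sanMatches(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, '').split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  if (p.length !== h.length) return false;
  return p.every((label, i) =>
    (i === 0 && label === '*' && p.length > 2) || label === h[i]);
}

// sourceDomain: domain of the JID or SIP URI the user wants to reach.
// srvTarget: host name the SRV lookup pointed to.
function classifyCert(cert, sourceDomain, srvTarget, now = new Date()) {
  if (now < new Date(cert.notBefore)) return 'not-yet-valid';
  if (now > new Date(cert.notAfter)) return 'expired';
  const names = cert.sanDnsNames || [];
  if (names.some((n) => sanMatches(n, sourceDomain))) return 'ok';
  // Valid only for the SRV target: an SRV answer that was not DNSSEC-validated
  // does not prove that this host speaks for the source domain.
  if (names.some((n) => sanMatches(n, srvTarget))) return 'matches-srv-target-only';
  return 'name-mismatch';
}

// Constructed sample certificates (not real ones).
const when = new Date('2014-03-21T08:31:04Z');
const delegated = {
  sanDnsNames: ['theglob.example.org'],
  notBefore: '2014-01-01T00:00:00Z',
  notAfter: '2015-01-01T00:00:00Z',
};
const proper = { ...delegated, sanDnsNames: ['example.com', 'theglob.example.org'] };
const stale = { ...proper, notAfter: '2014-02-01T00:00:00Z' };

for (const [label, cert] of Object.entries({ delegated, proper, stale })) {
  console.log(label, classifyCert(cert, 'example.com', 'theglob.example.org', when));
}
```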
