[Standards] LAST CALL: XEP-0368 (SRV records for XMPP over TLS)

Ruslan N. Marchenko me at ruff.mobi
Mon Feb 13 21:43:05 UTC 2017



On 13.02.2017 21:57, Travis Burtrum wrote:
> On 02/13/2017 02:26 PM, Ruslan N. Marchenko wrote:
>> So security here will be just in the sense "all or nothing" -
>> either you pass through (non-paranoid) or not (paranoid).
> That's not true though, there are firewalls in practice today that only
> allow HTTP on port 80, and only TLS on port 443, but do not MITM TLS.
Yes, and that's what is written as the XEP's use-case - how to abuse a corporate
firewall by masking im/p2p software as legitimate business traffic (https).
This is not fair, and if I were a CSO who found out about such a "use-case" in the
network I'd just order pass-through TLS blocked, pushing people to use
either an explicit or an implicit (transparent) proxy.

With all due respect and honesty, I thought the times when there was a separate
port for encrypted/non-encrypted traffic had passed, replaced by the
start-tls concept.
The <required/> starttls feature is quite transparent and flexible; if
someone strips it, the server just refuses to progress the handshake.
I don't understand what we need to hide here by summoning port 5223
from oblivion.
>
> If TLS is MITM'd with a custom CA installed on your device then TLS
> doesn't protect you from the MITM of course, and this won't address that.
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: Standards-unsubscribe at xmpp.org
> _______________________________________________
>
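The message above contrasts the STARTTLS upgrade (with its `<required/>` marker in stream features) against XEP-0368's direct-TLS ports. The following Python is an added illustration, not code from the thread or from any XMPP project: it parses a `<stream:features/>` element, reports whether STARTTLS is offered and required, and shows the client-side counterpart of the refusal described above, which is where a stripped STARTTLS offer on a plaintext transport must be treated as a reason to abort rather than to continue. The three feature elements are constructed samples, not captures from a real server, and `next_step` is a hypothetical policy function.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample <stream:features/> elements (not captured traffic).
FEATURES_REQUIRED = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
    '</stream:features>'
)
FEATURES_OPTIONAL = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"/>'
    f'<mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
# What a client would see if something on the path removed the STARTTLS offer.
FEATURES_STRIPPED = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)


def inspect_starttls(features_xml):
    """Return (offered, required) for the STARTTLS feature in a
    <stream:features/> element."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{STREAM_NS}}}features":
        raise ValueError("not a stream:features element")
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return (False, False)
    required = starttls.find(f"{{{TLS_NS}}}required") is not None
    return (True, required)


def next_step(features_xml, transport_is_tls):
    """Hypothetical client policy after receiving stream features.

    transport_is_tls is True when the socket was TLS from the first byte
    (the direct-TLS style that XEP-0368's SRV records advertise); in that
    case STARTTLS is irrelevant. On a plaintext transport an encryption-
    requiring client negotiates STARTTLS when offered and aborts when it
    is absent, since "no TLS at all" and "offer stripped by a middlebox"
    look identical from the client's side.
    """
    if transport_is_tls:
        return "proceed"
    offered, _required = inspect_starttls(features_xml)
    if offered:
        return "starttls"
    return "abort"


if __name__ == "__main__":
    for name, xml in (("required", FEATURES_REQUIRED),
                      ("optional", FEATURES_OPTIONAL),
                      ("stripped", FEATURES_STRIPPED)):
        print(name, inspect_starttls(xml), next_step(xml, False))
```

Whether the server marks STARTTLS `<required/>` only matters for what the server will accept; the client must apply its own policy, because a middlebox that strips the `<starttls/>` element also strips the `<required/>` marker inside it.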
