[JDEV] security

David Waite mass at ufl.edu
Fri Apr 14 10:53:34 CDT 2000


You are going to have troubles implementing client-side encryption in the
current Jabber protocol.

You can currently send a message this way by just including the text in an
extension (such as "<x xmlns="rot13">ewE qwe n ewt wer</x>"). The main
problem that comes to mind immediately is that you have no way of knowing if
the other user (the recipient) supports a particular extension. Currently if
someone supported a hypothetical markup for their text (say, xhtml), the
marked up text would go into an extension, and a plaintext version would go
into the message body.

The main reason that I know of that there isn't this sort of 'client feature
negotiation' is race conditions involved. If you get someone's featureset on
log-in, then send a message later there is a chance they could have logged
out and logged back in with a different client. If you rely on the remote
client to 'deny' the message based on lack of support for extensions, you
still have the same problem as before, you just now also have the remote
client getting a lot of unneeded XML.

Also, both the above methods break easily when someone takes over the
connection - "No, I don't support encrypted text, please send it to me in
plaintext"

I anticipate that eventually client features will be uploaded to the server
by client on a per-resource (not per-JID) basis, and automatically cleared
on connection reset. But this will not happen until post-1.0; there are
simply too many things on the plates of the main developers before the first
major release.

-David Waite

> -----Original Message-----
> From: jdev-admin at jabber.org [mailto:jdev-admin at jabber.org]On Behalf Of
> Eric Bowersox
> Sent: Friday, April 14, 2000 11:10 AM
> To: jdev at jabber.org
> Subject: RE: [JDEV] security
>
>
> >            We are developing an Instant Messaging client using Jabber
> > Server. To provide some bare minimum security, we will be encrypting
> > the messages at the client side using some standard algorithm and the
> > message will be decrypted using the same key. Does Jabber support this
> > kind of security feature? Or is there any other alternative to this?
>
> Jabber supports connections encrypted using SSL, so if you have OpenSSL
> (http://www.openssl.org) you should be all right in the security
> department.
> (Depending on your local political situation of course.)
>
> 					Eric
>
> --
> Eric J. Bowersox - Jabber Inc. - ebowersox at jabber.com
> <mailto:ebowersox at jabber.com>   http://www.jabber.com
> OpenProjects IRC #jabber: erbo  - Advogato: Erbo
> "AIM is to Jabber as Notepad is to emacs" - washort, #jabber
>
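As an added example that is not part of the original thread, the following Python uses the thread's toy rot13 extension (a hypothetical namespace standing in for a real cipher) to show the message layout David describes, payload in an `<x xmlns="...">` element with a non-secret body, together with a sender-side rule that never silently falls back to plaintext when the recipient's capability claim is absent, stale or unauthenticated:

```python
# Added example; not code from the original thread or from any Jabber client.
import codecs
import xml.etree.ElementTree as ET

# The thread's toy namespace. rot13 is an encoding, not encryption; it stands
# in for a real cipher only so the example runs without any library.
EXT_NS = "rot13"


def build_message(to, secret_text, notice="[encrypted; extension required]"):
    """Put the transformed text in <x xmlns=...> and a non-secret body."""
    msg = ET.Element("message", {"to": to})
    ET.SubElement(msg, "body").text = notice
    x = ET.SubElement(msg, "x", {"xmlns": EXT_NS})
    x.text = codecs.encode(secret_text, "rot_13")
    return ET.tostring(msg, encoding="unicode")


def read_message(xml_text):
    """Return (text, source); source is 'extension' or 'body'."""
    msg = ET.fromstring(xml_text)
    # The parser turns xmlns="rot13" into the Clark-notation tag {rot13}x.
    x = msg.find("{%s}x" % EXT_NS)
    if x is not None and x.text:
        return codecs.decode(x.text, "rot_13"), "extension"
    body = msg.find("body")
    return (body.text if body is not None else ""), "body"


def decide_send(resource_features, claim_authenticated):
    """Sender policy for one recipient resource.

    resource_features: set of extension namespaces the recipient resource
    advertised (per resource, as David anticipates, not per JID).
    claim_authenticated: whether that advertisement came over a channel the
    sender trusts (e.g. the server's own, recently refreshed record) rather
    than an unauthenticated "I don't support that" from the far end.
    """
    if EXT_NS in resource_features:
        return "extension"
    if not claim_authenticated:
        # A hijacked connection or a stale log-in snapshot looks exactly like
        # "no support"; fail closed instead of downgrading to plaintext.
        return "refuse"
    # Genuine, authenticated lack of support: let the user decide, never
    # downgrade automatically.
    return "ask-user"
```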