[JDEV] stunnell

Colin Madere colin at vedalabs.com
Wed Dec 20 15:39:40 CST 2000


A note about encrypting XML messages:

If you just want to prevent joe-user from reading messages on his network,
that's fine, but encrypting the XML tags gives a real attacker huge clues
since he will _know_ what large pieces of the encrypted message are and
where they are in the message.

As for the SSL CPU load, you will still have the CPU load of decrypting
things the server has to read.  There are hardware SSL solutions, also.  Not
saying SSL is the way to go, just thought I'd drop the info here.

-----Original Message-----
From: Bernd Eckenfels [mailto:lists at lina.inka.de]
Sent: Wednesday, December 20, 2000 3:32 PM
To: jdev at jabber.org
Subject: Re: [JDEV] stunnell


On Wed, Dec 20, 2000 at 12:44:09AM -0500, Sean Wieland wrote:
> Has anyone tried using stunnel the "universal SSL wrapper" with the
> Jabber server?  If so, with what success and what issues were there? 
> What does everyone think of just using stunnel to add SSL/TLS
> functionality to Jabber (which seems to be in spirit with Jabber design
> philosophy).

This is doable. We can also add SSL to jpoold. The problem here is that
SSL is not the best solution, since the jabber framework is a distributed
one. We are much better off with Message Encryption and Signing. This adds
a lot of benefits:

- you do not need to trust the routing servers
- you can archive the messages and verify the sender at all times
- you do not need special spoofing preventions between servers
- we do not need to spend valuable CPU cycles on servers with SSL

Of course it will change the way jabber messages look, since most of
the namespaces besides the routing tags will be inside an encryption
envelope.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels at Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes at irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
