[JDEV] stunnell
mark at mjwilcox.com
Wed Dec 20 17:08:04 CST 2000
On 20 Dec 00, at 15:39, Colin Madere wrote:
>
> A note about encrypting XML messages:
>
> If you just want to prevent joe-user from reading messages on his
> network, that's fine, but encrypting the XML tags gives a real
> attacker huge clues since he will _know_ what large pieces of the
> encrypted message are and where they are in the message.
But that's an academic attack. We're probably not talking about
protecting secret conversations of revolutionaries here :).
99% of the time what you want is simply to have your
conversations private. And by using PGP or SSL you can achieve
this, but people don't want to spend a lot of time setting it up.
Remember, any system that involves humans can be defeated.
And I can think of several attacks where I could defeat the security
of the system without *ever* having to crack the crypto (for
example I could send you a trojan horse Jabber client, capture your
secret key and password, email those to me and then I could set
up PGP as you).
Mark
>
> As for the SSL CPU load you will still have the CPU load of decrypting
> things the server has to read. There are hardware SSL solutions,
> also. Not saying SSL is the way to go, just thought I'd drop the info
> here.
>
> -----Original Message-----
> From: Bernd Eckenfels [mailto:lists at lina.inka.de]
> Sent: Wednesday, December 20, 2000 3:32 PM
> To: jdev at jabber.org
> Subject: Re: [JDEV] stunnell
>
>
> On Wed, Dec 20, 2000 at 12:44:09AM -0500, Sean Wieland wrote:
> > Has anyone tried using stunnel the "universal SSL wrapper" with the
> > Jabber server? If so, with what success and what issues were there?
> > What does everyone think of just using stunnel to add SSL/TLS
> > functionality to Jabber (which seems to be in spirit with Jabber
> > design philosophy).
>
> This is doable. We can also add SSL to jpoold. The problem here is
> that SSL is not the best solution, since the Jabber framework is a
> distributed one. We are much better off with message encryption and
> signing. This adds a lot of benefits:
>
> - you do not need to trust the routing servers
> - you can archive the messages and verify the sender all times
> - you do not need special spoofing preventions between servers
> - we do not need to spend valuable CPU cycles on servers with SSL
>
> Of course it will change the way Jabber messages look, since most
> of the namespaces besides the routing tags will be inside an
> encryption envelope.
>
> Greetings
> Bernd
> --
> (OO) -- Bernd_Eckenfels at Wendelinusstrasse39.76646Bruchsal.de --
> ( .. ) ecki@{inka.de,linux.de,debian.org}
> http://home.pages.de/~eckes/
> o--o *plush* 2048/93600EFD eckes at irc +497257930613 BE5-RIPE
> (O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir
> cevinpl!
>
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
>
Mark Wilcox
mark at mjwilcox.com
Got LDAP?
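An added example, not posted by anyone in this thread: the kind of stunnel setup Sean asks about, written in the config-file format of later stunnel releases (the stunnel of late 2000 took the same settings as command-line flags). The host name, file paths, and the use of 5223 as the SSL-wrapped Jabber port are assumptions for the example. Two files are shown, one for the server and one for a user's machine.

```ini
; ---- /etc/stunnel/jabber-server.conf (assumed path) ----
; Runs next to the Jabber server. Accepts SSL on 5223 and hands the
; decrypted stream to jabberd listening in plaintext on localhost:5222.
cert   = /etc/stunnel/jabber.pem      ; server certificate (assumed path)
key    = /etc/stunnel/jabber.key      ; matching private key (assumed path)
setuid = stunnel
setgid = stunnel
pid    = /var/run/stunnel/jabber.pid

[jabber-ssl]
accept  = 5223
connect = 127.0.0.1:5222

; ---- /etc/stunnel/jabber-client.conf (assumed path) ----
; Runs on the user's machine. The Jabber client connects in plaintext to
; localhost:5222 and stunnel carries that connection over SSL to the server.
client = yes

; verify = 2 makes stunnel refuse a server whose certificate does not chain
; to a CA in CAfile. The default (verify = 0) accepts any certificate, so a
; host that intercepts the connection and presents its own certificate is
; not detected; the wrapper then only hides traffic from passive readers.
CAfile = /etc/stunnel/ca.pem          ; trusted CA bundle (assumed path)
verify = 2

[jabber-client]
accept  = 127.0.0.1:5222
connect = jabber.example.com:5223     ; assumed server name
```

What this does and does not buy you follows from the thread: the wrapper protects the client-to-server hop only. The server still handles the stanzas in plaintext, and server-to-server routing is untouched unless each routing hop is wrapped and trusted in the same way, which is exactly the gap that message-level encryption and signing of the non-routing payload is meant to close.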