[JDEV] Jabber Transports - Security issues

David Waite dwaite at jabber.com
Thu Nov 2 18:12:18 CST 2000


Peter Saint-Andre wrote:

> Well, you can always run your own server. :)
>
> Mark Zamoyta wrote:
>
> > Hello, AOL always brings up security issues when it comes to allowing
> > open access to its IM system.  How does Jabber, or Jabber.org in
> > particular deal with this? Obviously AOL / AIM passwords are stored on
> > the server, but how are they encrypted, and who has access to them on
> > the Jabber.org server?   ie. Can any programmer working on transport
> > related code for jabber.org get their hands on thousands of AOL
> > passwords?  Can anyone setting up their own Jabber system get access
> > to all the AOL passwords stored on their system? Mark

Unfortunately we are limited in what we can do in regard to security due
to the level of indirection required. There is only so much you can do when
you only control half of the security equation. The 'ideal' solution will
be when other systems have interoperability between user domains - when you
don't require people to log into your domain, the problem goes away.

The only other option is a secure 'authentication' stage in the protocol
after the user logs in, where they manually specify their passwords for
other systems in order to log into them, or to move all the logic for each
IM network's password hashing and authentication scheme into the clients.

Until the day that such interserver gateways exist (the ghost of IETF, or
perhaps something publicly available and widely implemented from
IMUnified), you will not have a way to securely store information like that
on the server (although it is technically possible to secure some of the
other user information on the server).

-David Waite
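The three storage models discussed in this thread, as an added example that is not code from the original post or from the jabber.org transports: a hash-only store (what a server would normally keep for its own accounts), a reversible store under a server-held key (what a transport that replays passwords has to fall back on), and the per-session model David describes, where the client hands over the foreign password after logging in and the server only holds it in memory. The remote network, the account "mark"/"hunter2", and the toy SHA-256-keystream cipher are all constructed stand-ins for this illustration; the cipher stands in for a real authenticated cipher only to make the architectural point that whoever holds the server key can recover every stored password.

```python
"""Added example (not from the JDEV thread): why a transport that must replay
a plaintext password to a foreign IM network cannot store it the way a server
stores its own users' passwords, and what the per-session alternative looks like.
Everything here (remote network, account, toy cipher) is a constructed stand-in."""
import hashlib
import hmac
import os

JID = "mark@jabber.example"  # constructed Jabber user


class RemoteNetwork:
    """Constructed stand-in for a legacy IM network that wants the plaintext
    password at login (the transport has to present exactly what the user knows)."""

    def __init__(self, accounts):
        self._accounts = accounts  # {screen_name: password}, constructed data

    def login(self, screen_name, password):
        return self._accounts.get(screen_name) == password


def _keystream_xor(key, data):
    """Toy reversible cipher: XOR with a SHA-256 counter keystream. It is an
    assumption standing in for a real AEAD; the point is only that the same
    key decrypts, so anyone holding it can read every row."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class HashedStore:
    """Salted PBKDF2 hash only. Right for the Jabber account itself, useless
    for a transport: a hash cannot be replayed to the remote network."""

    def __init__(self):
        self._rows = {}

    def save(self, jid, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._rows[jid] = (salt, digest)

    def verify(self, jid, password):
        salt, digest = self._rows[jid]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)

    def password_for_remote(self, jid):
        return None  # not recoverable, by design


class ReversibleStore:
    """Reversible storage under a server-held key: the transport can log in
    for the user, and so can anyone who can read both the key and the table."""

    def __init__(self, server_key):
        self._key = server_key
        self._rows = {}

    def save(self, jid, password):
        self._rows[jid] = _keystream_xor(self._key, password.encode())

    def password_for_remote(self, jid):
        return _keystream_xor(self._key, self._rows[jid]).decode()

    def dump_all(self):
        # What an operator or a developer with server access can pull out.
        return {jid: self.password_for_remote(jid) for jid in self._rows}


class SessionStore:
    """Per-session model from the post: the client supplies the remote password
    after authenticating to Jabber; it lives in memory only until logout."""

    def __init__(self):
        self._live = {}

    def begin(self, jid, password):
        self._live[jid] = password

    def password_for_remote(self, jid):
        return self._live.get(jid)

    def end(self, jid):
        self._live.pop(jid, None)


def demo():
    """Run the three models against the constructed remote network."""
    aim = RemoteNetwork({"mark": "hunter2"})  # constructed account
    hashed, reversible, session = HashedStore(), ReversibleStore(os.urandom(32)), SessionStore()
    hashed.save(JID, "hunter2")
    reversible.save(JID, "hunter2")
    session.begin(JID, "hunter2")
    results = {
        "hashed_verifies_locally": hashed.verify(JID, "hunter2"),
        "hashed_can_reach_remote": hashed.password_for_remote(JID) is not None,
        "reversible_can_reach_remote": aim.login("mark", reversible.password_for_remote(JID)),
        "reversible_operator_sees": reversible.dump_all(),
        "session_can_reach_remote": aim.login("mark", session.password_for_remote(JID)),
    }
    session.end(JID)
    results["session_after_logout"] = session.password_for_remote(JID)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hashed store passes its own login check but can never produce a password for the remote side; the reversible store can, and `dump_all` shows that nothing in the design stops a server-side developer from reading the whole table; the session store reaches the remote network while the user is logged in and holds nothing afterwards, which is the trade-off the post describes (the server still sees the password in memory for the session, so it narrows the exposure rather than removing it).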
