[JDEV] Kid-safe messaging: [was buddy icons]

David Bovill david.bovill at opn-technologies.com
Wed Apr 11 07:57:33 CDT 2001


Interesting post (thanks):

> I suggest that we take this to the 'security' Jabber mailing list.

Is there one - what's the address?

Wouldn't the solution be that all servers and transports have to do some
Public Key based authentication on first connection?

Personally I'm fairly new to messaging and became interested more from the
live XML data communications face of Jabber, and as a result signed up for a
variety of IM "accounts".

I have noticed that I pretty well invariably get spam'd by "Valerie" or
whoever when I sign up for a new account on ICQ (a few seconds after
signing up)... not good news if you are thinking of building chat into a
kids' learning environment.

Can anyone give me an idea of how "they" do this? And what the implications
are for using Jabber in this area?


> From: kadokev at msg.net
> Reply-To: jdev at jabber.org
> Date: Tue, 10 Apr 2001 09:45:21 -0500 (CDT)
> To: jdev at jabber.org
> Subject: Re: [JDEV] RE: File Transfer [was buddy icons]
> 
>> One thing though, once the conversation has been snooped on, isn't the
>> security already totally compromised?
> 
> It's a reasonable goal for any system to ensure that passive traffic sniffing
> does not compromise the security. As was mentioned earlier, SSL, PGP, and
> 0K authentication can help assist in reaching this goal.
> 
> 
> One design 'feature' that I like about Jabber is that all communication
> is user-to-server and not directly user-to-user. This protects the client
> from DOS attacks against your IP address (As is common on IRC) because your
> IP address is never revealed to the client.
> 
> Unfortunately, this design means that a malicious server operator can very
> easily sniff, log, and even modify all communications to and from any user
> logged in to that server. Even with PGP you still have traffic analysis, etc.
> 
> 
> For example, without SSL (and without SSL certificate validation) I can create
> a MITM attack, an XML forwarder that looks like your favorite Jabber server,
> but actually logs/modifies all traffic, or even translates everything you
> say into pig latin. I was hoping to release my proof of concept for this on
> April 1st...
> 
> I suggest that we take this to the 'security' Jabber mailing list.
> 
> 
> Kevin Kadow
> MSG.Net, Inc.
> 
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
> 
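David's idea of key-based authentication on first connection, and Kevin's point that the MITM forwarder only works when the client does not validate the server certificate, can be combined into a client-side check. This is an added example, not code from this thread or from the Jabber project; `PinStore`, `make_client_context` and the server names are hypothetical, and the certificate bytes in the comments are constructed for illustration.

```python
import hashlib
import json
import ssl
from pathlib import Path
from typing import Optional


class PinMismatch(Exception):
    """The server presented a certificate that differs from the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use store: server name -> certificate fingerprint.
    path=None keeps pins in memory; otherwise they persist as JSON."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def check(self, server: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        known = self.pins.get(server)
        if known is None:
            # First contact: remember this key. Whoever is in the path at
            # this moment gets trusted, which is the known limit of TOFU.
            self.pins[server] = fp
            if self.path is not None:
                self.path.write_text(json.dumps(self.pins))
            return "pinned"
        if known != fp:
            # A forwarder in the path has to present its own certificate,
            # so a changed fingerprint is the signal to stop and investigate.
            raise PinMismatch(f"{server}: expected {known}, got {fp}")
        return "ok"


def make_client_context() -> ssl.SSLContext:
    """TLS context that rejects unverified or mis-named server certificates."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

In use, the client wraps its socket with `make_client_context()` and passes `tls.getpeercert(binary_form=True)` to `PinStore.check`, so both the CA chain and the pinned key have to agree before any stanza is sent.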
