[JDEV] Which to pick, "HTTP proxy passthrough" or JEP-0025?
Hiroaki Nakamura
hnakamur at v003.vaio.ne.jp
Sat Jul 27 03:30:30 CDT 2002
Hi Matthias!
Matthias Wimmer wrote:
> HTTP proxy passthrough is easier to implement because it uses a
> persistent TCP/IP connection but not all proxies support it.
> JEP-0025 is a bit harder to implement but should be supported by nearly
> all proxies. But the cons are security problems: If you can sniff the
> session ID you can steal the connection, change the user's password, ...
What about performance? I think HTTP proxy passthrough may be faster.
As for security problems, JEP-0025 with https would be no problem?
1. client -"connect jabber.org:443"-> HTTP proxy
2. proxy --> jabber.org:443
3. jabber.org:443 --> jabber.org:5222 or jabber.org:5223
If proxy allows the port other than 443 outbound, then this can
be simpler:
1. client -"connect jabber.org:5223"-> HTTP proxy
2. proxy --> jabber.org:5223 with modified jabberd
The modification is similar to one for "HTTP proxy passthrough".
The server will parse HTTP headers, and prepend response headers.
Is this modification easy to implement?
Also I wonder whether the security problems do exist in the normal
Exodus xml protocol (port 5222). If you can sniff the digested
password, is it possible to change the user's password?
It seems to me that both options ("HTTP proxy passthrough" and JEP-0025)
should be implemented and let users have a choice, until a better method
is found.
PS. At the Exodus SourceForge site, I have submitted two patches
http://sourceforge.net/tracker/index.php?func=detail&aid=587361&group_id=2049&atid=202049
http://sourceforge.net/tracker/index.php?func=detail&aid=587373&group_id=2049&atid=202049
and one request.
http://sourceforge.net/forum/forum.php?thread_id=710505&forum_id=5896
Please check it out > all.
--
)Hiroaki Nakamura) hnakamur at ec-one.com
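As an added illustration of the CONNECT tunnel steps in the message above (example code, not from the original post, Exodus or jabberd): both sides of the proxy handshake modelled as plain functions over bytes, so the exchange can be exercised offline. The proxy's outbound port allowlist (443 only by default, matching the "only 443 allowed" case in the post) and the host/port values are constructed assumptions. The client-side parser keeps any bytes that follow the proxy's blank line, because once the tunnel is up those bytes already belong to the XMPP stream and must not be dropped.

```python
"""Added example: a minimal model of the HTTP CONNECT exchange between an
XMPP client and an HTTP proxy. Not code from the original message; the
allowlist policy and sample hosts/ports are constructed for illustration."""
import re


def build_connect_request(host: str, port: int) -> bytes:
    """Client side: the CONNECT request that asks the proxy for a raw tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "\r\n").encode("ascii")


_REQUEST_LINE = re.compile(rb"^CONNECT ([^\s:]+):(\d+) HTTP/1\.[01]\r\n")


def proxy_handle_connect(request: bytes, allowed_ports=(443,)) -> bytes:
    """Proxy side (constructed policy): tunnel only to ports on the allowlist.
    A proxy that permits only 443 rejects a CONNECT to 5223, which is why the
    post's first variant goes through jabber.org:443."""
    m = _REQUEST_LINE.match(request)
    if not m:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    port = int(m.group(2))
    if port not in allowed_ports:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect_response(data: bytes):
    """Client side: parse the proxy's reply to CONNECT.
    Returns (status_code, tunnel_bytes). Anything after the terminating blank
    line is already tunnelled data (e.g. the server's stream greeting when the
    proxy coalesces reads) and is handed back to the caller, not discarded."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("incomplete proxy response")
    head, tail = data[:end], data[end + 4:]
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line")
    return int(parts[1]), tail


def open_tunnel(host: str, port: int, allowed_ports=(443,)):
    """Run the client -> proxy -> decision exchange offline.
    Returns (tunnel_established, status_code, leftover_bytes)."""
    req = build_connect_request(host, port)
    resp = proxy_handle_connect(req, allowed_ports)
    status, leftover = parse_connect_response(resp)
    return status == 200, status, leftover


if __name__ == "__main__":
    print(open_tunnel("jabber.org", 443))                  # 443 allowed
    print(open_tunnel("jabber.org", 5223))                 # rejected by policy
    print(open_tunnel("jabber.org", 5223, (443, 5223)))    # proxy permits 5223
```

In a real client the bytes returned as `leftover` are fed straight into the XML stream parser, and only a 200 status means the socket may now be treated as a direct connection to the XMPP server.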