[JDEV] Which to pick, "HTTP proxy passthrough" or JEP-0025?
Matthias Wimmer
m at tthias.net
Sat Jul 27 04:18:38 CDT 2002
Hi Hiroaki!
(Sorry for not being familiar with Japanese names. What part of the name
should I use for English internet greetings?)
Hiroaki Nakamura wrote:
>What about performance? I think HTTP proxy passthrough may be faster.
>
Sure ... with proxy passthrough the server can push you new XML packets
when they are available. With JEP-0025 it has to wait for the client to
poll for the information. But it's a real problem that this method is not
supported by all proxies (because it violates the RFCs not to send a
Content-Length header with a POST or PUT request). E.g. it's not
possible to use this with an out-of-the-box Squid.
>As for security problems, JEP-0025 with https would be no problem?
>1.client -"connect jabber.org:443"-> HTTP proxy
>2.proxy --> jabber.org:443
>3.jabber.org:443 --> jabber.org:5222 or jabber.org:5223
>
Yes, this would be no problem. But I would layer it up the other way
round: Make your polls with http and use a jabber-ssl connection over
it. You don't have to reestablish the SSL context with every poll then.
>If proxy allows the port other than 443 outbound, then this can
>be simpler:
>1.client -"connect jabber.org:5223"-> HTTP proxy
>2.proxy --> jabber.org:5223 with modified jabberd
>
With the proxy-connect method you get a plain connection to the server
and don't need to modify the jabberd. The only problem with it is that
most proxies only accept connections to port 443 (this can be
configured, but in most cases you don't have control over the proxy).
What I'm doing at my Jabber server (http://amessage.info/) is to listen
on port 443 for incoming jabber connections (I'm just forwarding
connections to port 443 to port 5222). "CONNECT amessage.info:443"
should work with nearly any proxy installation that doesn't block "https".
>The modification is similar to one for "HTTP proxy passthrough".
>The server will parse HTTP headers, and prepend response headers.
>Is this modification easy to implement?
>
With proxy-connect the proxy server gives you a plain socket connection
to the Jabber server. You don't have to change anything at the Jabber
server.
>Also I wonder whether the security problems do exist in the normal
>Exodus XML protocol (port 5222). If you can sniff the digested
>password, is it possible to change the user's password?
>
No ... the problem is not that you can sniff the old password but that
the JEP-0025-polling session is "protected" by a Session ID that doesn't
change within one session. If you get to know this session ID you can
send polls with that session ID and the server part of JEP-0025 will
think that this is a packet from the authenticated client and will
accept it. (And if you are authenticated the Jabber protocol allows you
to change your password without knowing the old password.)
In short: The security problem with JEP-0025 is that you can take over
a connection and send packets to the server that will think they are
from the authenticated client.
>It seems to me that both options ("HTTP proxy passthrough" and JEP-0025)
>should be implemented and let users have a choice, until a better method
>is found.
>
The security problem of JEP-0025 could be fixed. I have written a
working extension of JEP-0025 with a protocol that was discussed in this
list some weeks ago. But I have never published this because I am not
sure if it is right to do that much work to bypass firewalls without
being allowed by the admins of these proxies.
>PS. At Exodus sourceforge site, I have submitted two patches
>http://sourceforge.net/tracker/index.php?func=detail&aid=587361&group_id=2049&atid=202049
>http://sourceforge.net/tracker/index.php?func=detail&aid=587373&group_id=2049&atid=202049
>and one request.
>http://sourceforge.net/forum/forum.php?thread_id=710505&forum_id=5896
>
And what are they for?
See you
Matthias
--
Fon: +49-700 77007770 http://matthias-wimmer.de/
Fax: +49-89 312 88654 jabber://mawis@charente.de
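Added example, not code from Matthias's message nor from jabberd or Exodus: a small Python model of the proxy-connect method discussed above. A stand-in "Jabber" server, a throw-away HTTP proxy that honours CONNECT only to port 443 (the usual policy the message mentions), and a client that sends CONNECT and then speaks a plain XML stream over the tunnelled socket. The server is never modified; it only ever sees the raw bytes the client wrote. The host name jabber.example.org, the ports and the stream payload are constructed for the example and everything runs on localhost.

```python
"""Added example (not from the original message): the 'proxy-connect' method.
A throw-away Jabber stand-in, a throw-away CONNECT-only proxy limited to port
443, and a client tunnelling an XML stream through it, all on localhost.
Host name, ports and payload are constructed."""
import socket
import threading

STREAM_OPEN = (b"<?xml version='1.0'?>"
               b"<stream:stream to='jabber.example.org' xmlns='jabber:client' "
               b"xmlns:stream='http://etherx.jabber.org/streams'>")
SERVER_HELLO = (b"<?xml version='1.0'?>"
                b"<stream:stream from='jabber.example.org' id='c0ffee' "
                b"xmlns='jabber:client' "
                b"xmlns:stream='http://etherx.jabber.org/streams'>")


def _listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))          # ephemeral port, constructed setup
    s.listen(5)
    return s


def _read_head(sock):
    """Read until the blank line that ends an HTTP request or response."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        data = sock.recv(4096)
        if not data:
            break
        buf += data
    return buf


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on.  After CONNECT
    succeeds the proxy is nothing more than this pipe in both directions."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def fake_jabber_server(listener):
    """Stand-in for 'port 443 forwarded to 5222': it just answers the stream
    header it receives; nothing about HTTP or proxies is known here."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"<stream:stream" not in buf:
            data = conn.recv(4096)
            if not data:
                return
            buf += data
        conn.sendall(SERVER_HELLO)
        conn.shutdown(socket.SHUT_WR)


def fake_proxy(listener, route, allowed_ports=(443,)):
    """CONNECT-only proxy; `route` maps 'host:port' to a local address so the
    demo never dials the real network (a real proxy would resolve the host)."""
    conn, _ = listener.accept()
    words = _read_head(conn).split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    target = words[1] if len(words) == 3 and words[0] == "CONNECT" else ""
    port = target.rpartition(":")[2]
    if not port.isdigit() or int(port) not in allowed_ports:   # typical 443-only policy
        conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
        conn.close()
        return
    upstream = socket.create_connection(route[target])
    conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
    back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
    back.start()
    _pump(conn, upstream)
    back.join()
    upstream.close()
    conn.close()


def connect_through_proxy(proxy_addr, host, port):
    """Send CONNECT; on 200 the very same socket is a plain TCP pipe to host:port."""
    sock = socket.create_connection(proxy_addr)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode())
    status = _read_head(sock).split(b"\r\n", 1)[0].decode("ascii", "replace")
    if " 200 " not in status:
        sock.close()
        raise ConnectionError(status)
    return sock


def demo(port=443):
    """Tunnel a stream header to the stand-in server.  Returns the server's
    reply as text, or the proxy's refusal line when the port is not allowed."""
    srv_l, prx_l = _listen(), _listen()
    route = {f"jabber.example.org:{port}": srv_l.getsockname()}
    threading.Thread(target=fake_jabber_server, args=(srv_l,), daemon=True).start()
    threading.Thread(target=fake_proxy, args=(prx_l, route), daemon=True).start()
    try:
        sock = connect_through_proxy(prx_l.getsockname(), "jabber.example.org", port)
    except ConnectionError as err:
        return str(err)            # e.g. "HTTP/1.0 403 Forbidden" for port 5223
    with sock:
        sock.sendall(STREAM_OPEN)
        return b"".join(iter(lambda: sock.recv(4096), b"")).decode()
```

`demo()` returns the server's stream header received through the tunnel; `demo(5223)` returns the proxy's 403 line, which is the situation where the server is reachable but the proxy policy is not under your control. Nothing in `fake_jabber_server` knows about the proxy, which is the whole point of the CONNECT approach compared with passthrough or JEP-0025, where the server must parse HTTP.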
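Added example, not Matthias's unpublished extension nor jabberd code: a toy model of the JEP-0025 server side showing the takeover described above, beside a hardened variant. The plain server accepts any POST that carries a known session ID, so an eavesdropper who saw one poll can submit a password change (with jabber:iq:register an authenticated user sets a new password without giving the old one). The hardened variant requires every poll to carry the preimage of the last key the server saw, from a one-way SHA-1 chain the client keeps; a sniffed session ID and key cannot be turned into the next one. The body syntax (`sid;key,xml`), the user name and the stanzas are constructed for this example, and the key chain is a generic construction, not a claim about what the unpublished extension did.

```python
"""Added example (not from the original message): a toy JEP-0025 server as
described (a fixed session ID is the only credential), then hardened with a
one-way key chain.  Body syntax, user and stanzas are constructed."""
import hashlib
import secrets

# What an authenticated client may send without the old password (jabber:iq:register).
PASSWORD_CHANGE = ("<iq type='set' id='pw1'><query xmlns='jabber:iq:register'>"
                   "<username>alice</username><password>owned</password></query></iq>")


class PollingServer:
    """Body is '<sid>,<xml>'.  A sid of 0 opens a session; afterwards whoever
    presents the sid is treated as the authenticated client."""

    def __init__(self):
        self.sessions = {}   # sid -> stanzas the server accepted "from the user"

    def new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = []
        return sid

    def post(self, body):
        sid, _, xml = body.partition(",")
        if sid == "0":
            return 200, self.new_session()
        if sid not in self.sessions:
            return 404, None
        self.sessions[sid].append(xml)
        return 200, sid


def key_chain(seed, n):
    """K(0)=seed, K(i)=sha1(K(i-1)).  The client keeps the list secret, gives the
    server K(n) first and then reveals the chain backwards, one key per poll."""
    keys = [seed]
    for _ in range(n):
        keys.append(hashlib.sha1(keys[-1].encode()).hexdigest())
    return keys


class KeyedPollingServer(PollingServer):
    """Body is '<sid>;<key>,<xml>'.  Each poll must carry the preimage of the last
    key the server saw, so sid plus K(i) seen on the wire do not yield K(i-1)."""

    def __init__(self):
        super().__init__()
        self.last_key = {}

    def post(self, body):
        head, _, xml = body.partition(",")
        sid, _, key = head.partition(";")
        if sid == "0":
            sid = self.new_session()
            self.last_key[sid] = key          # K(n), the public end of the chain
            return 200, sid
        if sid not in self.sessions:
            return 404, None
        if hashlib.sha1(key.encode()).hexdigest() != self.last_key[sid]:
            return 403, None                  # replayed or forged key
        self.last_key[sid] = key
        self.sessions[sid].append(xml)
        return 200, sid


def hijack_unkeyed():
    """Attacker who sniffed one poll replays the sid: (status, change accepted?)."""
    srv = PollingServer()
    _, sid = srv.post("0,<stream:stream xmlns='jabber:client'>")
    srv.post(f"{sid},<presence/>")                      # victim's poll, seen on the wire
    status, _ = srv.post(f"{sid},{PASSWORD_CHANGE}")    # attacker, same sid
    return status, PASSWORD_CHANGE in srv.sessions[sid]


def hijack_keyed():
    """Same attack on the keyed server: (attacker status, victim status, accepted?)."""
    srv = KeyedPollingServer()
    keys = key_chain(secrets.token_hex(16), 3)          # K0..K3, client side only
    _, sid = srv.post(f"0;{keys[3]},<stream:stream xmlns='jabber:client'>")
    srv.post(f"{sid};{keys[2]},<presence/>")            # victim's poll: sniffer sees sid, K2
    attacker = srv.post(f"{sid};{keys[2]},{PASSWORD_CHANGE}")  # replaying K2 fails
    victim = srv.post(f"{sid};{keys[1]},<presence/>")   # genuine next poll still works
    return attacker[0], victim[0], PASSWORD_CHANGE in srv.sessions[sid]
```

`hijack_unkeyed()` returns `(200, True)`: the password change went through on a replayed session ID. `hijack_keyed()` returns `(403, 200, False)`: the replay is refused while the real client continues. Two caveats a deployment would add: the chain is finite, so the client must hand over a fresh K(n) before it runs out, and a server that also tears the session down on a bad key trades the replay window for a denial-of-service lever for the same eavesdropper. Neither mechanism protects the stream content itself; that still needs SSL, as the message says.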