[JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)

Michael F Lin MFLIN at us.ibm.com
Thu Jun 6 10:35:13 CDT 2002


I agree, and I strongly recommend against the use of JEP-0025 as-is for any
remotely sensitive purposes.

We have been aware of the security problems for two months and have
proposed multiple viable solutions, but nothing has been fixed. This JEP
either needs to be fixed or withdrawn.

The relevant discussion appears here:
http://mailman.jabber.org/pipermail/council/2002-April/000245.html
http://mailman.jabber.org/pipermail/standards-jig/2002-April/000758.html

-Mike



admin at jabber.fsinf.de
Sent by: jdev-admin at jabber.org
06/06/2002 09:27 AM
Please respond to jdev

To: jdev at jabber.org
cc:
Subject: Re: [JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)



On Thu, 6 Jun 2002, Matthias Wimmer wrote:

> I have enhanced the JabberApplet to support Jabber HTTP Polling and I
> have written a server side implementation as a Java Servlet.

Note JEP-0025 is very insecure (in fact it is less secure than standard
connections with clear text authentication). There were some discussions
and solutions posted to the standards-jep and council mailing list but up
to now there was no response by the jabber.com people.

I think it would be best to implement one of the proposed protocols that
are secure and to patch the clients supporting HTTP polling. It's not that
much work and should be done NOW.

Regards
