[JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)

[Peter Millard]

Mike -

> I agree, and I strongly recommend against the use of JEP-0025 as-is
> for any remotely sensitive purposes.
>
> We have been aware of the security problems for two months and have
> proposed multiple viable solutions, but nothing has been fixed. This
> JEP either needs to be fixed or withdrawn.

*disclaimer: I am employed by Jabber, Inc* :)

JEP-25 is INFORMATIONAL! It won't be withdrawn as it's not standards track.
The whole idea behind informational JEPS is that they allow companies (like
Jabber, Inc.) to document the protocol extensions that they build, so other
people in the jabber community can use and build other products to them (if
they so desire). It's unlikely that this JEP will change since it reflects a
currently deployed product (good bad or ugly :).

Someone needs to take JEP-25 as a base, and create a new STANDARDS track JEP
that fixes the security holes in the current implementation and submit it.
Then client authors (like myself) can choose to implement either JEP-25, the
new standards JEP, or both.

Hope this makes sense.

Peter M.