[JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)
admin at jabber.fsinf.de
Fri Jun 7 10:01:22 CDT 2002
On Fri, 7 Jun 2002, Joe Hildebrand wrote:
> Next, there *is no way* for me to modify our current product in the
> timeframes involved, due to our existing release cycle. Once we have a
> standards-track JEP approved, we'll see if we can support it in a future
> version.
Okay. I just wondered why no one from jabber.com commented on the security
issues and/or pointed out how jabber.com intends to act concerning these
issues.
The whole point is that widespread implementations of this protocol
should be avoided but without discussion this will be a fait accompli.
> 3) Same as 2, but add some big bold letters that say "THIS PROTOCOL IS
> INSECURE. ITS USE IS DISCOURAGED." Frankly, I'm fine with that.
I agree.
I think we should try to set up some standards track JEP quickly. Perhaps
you can refer to that JEP then in JEP-0025 or simply withdraw it.
See discussion in standards-jig.
> I'd like to see more people document protocols that they are using as
> informational,
Of course.
> to at least seed the discussion of what ought to be a standard.
Well, discussion has to take place then. I got no real response when
contacting you even by mail (no offense).
> As I've said to a couple of people, I think that HTTP polling is a security
> nightmare, no matter how it's implemented.
Well now it's a nightmare for both user and firewall admin. With a proper
protocol it's only a nightmare for the firewall admin ;-).
> I believe that if you do your polling over HTTPS, none of the stated attacks
> are possible, as far as I know.
Of course. Polling over HTTPS is both a bandwidth and processing power
nightmare for the server though - as you said.
Regards