[JDEV] Security and debug
DJ Adams
dj.adams at pobox.com
Thu Jun 13 13:15:42 CDT 2002
On Thu, Jun 13, 2002 at 11:10:38AM -0500, Ed Giesen wrote:
> I have been getting a jabberd working with ssl. During my playing around, I
> noticed that when jabberd is invoked with -D, and clients are using ssl, the
> debug output still prints out messages, decrypted.
>
> I was wondering if this situation has been discussed at all. I know that
> some information is needed when debugging, even in a secure site, but, is
> chat content ever needed?
I'm sure there will be lots of different opinions about this; here's
mine (keeping in mind that these are answers to your / my (imaginary)
colleagues):
- SSL is to protect the data in transit, not on the server itself
- it's not just chat messages that go through and need to be debugged;
  it's other traffic too (Jabber isn't just IM ;-)
- production servers shouldn't be run with -D
- correspondents have the option of encrypting their messages, independent
  of whether the conduit itself is encrypted - see jabber:x:encrypted
- it's not just the -D log that shows chat messages in 'plain' view; what
  about messages that are stored in the event of the recipients' absence?
  (this one's a double-edged sword :-)
cheers
dj