[JDEV] Security and debug
Thomas Muldowney
temas at box5.net
Thu Jun 13 14:28:52 CDT 2002
DJ is right, and this is why I tell people to only use SSL when they are
in a closed controlled environment. The SSL is there to protect the data
while it is on the wire, nowhere else. It only really makes sense in
an environment where all clients are connected with SSL and there is no
s2s traffic.
--temas
On Thu, 2002-06-13 at 13:15, DJ Adams wrote:
> On Thu, Jun 13, 2002 at 11:10:38AM -0500, Ed Giesen wrote:
> > I have been getting a jabberd working with ssl. During my playing around, I
> > noticed that when jabberd is invoked with -D, and clients are using ssl, the
> > debug output still prints out messages, decrypted.
> >
> > I was wondering if this situation has been discussed at all. I know that
> > some information is needed when debugging, even in a secure site, but, is
> > chat content ever needed?
>
> I'm sure there will be lots of different opinions about this; here's
> mine (keeping in mind that these are answers to your / my (imaginary)
> colleagues):
>
> - SSL is to protect the data in transit, not on the server itself
> - it's not just chat messages that go through and need to be debugged
>   it's other traffic too (Jabber isn't just IM ;-)
> - production servers shouldn't be run with -D
> - correspondents have the option of encrypting their messages, independent
>   of whether the conduit itself is encrypted - see jabber:x:encrypted
> - it's not just the -D log that shows chat messages in 'plain' view; what
>   about messages that are stored in the event of the recipients' absence?
>   (this one's a double-edged sword :-)
>
> cheers
> dj
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev