[jdev] sniffing
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Wed Oct 27 03:14:55 CDT 2004
On Wednesday 27 October 2004 12:56 am, Alexey Nezhdanov wrote:
> On Wednesday 27 October 2004 11:48, Alex Kogan wrote:
> > However, I was not able to get the idea of how these security issues
> > work in practice. Can you help me by giving practical advice on
> > implementing client-server communication which is somehow encrypted
> > and still be possible to read for server/client and
> > sniffing-protected at the same time? I also had a look into
> > class.jabber.php and its SendAuth() method, but again, I failed to
> > get the idea of md5() encoding. Is the whole conversation encoded
> > further?
>
> Old auth uses the md5 method for authentication. The password is not decodable
> - the provided info is just enough for auth.
Was there an older authentication method that used MD5? I'm only aware of the
old iq:auth, which uses SHA1. The modern auth is SASL-based.
> > Thank you. Hoping you can help me, at least show the right direction
> > for me.
>
> You should really consider using TLS.
SASL would be even easier (if PHP can do it...). But yes, he should definitely
use one of these at least. No sense in making a new security protocol.
-Justin
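
Added example, not part of the original message or of class.jabber.php: a sketch of the digest step in the old iq:auth mentioned above, where the client sends the lowercase hex SHA1 of the stream id concatenated with the password. The user name, resource, stream ids, password and message body are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
from xml.sax.saxutils import escape

def iq_auth_digest(stream_id: str, password: str) -> str:
    """Lowercase hex SHA-1 over the stream id concatenated with the password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()

def build_auth_iq(username: str, resource: str, stream_id: str, password: str) -> str:
    """Client side: the stanza carries the digest, never the password itself."""
    digest = iq_auth_digest(stream_id, password)
    return ("<iq type='set' id='auth1'><query xmlns='jabber:iq:auth'>"
            f"<username>{escape(username)}</username>"
            f"<digest>{digest}</digest>"
            f"<resource>{escape(resource)}</resource></query></iq>")

def server_verify(stream_id: str, stored_password: str, received_digest: str) -> bool:
    """Server side: recompute from its own copy of the password, compare in constant time."""
    expected = iq_auth_digest(stream_id, stored_password)
    return hmac.compare_digest(expected.encode(), received_digest.strip().lower().encode())

def demo() -> dict:
    # Constructed sample values, not taken from any real session.
    password = "s3cret-example"
    stream_a, stream_b = "3EE948B0", "7C01D2F9"   # ids the server put in <stream:stream id=...>
    auth = build_auth_iq("alex", "php-client", stream_a, password)
    chat = "<message to='bob@example.org'><body>meet at noon</body></message>"
    wire = auth + chat                              # what a sniffer records without TLS
    captured = iq_auth_digest(stream_a, password)   # the digest as seen on the wire
    return {
        "password_on_wire": password in wire,
        "login_ok": server_verify(stream_a, password, captured),
        "replay_on_new_stream_ok": server_verify(stream_b, password, captured),
        "chat_readable_by_sniffer": "meet at noon" in wire,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digest only covers the login step: the password stays off the wire and a captured digest fails on a stream with a different id, but every stanza after it is still sent in the clear unless the connection runs over TLS.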