[jdev] sniffing
Alex Kogan
alex at widestep.com
Wed Oct 27 03:18:43 CDT 2004
Hello Alexey,
Thank you for your prompt reply. Please help me with the following
comments.
Wednesday, October 27, 2004, 10:56:43 AM, you wrote:
> On Wednesday 27 October 2004 11:48, Alex Kogan wrote:
>> Hi everyone,
>>
>> I'm new to this mailing list. And I have a question to all Jabber
>> developers concerning security issues. I'm working on a Jabber-like
>> protocol for one-to-many chatting, it will be simpler and used for
>> local needs mostly. I'm writing a server in PHP and would like to
>> find the best way to protect communication in this protocol from
>> sniffing. Is this possible? I was reading through the Jabber RFC and
>> it seems that I should look deeper into the TLS and SASL issues.
> TLS provides an extra crypto-layer so all data passed forth and back will be
> protected - just like if you were working via SSH, for example.
>> However, I was not able to get the idea of how these security issues
>> work in practice. Can you help me giving a practical advice on
>> implementing client-server communication which is somehow encrypted
>> and still be possible to read for server/client and
>> sniffing-protected at the same time? I also had a look into
>> class.jabber.php and its SendAuth() method, but again, I failed to
>> get the idea of md5() encoding. Is the whole conversation encoded
>> further?
> Old auth uses the md5 method for authentication. The password is not decodable -
> the provided info is just enough only for auth.
>>
>> Thank you. Hoping you can help me, at least show the right direction
>> for me.
> You should really consider using TLS.
This is what I cannot understand to the bottom of things. Which
definite steps are involved in this usage? How do I start and go on
with encryption?
> And, BTW - why not use jabber for it? It has support for one-to-many chat. It
> has the name Multi-User-Chat (JEP-0045)
Jabber protocol is very superfluous for our needs, that is why I'm
going to rework the protocol and add some very reserved functionality
it does not have now.
--
Best regards,
Alex mailto:alex at widestep.com
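
The steps asked about above ("How do I start and go on with encryption?"), as an added example that is not part of the original message or of class.jabber.php: a PHP server that accepts one cleartext upgrade request and then wraps the same socket in TLS, the pattern Jabber/XMPP uses for STARTTLS. The command names (STARTTLS, PROCEED, ERR, OK), the port and the certificate paths are assumptions for illustration; PHP 7.4 or later with the openssl extension is assumed.

```php
<?php
// Added example: a line-based chat server that refuses all traffic until the
// connection has been upgraded to TLS. Handles one client at a time.
const CERT_FILE = '/etc/chatd/server.crt';  // hypothetical path, PEM certificate
const KEY_FILE  = '/etc/chatd/server.key';  // hypothetical path, PEM private key

// The ssl options set on the listening socket are inherited by accepted sockets.
$ctx = stream_context_create(['ssl' => [
    'local_cert' => CERT_FILE,
    'local_pk'   => KEY_FILE,
]]);

$server = stream_socket_server('tcp://0.0.0.0:5999', $errno, $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx);
if ($server === false) {
    exit("listen failed: $errstr ($errno)\n");
}

while ($conn = @stream_socket_accept($server, -1)) {
    stream_set_timeout($conn, 30);

    // Step 1: the only cleartext line accepted is the upgrade request.
    $line = fgets($conn, 1024);
    if ($line === false || trim($line) !== 'STARTTLS') {
        fwrite($conn, "ERR tls-required\n");
        fclose($conn);
        continue;
    }
    fwrite($conn, "PROCEED\n");

    // Step 2: run the TLS handshake (server side) on the existing socket.
    $ok = @stream_socket_enable_crypto($conn, true,
        STREAM_CRYPTO_METHOD_TLSv1_2_SERVER | STREAM_CRYPTO_METHOD_TLSv1_3_SERVER);
    if ($ok !== true) {
        fclose($conn);  // handshake failed: never fall back to cleartext
        continue;
    }

    // Step 3: from here on, login and chat lines are encrypted on the wire.
    fwrite($conn, "OK encrypted\n");
    while (($msg = fgets($conn, 4096)) !== false) {
        fwrite($conn, 'ECHO ' . $msg);  // placeholder for auth + chat handling
    }
    fclose($conn);
}
```

The client side performs the same upgrade with stream_socket_enable_crypto() and a STREAM_CRYPTO_METHOD_*_CLIENT constant, and it has to verify the server certificate and refuse to continue if the upgrade is not offered; otherwise the encryption only protects against passive sniffing.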