[jdev] sniffing

Alex Kogan alex at widestep.com
Thu Oct 28 01:46:30 CDT 2004


Hello Justin,

 Thank you very much, it is much more clear now. Will look through
 other messages and ask further if I feel the need.

Wednesday, October 27, 2004, 12:08:07 PM, you wrote:

> On Wednesday 27 October 2004 01:26 am, Alex Kogan wrote:
>> Hello Justin,
>>
>> > SASL would be even easier (if PHP can do it...).  But yes he should
>> > definitely use one of these at least.  No sense in making a new security
>> > protocol.
>>
>>  I do not intend to invent a new security protocol, I will rework XMPP
>>  for my needs, however, I need some practical advice on implementing
>>  either SASL or TLS to prevent sniffing.

> Get some libraries. :)

> TLS acts as a filter over your entire connection.  When you have data to
> write, you instead write it to your TLS library for encryption first.  When
> data comes from the TCP socket, you pass it to your TLS library to have it
> decrypted.  It acts as a middleman for your socket.  There is an initial
> negotiation phase where optional certificates are exchanged so that both
> parties can identify themselves.  The most common case is for the client to
> not provide one (anonymous), but the server does.  The client will then prove
> who it is later using a separate authentication method over this 
> now-encrypted connection.

> SASL is similar, but it has two phases.  The first step is authentication,
> whereby the client and server exchange blocks of data constructed by each
> others' SASL libraries.  The applications themselves pass this data across as
> defined by the application protocol (for example, in XMPP, the SASL auth
> blocks are Base64-encoded and placed in an XML element).  Once the login is
> complete, the application then runs all further incoming and outgoing data
> through the SASL library (just like how TLS works) to encrypt the connection.

> In XMPP, we generally use TLS for connection encryption, with either SASL or
> some older mechanism for login/password authentication.  The reason for using
> both when SASL should suffice is because SASL is relatively new to the world
> of Jabber.

> -Justin
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mail.jabber.org/mailman/listinfo/jdev



-- 
Best regards,
 Alex                            mailto:alex at widestep.com
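The SASL exchange Justin describes (opaque SASL bytes, Base64-encoded and placed in an XML element, with the server answering success or failure) as an added worked example in Python; this is not code from the thread or from any XMPP library. It assumes the PLAIN mechanism (RFC 4616), a hypothetical in-memory credential dictionary standing in for the server's user store, and that the element is sent only over a connection already wrapped in TLS, as the thread recommends.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def plain_initial_response(authzid, authcid, password):
    """Client side: the SASL PLAIN block (RFC 4616): authzid NUL authcid NUL password."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))


def build_auth_element(mechanism, sasl_block):
    """Client side: Base64 the opaque SASL bytes and wrap them in an XMPP <auth/> element."""
    el = ET.Element("auth", {"xmlns": SASL_NS, "mechanism": mechanism})
    el.text = base64.b64encode(sasl_block).decode("ascii")
    return ET.tostring(el, encoding="unicode")


def sasl_failure(condition):
    """Server side: <failure/> carrying one of the SASL error conditions from RFC 6120."""
    return f'<failure xmlns="{SASL_NS}"><{condition}/></failure>'


def server_handle_auth(xml_text, credentials):
    """Server side: unwrap the <auth/> element, decode the Base64 block and verify PLAIN
    credentials. `credentials` is a constructed {username: password} dict (hypothetical
    stand-in for a real backend); only PLAIN is accepted, and only after TLS."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SASL_NS}}}auth":
        return sasl_failure("malformed-request")
    if el.get("mechanism") != "PLAIN":
        return sasl_failure("invalid-mechanism")
    try:
        raw = base64.b64decode(el.text or "", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return sasl_failure("incorrect-encoding")
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return sasl_failure("malformed-request")
    _authzid, authcid, password = parts
    expected = credentials.get(authcid.decode("utf-8", "replace"))
    # constant-time compare so a wrong password is not distinguishable by timing
    if expected is None or not hmac.compare_digest(expected.encode("utf-8"), password):
        return sasl_failure("not-authorized")
    return f'<success xmlns="{SASL_NS}"/>'


if __name__ == "__main__":
    store = {"alice": "s3cret"}  # constructed sample credential store
    auth = build_auth_element("PLAIN", plain_initial_response("", "alice", "s3cret"))
    print(auth)
    print(server_handle_auth(auth, store))
```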



