[jdev] Why STARTTLS? [was: IMPORTANT www.jabber.org software listings]

Jefferson Ogata Jefferson.Ogata at noaa.gov
Mon Feb 25 19:24:46 CST 2008


On 2008-02-26 00:55, Dave Cridland wrote:
> I usually hate receiving responses like this one, but they're 
> nonetheless true:
> 
> The great StartTLS vs special-socket debate was over something like 10 
> years ago - possibly more, actually. Even in protocols which don't offer 
> the server id negotiation prior to TLS, as in XMPP, there are other 
> benefits, and these are, IIRC, documented in RFC 2595. Reopening this 
> debate is going to frustrate you, and annoy other people.

I strongly disagree with that statement, and I could equally state that 
the "debate is over" and resolved against STARTTLS; in fact, I've 
already presented argument for this. This started with the question "why 
STARTTLS?" and so far, the response has been, "Because." If you think 
the debate is over, surely you can do better.

RFC 2595 defines STARTTLS for a couple of protocols. It doesn't dispense 
with the debate; on the contrary, it is loaded with additional 
requirements for server and client behavior just for the purpose of 
protecting credentials where STARTTLS is used.

I spend entirely too much time trying to protect credentials in 
STARTTLS-based protocols. Anyone in the position of actually trying to 
keep clients from sending credentials in the clear fully understands the 
dramatic inferiority of STARTTLS. If all code were perfect, maybe this 
would be less so. Reality is that a lot of people (perhaps most) write 
crap code.

Encrypt first; ask questions later. People who don't understand this 
don't frustrate or annoy me--I just don't think much of them.

> There is an advantage to socket based TLS, however, which is usually 
> overlooked - it's fewer round-trips. We'll hopefully address this in due 
> course on standards@, though.

If the protocol provided certificate CN prenegotiation there would be at 
least *one* argument in favor of using STARTTLS. If, as you say, XMPP 
provides no such capability, then it's a no-brainer that STARTTLS is the 
WRONG approach. I know you hate receiving responses like these, but they 
are nonetheless true.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
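
[Added example, not part of the original message or of any project discussed in it.] One way to audit for the failure described above, credentials sent before TLS is up, using the IMAP profile of RFC 2595 (its STARTTLS command and LOGINDISABLED capability). The function name audit_session and the sample sessions are constructed for illustration.

```python
import re

# Constructed sample: pre-TLS IMAP traffic as a passive observer would see it.
# "C"/"S" mark client and server lines; the account and password are made up.
SAMPLE_BAD = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    ("C", "a1 LOGIN alice hunter2"),
    ("S", "a1 NO LOGIN disabled"),
]
SAMPLE_GOOD = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    ("C", "a1 STARTTLS"),
    ("S", "a1 OK begin TLS negotiation now"),
]

CRED_CMD = re.compile(r"^(\S+)\s+(LOGIN|AUTHENTICATE\s+PLAIN)\b", re.I)
STARTTLS_CMD = re.compile(r"^(\S+)\s+STARTTLS\s*$", re.I)


def audit_session(lines):
    """Return findings for credentials exposed before TLS was established."""
    findings, caps, pending = [], set(), None
    for side, text in lines:
        if side == "S":
            if text.startswith("*"):  # untagged data may carry capabilities
                m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", text, re.I)
                if m:
                    caps = {c.upper() for c in m.group(1).split()}
            elif pending and text.split(" ", 1)[0] == pending:
                if text.upper().startswith(pending.upper() + " OK"):
                    return findings  # TLS begins; nothing after is visible
                pending = None  # STARTTLS refused, session stays cleartext
            continue
        m = STARTTLS_CMD.match(text)
        if m:
            pending = m.group(1)  # remember the tag, wait for the server's OK
            continue
        m = CRED_CMD.match(text)
        if m:
            verb = " ".join(m.group(2).upper().split())
            findings.append(f"cleartext {verb} (tag {m.group(1)})")
            if "LOGINDISABLED" in caps:
                findings.append("client ignored LOGINDISABLED")
            if "STARTTLS" not in caps:
                findings.append("server did not advertise STARTTLS")
    return findings
```

Note that in SAMPLE_BAD the server's refusal arrives only after the password has already crossed the wire, so the finding stands regardless of the NO response.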


