[jdev] GSSAPI and service hostname
Peter Saint-Andre
stpeter at stpeter.im
Thu Jan 15 11:19:44 CST 2009
Justin Karneges wrote:
> On Thursday 15 January 2009 08:51:30 Peter Saint-Andre wrote:
>> As we discussed in the jdev room yesterday, I think you would use the
>> machine-name that you discovered via SRV lookup:
>>
>> http://logs.jabber.org/jdev@conference.jabber.org/2009-01-14.html#16:01:06
>
> Yes, this is the consensus.
>
> There is, however, some worry about DNS-based attacks, since the connect host
> is derived insecurely through the SRV lookup.
Correct.
> One obvious but totally
> impractical fix is to use DNSSEC.
DNSSEC is seeing more deployment, but it's taking a long time. I don't
know that I'd call it totally impractical, though.
> Another is to use XEP-233.
AFAIK, no servers implement that yet, and in any case it was designed
for a slightly different use case (basically situations in which DNS SRV
results don't tell you the hostname of the connection manager you're
talking to because load balancers are in use).
> Yet another is
> to offer some explicit trust mechanisms in the client (e.g. a field where the
> user can type the connect host in advance, to mark as trusted).
Right. This is similar to how some clients handle such things now. See
rfc3920bis for details:
http://xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-08.html#tcp-resolution
/psa
More information about the JDev
mailing list