Another entry in the internet security hall of shame....
Perry E. Metzger
perry at piermont.com
Fri Aug 26 08:55:05 EDT 2005
Eric Rescorla wrote:
>> Most chat protocols (and Jabber in particular) are server-oriented
>> protocols. So, the SSL certificate in question isn't that of your
>> buddy but rather of your Jabber server.
Adam Back <adam at cypherspace.org> writes:
> Thats broken, just like the "WAP GAP" ... for security you want
> end2end security, not a secure channel to an UTP (untrusted third
> party)!
Remember that Jabber and similar protocols also trust servers to some
extent. Servers store and distribute valuable information like
presence data -- it is architecturally hard to do otherwise. That
means that you also want to be sure you're talking to the right
server (and that the server wants to be sure it is talking to an
authenticated client).
I agree that you *also* want end to end, such as pgp over Jabber
provides. I really wish Gaim supported the pgp over Jabber stuff the
way PSI does...
Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list