On 13.01.2013 09:47, Justin Karneges wrote:
> On Saturday, January 12, 2013 01:03:59 PM Jonas Wielicki wrote:
>> It seems just natural to me to use XMPP for that purpose, however, I'm a
>> bit cautious with just accepting the XMPP server's authentication. I know
>> that I'm pretty safe when I'm doing that between my own servers running
>> on the same machine, but from outwards I could easily be MITM'd.
>
> Good point. I think this problem can be mostly solved with TLS and s2s. My
> plan, which I have not yet implemented, is to allow setting a "TLS required"
> flag on any whitelisted JID. The XMPP server itself would not enforce TLS, and
> instead negotiate it opportunistically, but I'd need to hack it to tell my
> server app whether an incoming stanza arrived from a TLS-protected stream or
> not, so that my server app could make the choice of whether to accept or
> reject.
In that case, you have to make sure that your server properly validates
certificates and such, which won't work with all other servers. See gtalk,
which doesn't do any s2s TLS.

There has been some discussion on the operator list about the topic of
certificates and trust a few weeks ago, which started about here[1].

--
Jonas

[1]: http://mail.jabber.org/pipermail/operators/2012-December/001540.html

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
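The policy that the two messages above sketch (a per-JID "TLS required" flag on a whitelist, with the XMPP server reporting whether the delivering s2s stream was TLS-protected, and Jonas's point that TLS alone is worthless unless the peer certificate is actually validated) can be expressed as a small decision function. The following is an added example written for this thread, not code from either poster or from any XMPP server; the whitelist entries, the `StreamInfo` fields and the sample stanzas are all constructed assumptions about what a patched server would hand to the server app.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed whitelist for this example: the domain part of each allowed JID,
# with the per-entry "TLS required" flag described in the thread.
WHITELIST: Dict[str, bool] = {
    "trusted.example.org": True,   # must arrive over verified TLS
    "legacy.example.net": False,   # plaintext or opportunistic TLS is accepted
}


@dataclass
class StreamInfo:
    """Facts a (hypothetically patched) XMPP server reports about the s2s stream
    that delivered a stanza. Field names are assumptions for this example."""
    peer_domain: str            # domain the remote server authenticated as
    tls_active: bool            # stream was upgraded with STARTTLS
    cert_verified: bool         # peer certificate chains to a trusted CA
    cert_matches_domain: bool   # certificate actually names peer_domain


def jid_domain(jid: str) -> str:
    """Return the lower-cased domain part of a JID ('user@host/resource' -> 'host')."""
    host = jid.split("@", 1)[1] if "@" in jid else jid
    return host.split("/", 1)[0].lower()


def decide(stanza_from: str, stream: StreamInfo) -> Tuple[bool, str]:
    """Accept or reject a stanza from the whitelist and the stream's properties.

    Returns (accepted, reason); a rejection names the first failed check so
    the outcome can be logged.
    """
    domain = jid_domain(stanza_from)
    if domain not in WHITELIST:
        return False, f"{domain} is not whitelisted"
    # Never trust the stanza's 'from' by itself: it must match the domain the
    # XMPP server says the stream was authenticated for.
    if domain != stream.peer_domain.lower():
        return False, f"'from' domain {domain} does not match stream peer {stream.peer_domain}"
    if not WHITELIST[domain]:
        return True, f"{domain} accepted (TLS not required)"
    # TLS required: opportunistic STARTTLS is not enough on its own. Without a
    # verified certificate that names the peer, the stream may still have been
    # terminated by someone in the middle (the objection raised in the reply).
    if not stream.tls_active:
        return False, f"{domain} requires TLS but the stanza arrived on a plaintext stream"
    if not stream.cert_verified:
        return False, f"{domain} requires TLS but the peer certificate did not verify"
    if not stream.cert_matches_domain:
        return False, f"{domain} requires TLS but the peer certificate does not name {domain}"
    return True, f"{domain} accepted over verified TLS"


def run_examples() -> Dict[str, bool]:
    """Constructed sample stanzas covering each accept/reject path."""
    cases = {
        "verified_tls": ("alice@trusted.example.org/home",
                         StreamInfo("trusted.example.org", True, True, True)),
        "plaintext_but_required": ("alice@trusted.example.org",
                                   StreamInfo("trusted.example.org", False, False, False)),
        "tls_unverified_cert": ("alice@trusted.example.org",
                                StreamInfo("trusted.example.org", True, False, False)),
        "tls_wrong_name": ("alice@trusted.example.org",
                           StreamInfo("trusted.example.org", True, True, False)),
        "from_mismatch": ("alice@trusted.example.org",
                          StreamInfo("legacy.example.net", False, False, False)),
        "legacy_plaintext": ("bob@legacy.example.net",
                             StreamInfo("legacy.example.net", False, False, False)),
        "unknown_domain": ("carol@unknown.example",
                           StreamInfo("unknown.example", True, True, True)),
    }
    return {name: decide(jid, stream)[0] for name, (jid, stream) in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_examples().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

The three separate TLS checks are the point: the server app should be told not just "TLS was negotiated" but whether the certificate verified and whether it names the domain the stanza claims to come from; a flag for only the first of those would accept exactly the intercepted stream Jonas warns about.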
