[ejabberd] BOSH pre-binding state of the art

Daniel Dormont dan at greywallsoftware.com
Sun Mar 4 21:46:03 MSK 2012


On Sun, Mar 4, 2012 at 5:27 AM, Stefan Strigler <steve at zeank.in-berlin.de> wrote:

>
> On 04.03.2012 at 04:09, Daniel Dormont wrote:
>
> > Thanks for this, it works great on my system (I'm on a sort of
> > hybridized 2.1.6 at the moment).
> >
> > And thanks also to Stefan for supporting it in JSJaC.
>
> :)
>
> >
> > One thing while I'm thinking of it - if I wanted to add the "key"
> > capability in there, what would be the right place to put it?
> >
>
> That's a tough one because ejabberd needs 'keys' right from the beginning
> when initializing the session. So the pre-bind would have to hand over the
> initial set of keys to jsjac somehow. And that's what would make the
> approach totally useless probably as this set of keys can't be trusted
> anymore afterwards. Better to "just" use SSL in order to protect your
> session.
>
>
Fair enough. My production system already uses SSL, which now that I think
it through, means there should be no way short of brute force for a client
to compute another's SID, which makes the key kind of redundant.

dan


> Greets, Stefan
>
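
The "key" capability discussed in this thread is the BOSH (XEP-0124) key sequence. The following is an added example, not part of the original messages and not ejabberd or JSJaC code: it builds the SHA-1 key chain, checks it the way a connection manager would, and shows why keys handed over together with a pre-bound session stop helping once that hand-over has been observed. `key_chain`, `ConnectionManager` and `demo` are hypothetical names, and the seed is constructed sample data.

```python
from __future__ import annotations

import hashlib
import secrets


def sha1_hex(value: str) -> str:
    """Lowercase hex SHA-1, the encoding used for BOSH keys."""
    return hashlib.sha1(value.encode("ascii")).hexdigest()


def key_chain(seed: str, n: int) -> list[str]:
    """K(1) = hex(SHA-1(seed)), K(i) = hex(SHA-1(K(i-1))); returns [K(1)..K(n)]."""
    chain = [sha1_hex(seed)]
    for _ in range(n - 1):
        chain.append(sha1_hex(chain[-1]))
    return chain


class ConnectionManager:
    """Hypothetical stand-in for the server side of one BOSH session."""

    def __init__(self, newkey: str):
        # K(n) arrives as 'newkey' in the request that creates the session.
        self.expected = newkey

    def accept(self, key: str, newkey: str | None = None) -> bool:
        # Valid only if SHA-1 of the presented key equals the last accepted key.
        if not secrets.compare_digest(sha1_hex(key), self.expected):
            return False
        self.expected = newkey or key  # 'newkey' starts a fresh chain
        return True


def demo() -> dict[str, bool]:
    seed = secrets.token_hex(16)              # constructed sample seed
    chain = key_chain(seed, 5)
    cm = ConnectionManager(newkey=chain[-1])  # pre-bind step sends K(5)
    results = {"legit": cm.accept(chain[3])}  # browser continues with K(4)
    # Someone who only saw K(4) on the wire cannot produce K(3):
    results["replay"] = cm.accept(chain[3])
    results["hash_forward"] = cm.accept(sha1_hex(chain[3]))
    # Someone who saw the seed during the pre-bind hand-over can:
    results["from_leaked_seed"] = cm.accept(key_chain(seed, 5)[2])
    return results


if __name__ == "__main__":
    print(demo())
```

The chain only protects requests sent after a key exchange that the observer did not see, which is why the hand-over channel (and the session itself) needs TLS anyway.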