I agree, and I strongly recommend against the use of JEP-0025 as-is for any remotely sensitive purposes.
We have been aware of the security problems for two months and have proposed multiple viable solutions, but nothing has been fixed. This JEP either needs to be fixed or withdrawn.

The relevant discussion appears here:

http://mailman.jabber.org/pipermail/council/2002-April/000245.html
http://mailman.jabber.org/pipermail/standards-jig/2002-April/000758.html

-Mike

[EMAIL PROTECTED]f.de
Sent by: jdev-admin@jabber.org
06/06/2002 09:27 AM
Please respond to jdev

To: [EMAIL PROTECTED]
cc:
Subject: Re: [JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)

On Thu, 6 Jun 2002, Matthias Wimmer wrote:

> I have enhanced the JabberApplet to support Jabber HTTP Polling and I
> have written a server side implementation as a Java Servlet.

Note JEP-0025 is very insecure (in fact it is less secure than standard connections with clear text authentication). There were some discussions and solutions posted to the standards-jep and council mailing list but up to now there was no response by the jabber.com people.

I think it would be best to implement one of the proposed protocols that are secure and to patch the clients supporting HTTP polling. It's not that much work and should be done NOW.

Regards

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
