On Fri, 7 Jun 2002, Joe Hildebrand wrote:

> Next, there *is no way* for me to modify our current product in the
> timeframes involved, due to our existing release cycle. Once we have a
> standards-track JEP approved, we'll see if we can support it in a future
> version.

Okay. I just wondered why no one from jabber.com commented on the security issues and/or pointed out how jabber.com intends to act concerning these issues. The whole point is that widespread implementations of this protocol should be avoided but without discussion this will be a fait accompli.

> 3) Same as 2, but add some big bold letters that say "THIS PROTOCOL IS
> INSECURE. ITS USE IS DISCOURAGED." Frankly, I'm fine with that.

I agree. I think we should try to set up some standards track JEP quickly. Perhaps you can refer to that JEP then in JEP-0025 or simply withdraw it. See discussion in standards-jig.

> I'd like to see more people document protocols that they are using as
> informational,

Of course.

> to at least seed the discussion of what ought to be a standard.

Well, discussion has to take place then. I got no real response when contacting you even by mail (no offense).

> As I've said to a couple of people, I think that HTTP polling is a security
> nightmare, no matter how it's implemented.

Well now it's a nightmare for both user and firewall admin. With a proper protocol it's only a nightmare for the firewall admin ;-).

> I believe that if you do your polling over HTTPS, none of the stated attacks
> are possible, as far as I know.

Of course. Polling over HTTPS is both a bandwidth and processing power nightmare for the server though - as you said.

Regards

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
