Hi Hiroaki! (Sorry for not being familiar with Japanese names. What part of the name should I use for English internet greetings?)

Hiroaki Nakamura wrote:
> What about performance? I think HTTP proxy passthrough may be faster.
>

Sure ... with proxy passthrough the server can push you new XML packets when they are available. With JEP-0025 it has to wait for the client polling the information. But it's a real problem that this method is not supported by all proxies (because it violates the RFCs not to send a Content-Length header with a POST or PUT request). E.g. it's not possible to use this with an out-of-the-box Squid.

> As for security problems, JEP-0025 with https would be no problem?
> 1. client -"connect jabber.org:443"-> HTTP proxy
> 2. proxy --> jabber.org:443
> 3. jabber.org:443 --> jabber.org:5222 or jabber.org:5223
>

Yes, this would be no problem. But I would layer it up the other way round: make your polls with http and use a jabber-ssl connection over it. You don't have to reestablish the SSL context with every poll then.

> If proxy allows the port other than 443 outbound, then this can
> be simpler:
> 1. client -"connect jabber.org:5223"-> HTTP proxy
> 2. proxy --> jabber.org:5223 with modified jabberd
>

With the proxy-connect method you get a plain connection to the server and don't need to modify the jabberd. The only problem with it is that most proxies only accept connections to port 443 (this can be configured, but in most of the cases you don't have control over the proxy). What I'm doing at my Jabber server (http://amessage.info/) is to listen on port 443 for incoming jabber connections (I'm just forwarding connections to port 443 to port 5222). "CONNECT amessage.info:443" should work with nearly any proxy installation that doesn't block "https".

> The modification is similar to one for "HTTP proxy passthrough".
> The server will parse HTTP headers, and prepend response headers.
> Is this modification easy to implement?
>

With proxy-connect the proxy server gives you a plain socket connection to the Jabber server. You don't have to change anything at the Jabber server.

> Also I wonder whether the security problems do exist in normal
> Exodus xml protocol (port 5222). If you can sniff the digested
> password, is it possible to change the user's password?
>

No ... the problem is not that you can sniff the old password but that the JEP-0025 polling session is "protected" by a Session ID that doesn't change within one session. If you get to know this session ID you can send polls with that session ID and the server part of JEP-0025 will think that this is a packet from the authenticated client and will accept it. (And if you are authenticated the Jabber protocol allows you to change your password without knowing the old password.)

In short: the security problem with JEP-0025 is that you can take over a connection and send packets to the server that will think they are from the authenticated client.

> It seems to me that both options ("HTTP proxy passthrough" and JEP-0025)
> should be implemented and let users have a choice, until better method
> will be found.
>

The security problem of JEP-0025 could be fixed. I have written a working extension of JEP-0025 with a protocol that was discussed in this list some weeks ago. But I have never published this because I am not sure if it is right to do that much work to bypass firewalls without being allowed by the admins of these proxies.

> PS. At Exodus sourceforge site, I have submitted two patches
> http://sourceforge.net/tracker/index.php?func=detail&aid=587361&group_id=2049&atid=202049
> http://sourceforge.net/tracker/index.php?func=detail&aid=587373&group_id=2049&atid=202049
> and one request.
> http://sourceforge.net/forum/forum.php?thread_id=710505&forum_id=5896
>

And what are they for?

Tot kijk
Matthias

--
Fon: +49-700 77007770    http://matthias-wimmer.de/
Fax: +49-89 312 88654    jabber:[EMAIL PROTECTED]

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
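The session-takeover problem described in the mail (a JEP-0025 polling session authenticated by nothing more than a session ID that never changes) can be made concrete with a small simulation. This is an added example, not code from the mail, from Exodus or from jabberd: it models a polling endpoint that accepts any request carrying a known session ID, next to a hypothetical hardened variant in which every poll must also present the pre-image of a hash-chain key the server stored on the previous poll (the idea later revisions of JEP-0025 adopted as a key-sequencing mechanism). All class and function names, the Base64(SHA-1) key derivation, the chain length and the sample stanzas are assumptions of this example.

```python
import base64
import hashlib
import secrets


def next_key(key: str) -> str:
    """Derive the successor of a chain key: Base64(SHA-1(key)).

    The client walks the chain backwards, so seeing K(n) on the wire does not
    reveal the K(n-1) that the next poll must present. (Assumed derivation.)
    """
    return base64.b64encode(hashlib.sha1(key.encode()).digest()).decode()


def make_key_chain(seed: str, length: int) -> list:
    """Return [K(0), K(1), ..., K(length-1)] with K(i+1) = next_key(K(i))."""
    keys = [seed]
    for _ in range(length - 1):
        keys.append(next_key(keys[-1]))
    return keys


class StaticSidServer:
    """Models the behaviour the mail describes: a poll is attributed to the
    authenticated user whenever it carries a session ID the server knows."""

    def __init__(self):
        self.sessions = {}  # sid -> username

    def open_session(self, username: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

    def poll(self, sid: str, stanza: str) -> str:
        # Nothing but the sid is checked, so anyone who learned it is accepted.
        return "ok" if sid in self.sessions else "error"


class KeyChainServer:
    """Hypothetical hardened variant: besides the sid, each poll must carry the
    pre-image of the key stored for the session. A repeated poll fails because
    its key no longer hashes to the stored one, and the session is torn down,
    which also makes the takeover attempt visible to the legitimate client."""

    def __init__(self):
        self.sessions = {}  # sid -> (username, expected_key)

    def open_session(self, username: str, first_key: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = (username, first_key)
        return sid

    def poll(self, sid: str, key: str, new_key, stanza: str) -> str:
        entry = self.sessions.get(sid)
        if entry is None:
            return "error"
        username, expected = entry
        if next_key(key) != expected:
            del self.sessions[sid]  # key mismatch: terminate the session
            return "error"
        # Accepted: the presented key becomes the next expectation, unless the
        # client started a fresh chain and handed over that chain's last key.
        self.sessions[sid] = (username, new_key if new_key else key)
        return "ok"


class KeyChainClient:
    def __init__(self, server: KeyChainServer, username: str, chain_len: int = 3):
        self.server = server
        self.chain_len = chain_len
        self.keys = make_key_chain(secrets.token_hex(16), chain_len)
        self.sid = server.open_session(username, self.keys.pop())  # registers K(n)
        self.last_sent = None  # what an observer on the wire would see

    def poll(self, stanza: str) -> str:
        key = self.keys.pop()  # K(n-1), then K(n-2), ...
        new_key = None
        if not self.keys:  # chain exhausted: build a new one and announce its K(n)
            self.keys = make_key_chain(secrets.token_hex(16), self.chain_len)
            new_key = self.keys.pop()
        self.last_sent = (self.sid, key, new_key, stanza)
        return self.server.poll(self.sid, key, new_key, stanza)


def demonstrate() -> dict:
    """Run both servers against a legitimate client and against a second party
    that merely repeats what it observed. Returns the outcome of each poll."""
    results = {}

    static = StaticSidServer()
    sid = static.open_session("alice")
    results["static_legit"] = static.poll(sid, "<message/>")
    # With a static sid, an observer who learned it is indistinguishable from the client.
    results["static_replay"] = static.poll(sid, "<iq type='set'/>")

    keyed = KeyChainServer()
    client = KeyChainClient(keyed, "alice")
    results["keyed_legit"] = client.poll("<message/>")
    observed = client.last_sent
    results["keyed_rollover"] = client.poll("<message/>")  # exhausts the chain
    # Repeating an observed poll fails: its key has already been consumed.
    results["keyed_replay"] = keyed.poll(*observed)
    # The server tore the session down, so the legitimate client notices too.
    results["keyed_after_replay"] = client.poll("<message/>")
    return results
```

The key presented with each poll is a one-time credential: the server only ever holds the hash of the key it will accept next, and an observer who captures a poll holds a key that the server has already consumed. The cost of this design is that a mismatch ends the session for the real client as well, which is the intended signal that something replayed its traffic.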
