What's going on with XEP-101: HTTP Authentication Using Jabber
Tickets[2]? It's "Deferred", yet it seems to, more or less, do the
same thing in a better fashion.
Although the HTTP client needs to support a new authentication method,
this seems closer to the ideal. But the authentication itself is
somewhat weak - it's relying on ticket expiration to try to mitigate
replay attacks, and pretty well all of the Security Considerations
section looks a little hand-wavy to my (jaded and cynical) eyes.
Well, unfortunately that's because I rather gave up, as no one really
seemed interested in it (as well as others being hostile towards it),
but if you can suggest any improvements they would be very welcome; I'd
be perfectly happy to start work on it again if people are interested in
it and can provide suggestions.
However, the form of the ticket in XEP-0101 is really no better than a
plaintext password, so I'm not too keen on that either - if you're
going to go to the extent of having a new HTTP authentication method,
it seems logical to make it secure.
It is better than a plaintext password in that it expires and cannot be
easily faked (unless someone somehow gets hold of your private key), but
yes, if sniffed on the wire it could then be submitted to the server by
someone else, although that could be mitigated to an extent with extra
security verification in the ticket, like IP address etc., or even
better by requiring that the key is submitted over an SSL/TLS connection.
But then this is no different really from websites that use cookies for
their session identifiers once you have logged into them: they can be
easily sniffed over the wire and then submitted to the server, and the
server will think they are you.
For some background, I created the tickets spec based on what I have
been doing in a Jabber client I've been working on that has web-based
tabs and dialogs in the interface that require you to be authenticated
to the website with your Jabber ID to be able to properly interact with
it. XEP-0070 is just not usable for that sort of automatic logging in,
and because the browser is embedded in the client it's also easy to
implement without needing to write full-blown browser extensions, and
it seems to work very well. It's also handy not needing to write Jabber
components into the web server or the web pages you are writing; all you
need is to use your language's public key encryption libraries, so nothing
particularly custom needs to be done.
Richard