XEP-0065 (Socks5 Bytestreams) states in the "security considerations"
section that "negotiation of [SSL/TLS] is outside the scope of this
document". I believe this is no longer valid. For example, consider
XEP-0189 (Public Key Publishing), and how the XMPP protocol could be
used to help enable TLS encryption using self-signed certificates.
I'd like to present a modest change to the protocol, which is
backwards compatible, that would enable two clients to secure a
bytstream connection, with the help of XMPP.
It only involves 2 changes:
1) The initiator informs the target that it supports encryption of the
bystream connection. This can simply be tacked onto the initial
message sent from initiator to target (section 4.5). Here is one
simple example of how this might be done:
<iq type='set'
from='[email protected]/foo'
to='[email protected]/bar' id='initiate'>
<query xmlns='http://jabber.org/protocol/bytestreams'
sid='mySID'
mode='tcp'
encryption="yes">
<streamhost jid='streamhostproxy.example.net'
host='24.24.24.1'
port='5086'/>
</query>
</iq>
2) When the target tells the initiator which streamhost it used
(section 4.7), it simply sends it's public key in the message. This
might be done like so:
<iq type='result'
from='[email protected]/bar'
to='[email protected]/foo'
id='initiate'>
<query xmlns='http://jabber.org/protocol/bytestreams'>
<streamhost-used jid='streamhostproxy.example.net'/>
<publicKey>5AF9...[publicKeyInHex]...2C4</publicKey>
</query>
</iq>
The initiator and target can now secure their connection using SSL/
TLS. The initiator will simply allow self-signed certificates, and
then, upon successful TLS handshake, it will make sure the public key
used matches the public key it received via XMPP.
-Robbie Hanson
-Deusty Designs
