On 19-03-14 17:27, Olle E. Johansson wrote:
> Sorry for repeating myself... But a big problem with this that we
> need to work together to solve is the ability to validate TLS in
> javascript environments. There has been a lot of work to standardise
> how we set up a TLS connection to a server and validate the cert with
> the address we want to reach.
>
> In the browser environment our application is in the dark. We just
> have to trust the browser. Will an application using BOSH or
> Websockets even know if the connection is protected by TLS?

Hi Olle,

I hope I am not repeating an old discussion, but I am wondering how big this problem really is.

If you are running a BOSH client from within the browser, you have to trust the integrity of your browser anyway. And even in the case where you use such a client to connect with CORS to a foreign server, you can still tell your client to use https. The browser must warn when the https connection fails for some reason.

The only thing that is out of reach is forcing a certain cipher set from the browser-based client. But that can be mitigated server side.

But please let me know if I am missing something here...

Winfried
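The client-side enforcement Winfried describes, as an added example that is not from this thread or any XMPP library: the script cannot inspect the TLS session, but it can refuse to open a BOSH or WebSocket transport unless the endpoint URL carries a TLS-protected scheme. The hostnames are made up, and the WebSocket constructor is passed in so the check can run outside a browser.

```javascript
// Added example (not from the thread). A browser-side XMPP client has no view of
// the TLS handshake, cipher suite or certificate; the browser owns all of that.
// What the client does control is the endpoint it connects to, so it can enforce
// by construction that only https: (BOSH) or wss: (WebSocket) endpoints are used.

// Map of allowed URL schemes to the transport they carry.
const SECURE_SCHEMES = { 'https:': 'bosh', 'wss:': 'websocket' };

// Parses the endpoint and returns { transport, host, url } if the scheme is
// TLS-protected; throws for plain http:/ws: or for anything that is not a URL.
function requireSecureEndpoint(endpoint) {
  let url;
  try {
    url = new URL(endpoint);
  } catch (e) {
    throw new Error(`invalid endpoint URL: ${endpoint}`);
  }
  const transport = SECURE_SCHEMES[url.protocol];
  if (!transport) {
    throw new Error(
      `refusing ${url.protocol} endpoint; only https: (BOSH) or wss: (WebSocket) are allowed`
    );
  }
  return { transport, host: url.host, url: url.href };
}

// Boolean form of the same check, for callers that prefer not to catch.
function isSecureEndpoint(endpoint) {
  try {
    requireSecureEndpoint(endpoint);
    return true;
  } catch (e) {
    return false;
  }
}

// Opens the WebSocket transport only after the scheme check has passed.
// In a browser you would pass the global WebSocket; 'xmpp' is the subprotocol
// name used by XMPP over WebSocket.
function openWebSocket(endpoint, WebSocketCtor, protocols = ['xmpp']) {
  const { transport, url } = requireSecureEndpoint(endpoint);
  if (transport !== 'websocket') {
    throw new Error(`expected a wss: endpoint, got ${transport}`);
  }
  return new WebSocketCtor(url, protocols);
}
```

What the check does not give you is any say over the cipher suite or certificate validation, which is exactly the part the thread says has to be handled by the server configuration.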
