On 13.02.2017 21:57, Travis Burtrum wrote:
On 02/13/2017 02:26 PM, Ruslan N. Marchenko wrote:
So security here will be just in the sense "all or nothing" -
either you pass through (non-paranoid) or not (paranoid).
That's not true though, there are firewalls in practice today that only
allow HTTP on port 80, and only TLS on port 443, but do not MITM TLS.
Yes, and that's what is written as the XEP's use-case - how to abuse a corporate firewall by masking im/p2p software as legitimate business traffic (https). This is not fair, and if I were a CSO who found out about such a "use-case" in the network I'd just order to block pass-through TLS, pushing people to use either an explicit or implicit (transparent) proxy.

With all due respect and honesty, I thought the times when there was a separate port for encrypted/non-encrypted traffic had passed, replaced by the start-tls concept. The <required/> starttls feature is quite transparent and flexible; if someone strips it, the server just refuses to progress the handshake. I don't understand what we need to hide here by summoning port 5223 from oblivion.

If TLS is MITM'd with a custom CA installed on your device then TLS
doesn't protect you from the MITM of course, and this won't address that.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
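As an added illustration of the STARTTLS-required point made in the message above (example code, not part of the thread or any project discussed in it): a client-side policy check that parses the server's stream:features and refuses to continue in plaintext when the <starttls/> element is missing. The feature stanzas are constructed samples; the function names `starttls_status` and `client_next_step` are assumptions for the example, and the "stripped" sample stands for a middlebox having removed the element.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample: features a server sends after the initial stream header when
# STARTTLS is mandatory (the <required/> child from RFC 6120).
FEATURES_REQUIRED = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '</stream:features>'
)

# Constructed sample: STARTTLS offered but not marked required.
FEATURES_OPTIONAL = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
    '</stream:features>'
)

# Constructed sample: the same stream with the <starttls/> element stripped by an
# on-path device, so only the SASL mechanisms remain (the classic downgrade).
FEATURES_STRIPPED = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)


def starttls_status(features_xml: str) -> str:
    """Classify the server's STARTTLS offer: 'required', 'optional' or 'absent'."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def client_next_step(features_xml: str, require_tls: bool = True) -> str:
    """Decide the client's next action from the advertised features.

    A client that insists on TLS must treat a missing <starttls/> as an error,
    never as permission to continue in plaintext; otherwise stripping the
    feature is enough to downgrade the session.
    """
    status = starttls_status(features_xml)
    if status in ("required", "optional"):
        return "send <starttls/>"
    if require_tls:
        return "abort: TLS not offered"
    return "continue in plaintext"


if __name__ == "__main__":
    for name, sample in (("required", FEATURES_REQUIRED),
                         ("optional", FEATURES_OPTIONAL),
                         ("stripped", FEATURES_STRIPPED)):
        print(f"{name:9s} -> {starttls_status(sample):9s} -> {client_next_step(sample)}")
```

The server-side refusal described in the message handles the case where the server sees no TLS; this check is the client-side complement, so that a stripped feature list results in an aborted stream rather than a silent plaintext login.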