[Psi-devel] account defaults don't work for google talk

textshell-I1QKlO at neutronstar.dyndns.org
Thu Mar 1 13:37:13 PST 2007


On Thu, Mar 01, 2007 at 10:30:42PM +0100, Remko Tronçon wrote:
> > GOOGLE-TOKEN doesn't give us anything security-wise. The API is
> > plaintext over SSL. So we can use SASL PLAIN directly, nothing
> > gained by going over https, only more possibility to get an SSL
> > cert checking wrong.
> 
> GOOGLE-TOKEN never sends your username or password over the
> connection. It gets a token out of band via https (which is secured
> using certified certificates), and uses this token to authenticate. So
> comparing it with PLAIN is not really correct AFAIK.
> 

Yes, it doesn't send it over the TLS+certificates protected XMPP
connection but over a TLS+certificates protected HTTP connection.
So if we check the certificates for our XMPP connection as securely
as we would with the HTTP connection, it should be the same
security-wise, and less work to code.
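
The condition this reply rests on, that SASL PLAIN is only as safe as the certificate checking on the XMPP connection, as an added Python example that is not part of the original post and is not Psi's code. The function names, the account and the password are constructed for illustration, and checking the `SSLContext` settings stands in for checking the live connection.

```python
import base64
import ssl

XMPP_SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def sasl_plain_message(authcid: str, password: str, authzid: str = "") -> bytes:
    """RFC 4616 message: [authzid] NUL authcid NUL passwd, UTF-8 encoded."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return "\x00".join((authzid, authcid, password)).encode("utf-8")


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates both the chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def plain_auth_stanza(ctx: ssl.SSLContext, authcid: str, password: str) -> str:
    """Build the XMPP <auth/> element, but only for a verifying TLS context."""
    if not context_verifies_peer(ctx):
        raise RuntimeError("refusing SASL PLAIN: TLS context does not verify the server")
    payload = base64.b64encode(sasl_plain_message(authcid, password)).decode("ascii")
    return f"<auth xmlns='{XMPP_SASL_NS}' mechanism='PLAIN'>{payload}</auth>"


def decode_plain(payload: str) -> tuple:
    """What the TLS endpoint receives: base64 is an encoding, not protection."""
    authzid, authcid, password = base64.b64decode(payload).split(b"\x00")
    return authzid.decode(), authcid.decode(), password.decode()


if __name__ == "__main__":
    strict = ssl.create_default_context()   # CERT_REQUIRED + host name check
    lax = ssl.create_default_context()
    lax.check_hostname = False              # must be cleared before CERT_NONE
    lax.verify_mode = ssl.CERT_NONE

    stanza = plain_auth_stanza(strict, "user@example.com", "constructed-password")
    print(stanza)
    print(decode_plain(stanza.split(">")[1].split("<")[0]))
    try:
        plain_auth_stanza(lax, "user@example.com", "constructed-password")
    except RuntimeError as err:
        print(err)
```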

