[Psi-devel] account defaults don't work for google talk

Remko Tronçon remko at el-tramo.be
Thu Mar 1 13:45:09 PST 2007


> Yes, it doesn't send it over the TLS+certificates protected XMPP
> connection but over a TLS+certificates protected HTTP connection.
> So if we check the certificates for our XMPP connection as securely
> as we would do it with the HTTP connection, it should be the same
> security-wise, and less work to code.

The problem is that we allow self-signed certificates for XMPP
servers, because nobody except Google has a 'real' certificate. So we
can't use PLAIN and enforce validation, because we need to allow
servers that don't have proper certificates (and no, we can't make an
exception for gmail.com, because there is no way to check whether a
server is hosted by Google Talk; anybody can use it these days).

With GOOGLE-TOKEN, we *can* impose that the certificate must validate,
because there is only one login server, and it is a part of the
authentication mechanism (not an exception for a server).

cheers,
Remko
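The policy described above, as an added illustration that is not code from Psi or from this thread: certificate validation is keyed on the authentication mechanism rather than on the server's domain, since any domain may be hosted by Google Talk. The login host name is a placeholder assumption.

```python
import ssl

# Placeholder for the single GOOGLE-TOKEN login server; not taken from the post.
TOKEN_LOGIN_HOST = "login.example.invalid"


def xmpp_server_context() -> ssl.SSLContext:
    """TLS policy for an arbitrary XMPP server.

    Most servers present self-signed certificates, so chain validation
    cannot be enforced without locking those users out. check_hostname
    must be disabled before verify_mode can be relaxed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def token_login_context() -> ssl.SSLContext:
    """TLS policy for the GOOGLE-TOKEN login endpoint.

    There is exactly one login server with a CA-issued certificate, so
    full chain and hostname validation is enforced as part of the
    mechanism itself (the defaults of create_default_context).
    """
    return ssl.create_default_context()


def validation_enforced(mechanism: str) -> bool:
    """True when the chosen mechanism requires a validated certificate."""
    return mechanism == "GOOGLE-TOKEN"


def context_for(mechanism: str) -> ssl.SSLContext:
    """Select the TLS policy by mechanism, never by JID domain: a special
    case for gmail.com would not cover the other domains Google hosts."""
    if validation_enforced(mechanism):
        return token_login_context()
    return xmpp_server_context()


if __name__ == "__main__":
    for mech in ("PLAIN", "GOOGLE-TOKEN"):
        ctx = context_for(mech)
        print(mech, ctx.verify_mode.name, "check_hostname=%s" % ctx.check_hostname)
```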

