[Psi-devel] account defaults don't work for google talk

textshell-I1QKlO at neutronstar.dyndns.org textshell-I1QKlO at neutronstar.dyndns.org
Thu Mar 1 14:09:43 PST 2007


On Thu, Mar 01, 2007 at 10:45:09PM +0100, Remko Tronçon wrote:
> > Yes it doesn't send it over the TLS+certificates protected XMPP
> > connection but over a TLS+certificates protected HTTP connections.
> > So if we check the certificates for our XMPP connection as secure
> > as we would do it with the HTTP connection it should be the same
> > security wise, and less work to code.
> 
> The problem is that we allow self-signed certificates for XMPP
> servers, because nobody except google has a 'real' certificate. So we
> can't use PLAIN and enforce validation, because we need to allow
> servers that don't have proper certificates (and no, we can't make an
> exception for gmail.com, because there is no way to check whether a
> server is hosted by Google Talk; anybody can use it these days).
> 
> With GOOGLE-TOKEN, we *can* impose that the certificate must validate,
> because there is only one login server, and it is a part of the
> authentication mechanism (not an exception for a server).
> 

We could force users to import their servers' certs into psi and
only then use PLAIN over TLS if the user selected the
"plaintext over encrypted" option.

Every XMPP server I have accounts on has a cert that is at least signed
by a local CA for TLS¹. So it seems that it's only a matter of
importing the right CA cert into psi's keystore and everything
is well.
I think it's realistic to expect that every bigger XMPP server
has the needed certs downloadable at the website.
There's no excuse to use self-signed certs; at least a local
pseudo-CA can be expected. And there's the "allow it anyway"
option left for the users that have some bad hacky server that
doesn't have usable certs.

 - Martin
 
 
¹ at least if psi doesn't accept self-signed certs without a
  warning if SSL warnings are enabled. If it does, it's a bug we
  need to fix ASAP.
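The mechanism-selection policy argued over in this thread, written out as an added example (not Psi's code): GOOGLE-TOKEN only when the server certificate validates against the keystore, PLAIN only over TLS and only with the "plaintext over encrypted" option, with "allow it anyway" as the user's escape hatch for a self-signed cert. The mechanism list and the DIGEST-MD5 branch are assumptions for the example, not something the thread states.

```python
from enum import Enum
from typing import Optional, Sequence


class Cert(Enum):
    """Outcome of checking the server certificate against psi's keystore."""
    VALID = "chain verifies against an imported CA cert"
    SELF_SIGNED = "self-signed or unknown issuer"
    NONE = "no TLS on this connection"


# Order of preference; constructed for this example.
PREFERRED = ("GOOGLE-TOKEN", "DIGEST-MD5", "PLAIN")


def choose_mechanism(offered: Sequence[str], cert: Cert,
                     plain_over_encrypted: bool,
                     allow_bad_cert_anyway: bool) -> Optional[str]:
    """Pick the SASL mechanism to use, or None to abort the login.

    - GOOGLE-TOKEN: only with a validated certificate, since there is a
      single login server and validation is part of the mechanism.
    - DIGEST-MD5 (assumed offered by ordinary servers): the password is
      never sent in the clear, so no certificate rule is needed.
    - PLAIN: only over TLS, only when the user enabled "plaintext over
      encrypted", and only if the cert validates or the user chose
      "allow it anyway" for a server without usable certs.
    """
    for mech in PREFERRED:
        if mech not in offered:
            continue
        if mech == "GOOGLE-TOKEN":
            if cert is Cert.VALID:
                return mech
            continue  # no validated cert: fall through to other mechanisms
        if mech == "DIGEST-MD5":
            return mech
        if mech == "PLAIN":
            if cert is Cert.NONE or not plain_over_encrypted:
                continue
            if cert is Cert.VALID or allow_bad_cert_anyway:
                return mech
    return None
```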

