Hi all. I have Wildfire 3.1.0 installed. Clients can only connect to the server using secured connections. But one of my clients wrote his own sniffer for Jabber. He made a video about server hacking. See it here: http://rapidshare.com/files/12471562/-jabber.avi.html
Maybe I don't understand something… But I thought that all traffic from server to client was encrypted. Or am I wrong, and only the authorization process is encrypted?
The video is silly. At 0:37 one can see that the client did display a secure connection (closed lock next to the nickname).
At 1:34, when the "hacker" is successful, no lock is displayed, and one can see the plaintext messages also in the scrolling window - so that's not a hack.
It seems that the small program also sends a RST or something else to terminate the existing TLS connection and then filters the starttls message so one cannot create a TLS-encrypted session.
As he has full control of his own computer, he can install a hook which sniffs and modifies network packets - this is lame.
==> So Jive Software (and other Jabber client vendors) should really add a "require TLS" option in Spark (Jabber clients); better no connection than an unencrypted one.
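As an added illustration (not code from this thread, Spark or Wildfire), this is what a client-side "require TLS" policy looks like: the client inspects the server's stream features and, if starttls is missing (as it is after the filtering described above), aborts instead of falling back to plaintext authentication. Both feature stanzas are constructed samples.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed sample: features a STARTTLS-capable server sends after the stream opens.
FEATURES_WITH_TLS = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
    f'<mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
# Constructed sample: the same stanza with the <starttls/> element filtered out
# by something sitting between client and server on the local machine.
FEATURES_STRIPPED = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)


def tls_offered(features_xml: str) -> bool:
    """True if the server's stream features advertise STARTTLS."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def next_step(features_xml: str, require_tls: bool) -> str:
    """Decide how the client proceeds: 'starttls', 'abort' or 'auth-plaintext'.

    require_tls is a *local* client setting: the server's <required/> marker
    travels in the same stanza and can be filtered out just like <starttls/>,
    so the decision must not depend on it.
    """
    if tls_offered(features_xml):
        return "starttls"
    if require_tls:
        return "abort"  # better no connection than an unencrypted one
    return "auth-plaintext"  # the silent fallback the filtering relies on


if __name__ == "__main__":
    for name, xml in (("normal", FEATURES_WITH_TLS), ("stripped", FEATURES_STRIPPED)):
        print(name, "require_tls=on ->", next_step(xml, True),
              "| require_tls=off ->", next_step(xml, False))
```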
Couldn't you just configure Wildfire to require secure client connections?
At which point, his app would terminate the session and Spark wouldn't be able to reconnect until it stopped filtering the traffic to prevent an SSL connection.
As he can only break the connection of his own client, it does not matter. He could also shut down and restart the client, as he needs administrative rights on his computer to do this.