Comments (8)
Additional. To prevent overloading of servers, you could cache validation
information
for a limited (administrator defined) period of time. So, if an
account/certificate
has been validated in the last 20 minutes, then no additional validation is
needed
for individual wavelets.
Original comment by deven.phillips
on 2 Jun 2009 at 1:02
from wave-protocol.
This would be a great way to block out bots, but what if a server is hacked and
used as
a spamming server. There really needs to be a good way to have the wave-domains
re-
evaluate the server to allow it access to the waves again once it's been
cleaned. As
far I know it's almost impossible on most servers these days to get yourself
whitelisted once blacklisted.
Original comment by [email protected]
on 5 Jun 2009 at 3:24
from wave-protocol.
Folks, in XMPP the server certificates should be checked against the full trust
chain down to the root CA. Self-
signed certificates tell you nothing, so they should not be trusted. I take it
this is what deven.phillips means
by "require validation of domain certificates". It's standard XMPP.
XMPP also requires servers to stamp the sender addresses of individual users,
and for servers to check the
sending domain as well. So it's simply not possible for an entity to fake the
sender address as it is in email.
Yes, rogue servers could join the network, but they can be easily blacklisted.
Please take a little time to read RFC 3920 -- it will answer many of your
questions about XMPP security.
--stpeter
Original comment by [email protected]
on 5 Jun 2009 at 3:49
from wave-protocol.
Keep however in mind the virtual domain problems we have with SSL certificates
and
HTTP. With IPv4 the address space is not that large to give every domain a
unique IP.
SSL certificates for the server, as well for the client to authenticate are very
important on this type of protocol, because of the possible sensitive data
traveling
it. Man in the Middle shouldn't be possible with the system. With HTTP(S) it's
doable
to do MitM. So that point does need attention.
I don't like the user validation part. User validation can lead to
brute-forcing for
allowed users, which will be rather useful for spammers and crackers.
@stpeter,
The Email servers, with current SMTP protocol can also be blacklisted, on where
spammers are sending from, but that will also kill a lot of good connection. So
please be aware to not make the same mistakes we made with the SMTP protocol
and the
security of it.
Original comment by [email protected]
on 20 Jul 2009 at 4:43
from wave-protocol.
Original comment by [email protected]
on 29 Aug 2009 at 2:12
from wave-protocol.
Hello,
I'm astounded by Wave's collaboration potential, but also its immense security
risks.
One huge thing it could do from the get-go is provide for (or better mandate)
all
users/recipients on a Wave are real and legit and all group content is secure.
In
the snail mail context, this means all msg's are digitally signed and content
encrypted. In the Wave context, it could(??) mean that when joining the
conversation
one must login with strong authentication (to include smart cards), that login
has to
be validated by a 3rd trusted party (PKI, certificates), a trustworthy endnode
is
being used (be it a browser version or deep inspection), and the communication
tunnel
protected (https). Likewise, different Wave servers have to be trusted. By
making
these and other simple, common-place efforts, Wave could become a ___TRUSTED___
collaboration environment. This would reduce spam, malware, cyber-crime, and
cyber-espionage yet at the same time increase collaboration.
Kevin the Wave-newbie and DoD cyber-security engineer
Original comment by [email protected]
on 8 Apr 2010 at 5:25
from wave-protocol.
Hello again,
Might there be a better forum in which to discuss Wave security? The Google
Wave
Help forums don't seem to be the best place either.
I see great potential in Wave but it won't be adopted by major organizations
unless
it provides a trusted environment. Bolt-on security costs too much and offers
poor
protection. Wave is simple cloud model but with immense interaction at then
end-
nodes. Many fundamental solutions exist. I'd like to talk more on this
but....
where?
Kevin from spi.dod.mil
Original comment by [email protected]
on 8 Apr 2010 at 5:57
from wave-protocol.
Keven the best place to post your questions is
http://groups.google.com/group/wave-protocol/ You can post messages directly at
the
URL or subscribe to the mail list.
Also, you can find a lot of information at: http://www.waveprotocol.org/
You can start by reading the federation specification.
Original comment by [email protected]
on 8 Apr 2010 at 6:27
from wave-protocol.
Related Issues (20)
- Enhance WIAB login page HOT 1
- Allow using an external server by using a GuiceServletContextListener to register WAIB services HOT 2
- "New Wave" button on the toolbar menu (sometimes) disappears after page refresh HOT 1
- Text inside blips is not wrapped HOT 6
- Text entered into Web client is (sometimes) dropped by the server HOT 1
- Single-clicking a blip causes inline replies to appear at the end of the clicked word
- Delete key should not delete blips HOT 12
- Enable remote logging for WIAB HOT 2
- Enable Data API clients to fetch shared domain waves HOT 2
- Random shiny when entering text into blip HOT 1
- Incorrect unread blip count for "with:@sharedId" queries HOT 2
- Attempt to access wave without being participant causes shiny HOT 1
- Shiny when editing inside indented blips HOT 8
- Random shiny when when clicking on a snippet to load a wave HOT 2
- Shniy when clicking on a blip created with Data API HOT 9
- Timeout loading wavelet on server load. HOT 2
- ConversationThread.isInline is still used in some parts of the codebase
- Implement ROBOT_FOLDER_ACTION service
- Enable local robot registration
- Exception when robots appends text to a blip.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wave-protocol.