Improved authentication and security about wave-protocol HOT 8 OPEN

Additional. To prevent overloading of servers, you could cache validation 
information
for a limited (administrator defined) period of time. So, if an 
account/certificate
has been validated in the last 20 minutes, then no additional validation is 
needed
for individual wavelets.

This would be a great way to block out bots, but what if a server is hacked and 
used as 
a spamming server. There really needs to be a good way to have the wave-domains 
re-
evaluate the server to allow it access to the waves again once it's been 
cleaned. As 
far I know it's almost impossible on most servers these days to get yourself 
whitelisted once blacklisted.

Folks, in XMPP the server certificates should be checked against the full trust 
chain down to the root CA. Self-
signed certificates tell you nothing, so they should not be trusted. I take it 
this is what deven.phillips means 
by "require validation of domain certificates". It's standard XMPP.

XMPP also requires servers to stamp the sender addresses of individual users, 
and for servers to check the 
sending domain as well. So it's simply not possible for an entity to fake the 
sender address as it is in email.

Yes, rogue servers could join the network, but they can be easily blacklisted.

Please take a little time to read RFC 3920 -- it will answer many of your 
questions about XMPP security.

--stpeter

Keep however in mind the virtual domain problems we have with SSL certificates 
and
HTTP. With IPv4 the address space is not that large to give every domain a 
unique IP.

SSL certificates for the server, as well for the client to authenticate are very
important on this type of protocol, because of the possible sensitive data 
traveling
it. Man in the Middle shouldn't be possible with the system. With HTTP(S) it's 
doable
to do MitM. So that point does need attention.

I don't like the user validation part. User validation can lead to 
brute-forcing for
allowed users, which will be rather useful for spammers and crackers.

@stpeter,
The Email servers, with current SMTP protocol can also be blacklisted, on where
spammers are sending from, but that will also kill a lot of good connection. So
please be aware to not make the same mistakes we made with the SMTP protocol 
and the
security of it.

Hello,

I'm astounded by Wave's collaboration potential, but also its immense security 
risks.

One huge thing it could do from the get-go is provide for (or better mandate) 
all 
users/recipients on a Wave are real and legit and all group content is secure.  
In 
the snail mail context, this means all msg's are digitally signed and content 
encrypted.  In the Wave context, it could(??) mean that when joining the 
conversation 
one must login with strong authentication (to include smart cards), that login 
has to 
be validated by a 3rd trusted party (PKI, certificates), a trustworthy endnode 
is 
being used (be it a browser version or deep inspection), and the communication 
tunnel 
protected (https).  Likewise, different Wave servers have to be trusted.  By 
making 
these and other simple, common-place efforts, Wave could become a ___TRUSTED___ 
collaboration environment.  This would reduce spam, malware, cyber-crime, and 
cyber-espionage yet at the same time increase collaboration.

Kevin the Wave-newbie and DoD cyber-security engineer

Hello again,

Might there be a better forum in which to discuss Wave security?  The Google 
Wave 
Help forums don't seem to be the best place either.  

I see great potential in Wave but it won't be adopted by major organizations 
unless 
it provides a trusted environment.  Bolt-on security costs too much and offers 
poor 
protection.  Wave is simple cloud model but with immense interaction at then 
end-
nodes.  Many fundamental solutions exist.  I'd like to talk more on this 
but.... 
where?

Kevin from spi.dod.mil

Keven the best place to post your questions is
http://groups.google.com/group/wave-protocol/ You can post messages directly at 
the
URL or subscribe to the mail list.

Also, you can find a lot of information at: http://www.waveprotocol.org/
You can start by reading the federation specification.