Forcing Spark to check server certificates

Discussion created by huima on Feb 23, 2007

Hi guys,

I just posted comments to the Spark support-side - but realised that this would be better forum:

http://www.igniterealtime.org/forum/thread.jspa?messageID=141011&#141011

I work at a quite large university and am currently evaluating / pushing Jabber as a standardised IM, first for a small internal pilot and later on for the whole university. I've had excellent experiences with a small team using Wildfire and numerous different clients, but now that we started to look at a more serious pilot case, I stumbled upon this.

Please do correct me if I am wrong, but wouldn't the current situation make it quite trivial to do man-in-the-middle attacks towards Wildfire, if clients (including Spark) do not check certificates and quite blindly accept self-signed certificates, as happens with the default installation?

What I would like to see is that Spark would have an easy way for the user to allow self-signed certs or force checks, and an easy way to visually check that yes, this server is who it says it is, and that is guaranteed by our CA.

Any thoughts on whether that is a good idea and how it could be implemented, and/or whether I have misunderstood something completely about how to create a secure IM environment with Wildfire and Spark?
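As an added illustration of the two checks the post asks for (chain validation against a chosen CA plus host-name matching, and a fingerprint the user can compare by eye), here is a small Java client sketch. It is example code, not Spark's or Wildfire's own; the keystore path, password, server name and the legacy direct-TLS port 5223 are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
// Hypothetical helper (not Spark code): the server is accepted only if its
// certificate chains to the CA in our keystore AND its name matches the host we asked for.
public class StrictXmppTls {
    // Trust ONLY the CA certificates in the given keystore, not the JVM defaults.
    static SSLContext contextTrustingOnly(String caKeystorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(caKeystorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    // Chain validation comes from the context; the endpoint-identification setting adds
    // host-name checking, which Java does NOT do for plain sockets unless asked.
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818-style name matching
        socket.setSSLParameters(params);
        socket.startHandshake(); // SSLHandshakeException if the server is not who it claims to be
        return socket;
    }
    // SHA-256 fingerprint of the leaf certificate, shown to the user so it can be
    // compared with the value published by the CA / IT department.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
    public static void main(String[] args) throws Exception {
        // Assumed values: keystore holding the university CA, and the XMPP server name/port.
        SSLContext ctx = contextTrustingOnly("university-ca.jks", "changeit".toCharArray());
        try (SSLSocket s = connect(ctx, "jabber.example.edu", 5223)) {
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("Server certificate fingerprint: " + fingerprint(leaf));
        }
    }
}
```

With a default-installation self-signed certificate the handshake fails at `startHandshake()`, which is the "force checks" behaviour; allowing such a certificate would mean deliberately importing it into the trust keystore rather than disabling validation.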
