On 01/24/2011 01:05 PM, Ben Bucksch wrote:
No, actually, that would be a security bug. XMPP (better known as
"Jabber", "Google Talk" etc.) uses DNS SRV lookups to find the hostname
of a server. For the user, the connection just goes to "foo.com". We
make a DNS SRV lookup of _xmpp-client._tcp.foo.com, and find "5 0 5222
jabber.bar.com", so we connect to jabber.bar.com:5222. Yet, the SSL cert
of the server is for "foo.bar", because that's what the user originally
wanted to connect to. This is how SSL is intended to be used, and how
XMPP works, and how all the servers are set up.
That makes a lot of sense.
It does seem odd that the NSS API doesn't allow script to do something
that an active network attacker could possibly achieve by modifying DNS
responses.
- Marsh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
