default disallow HTTP

Issue #3 new
frank lin
created an issue

Would it be prudent to disallow HTTP by default, requiring the user to explicitly consent by ticking a box or two?

ref: inherent insecurity of HTTP. Your user's traffic is not encrypted if Z-XMPP is used over HTTP. Use only HTTPS wherever you implement Z-XMPP, or make sure your users are aware that they are using an insecure communications channel.

Comments (1)

  1. Ivan Vučica (repo owner)

    I consider ZXMPP to be more of a library than an actual end-user-facing client. It just happens to have session serialization facilities that happened to be easy to use.

    One of the installations where I use ZXMPP (and the reason why I wrote it) performs automatic user login using one-time passwords printed directly into HTML. It's, of course, secured over HTTPS. These passwords are expired very quickly.

    This is the primary installation of ZXMPP that I know of, and the primary installation of ZXMPP that happens to use the same bar-type UI shipping with ZXMPP. (I have several other demonstration services that use ZXMPP, although they could just as easily use strophe.)

    So the only place such a checkbox would make sense, in relation to ZXMPP, is in demo.php, which itself (as evidenced by its poor UI) is not meant to be exposed to end-users.

    Is there a particular place that you have in mind where you would add the checkbox? Is there a specific reason why you think adding it there would be prudent?

    Of course, if you also happen to have a specific patch that implements this, I will be happy to accept a (good) pull request. :-)

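One way to implement what the issue asks for, as an added example that is not Z-XMPP's own code: a guard that the library (or an application embedding it) can run on the BOSH/WebSocket endpoint before connecting. Plaintext `http:`/`ws:` endpoints are refused unless the caller passes an explicit opt-in, which is what a consent checkbox in a UI such as demo.php would set. The function and error names (`checkConnectionUrl`, `InsecureTransportError`) are hypothetical; nothing here reflects Z-XMPP's actual API.

```javascript
// Added example (not Z-XMPP's own code): refuse plaintext transports
// unless the caller explicitly opts in. Names are hypothetical.
// Uses the WHATWG URL class (built into browsers and Node.js).

class InsecureTransportError extends Error {
  constructor(url) {
    super(`Refusing plaintext transport ${url}; traffic would not be encrypted. ` +
          `Pass { allowInsecure: true } to override.`);
    this.name = 'InsecureTransportError';
  }
}

const SECURE_SCHEMES = new Set(['https:', 'wss:']);
const PLAINTEXT_SCHEMES = new Set(['http:', 'ws:']);

/**
 * Validate a connection URL before handing it to the transport layer.
 *
 * @param {string} rawUrl   absolute URL, or a relative path such as "/http-bind"
 * @param {object} options
 * @param {boolean} options.allowInsecure  must be literally `true` (e.g. a
 *        checkbox's `.checked`) to permit http:/ws:; strings like "true" do
 *        not count, so a stray form value cannot silently downgrade security
 * @param {string}  options.base  base URL used to resolve relative paths
 *        (in a browser, typically `window.location.href`); a page served over
 *        plain HTTP therefore resolves "/http-bind" to an http: endpoint and
 *        is blocked, which is exactly the case the issue is about
 * @returns {{url: string, secure: boolean}} normalised URL and whether it is encrypted
 */
function checkConnectionUrl(rawUrl, options = {}) {
  const { allowInsecure = false, base } = options;

  let parsed;
  try {
    // URL parsing lowercases the scheme, so "HTTP://..." cannot slip past
    // a case-sensitive comparison.
    parsed = base ? new URL(rawUrl, base) : new URL(rawUrl);
  } catch (e) {
    throw new TypeError(`Invalid connection URL: ${rawUrl}`);
  }

  if (SECURE_SCHEMES.has(parsed.protocol)) {
    return { url: parsed.href, secure: true };
  }

  if (PLAINTEXT_SCHEMES.has(parsed.protocol)) {
    if (allowInsecure === true) {
      return { url: parsed.href, secure: false };
    }
    throw new InsecureTransportError(parsed.href);
  }

  throw new TypeError(`Unsupported scheme ${parsed.protocol} in ${rawUrl}`);
}

module.exports = { checkConnectionUrl, InsecureTransportError };
```

In a page like demo.php the call would be something along the lines of `checkConnectionUrl(endpointField.value, { allowInsecure: allowHttpCheckbox.checked, base: window.location.href })`, and the returned `secure` flag can drive a visible "this connection is unencrypted" warning when the user has opted in. The strict `=== true` comparison is deliberate: it keeps the default at "disallow" unless the embedding application states the opposite unambiguously.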