Avoid sending the "from" JID before starttls (#154)
Unknown opened 2 years ago

Is your feature request related to a problem? Please describe.
No, but it would increase user privacy.

When establishing an initial connection to an XMPP server, the following is sent without encryption when a client executes the XmppClient.login() method:

<stream to="[server]" from="[user_jid]" ...>

The user's JID is exposed prior to the starttls proceeding and is visible to a passive network observer.

Describe the solution you'd like
Restrict sending of from="[user_jid]" before starttls has occurred.

Describe alternatives you've considered
I have not identified alternatives. I do not see a way to control whether or not from is sent prior to starttls.

Additional context
The Snikket iOS app was used to test, which is based on Siskin. Both appear to use the "Martin" XMPP library, so I hope this is the right place for this feature request.

Unknown commented 2 years ago

Snikket is using an older version of the Martin library, which was named TigaseSwift back then.

The current version of the Martin XMPP library has a flag to enable see-other-host (the useSeeOtherHost property in the connectionConfiguration property of the XMPPClient instance), which, when set to false, will force Martin to stop sending the from attribute in the stream opening.

Example:

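import Martin
let client = XMPPClient()
// Disable see-other-host so that Martin stops sending "from" in the stream opening
client.connectionConfiguration.useSeeOtherHost = false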
Reference
tigase/_libraries/Martin#154
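
One way to verify the setting on the wire, as an added example that is not part of the original issue or the Martin project: given the client-to-server bytes of a plaintext capture, it lists every from value sent before the STARTTLS request. The function names and the sample captures (example.org, alice) are constructed for illustration.

```python
import re

# Opening tag of an XMPP stream header. It is never closed within the capture,
# so a strict XML parser would reject it; a tolerant regex is used instead.
# Both <stream:stream ...> (RFC 6120) and the issue's shorthand <stream ...> match.
STREAM_OPEN = re.compile(rb"<(?:stream:)?stream(?=[\s>])([^>]*)>")
ATTR = re.compile(rb"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
STARTTLS = re.compile(rb"<starttls\b")


def stream_attrs(tag_body: bytes) -> dict:
    """Return the attributes of one stream header as a str -> str dict."""
    attrs = {}
    for name, dq, sq in ATTR.findall(tag_body):
        attrs[name.decode()] = (dq or sq).decode("utf-8", "replace")
    return attrs


def pre_tls_from_leaks(client_bytes: bytes) -> list:
    """List every 'from' value the client sent before requesting STARTTLS.

    client_bytes is the client-to-server half of a plaintext capture. If no
    <starttls/> request is present, the whole capture was sent in the clear.
    """
    m = STARTTLS.search(client_bytes)
    plaintext = client_bytes[: m.start()] if m else client_bytes
    leaks = []
    for header in STREAM_OPEN.finditer(plaintext):
        attrs = stream_attrs(header.group(1))
        if attrs.get("from"):
            leaks.append(attrs["from"])
    return leaks


# Constructed captures: example.org and alice are placeholder values.
LEAKY = (b"<?xml version='1.0'?><stream:stream to='example.org' "
         b"from='alice@example.org' version='1.0' xmlns='jabber:client' "
         b"xmlns:stream='http://etherx.jabber.org/streams'>"
         b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
QUIET = LEAKY.replace(b"from='alice@example.org' ", b"")

if __name__ == "__main__":
    print("leaky:", pre_tls_from_leaks(LEAKY))
    print("quiet:", pre_tls_from_leaks(QUIET))
```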