[Telepathy] telepathy-gabble and authenticated SOCKS5 proxy

Robert McQueen robert.mcqueen at collabora.co.uk
Mon Jun 29 12:10:59 PDT 2009


Hi John,

webm0nk3y at gmail.com wrote:
> I am still digesting the complexities of how SOCKS5 proxies for
> bytestreams are negotiated.
> I am working on determining if I can use a private proxy server in this
> context and restrict the proxy server's use.
> 
> Authentication is the only way I could think of.

Take a look at part 4.4 of XEP-0065, particularly Example 9. The step
where the XMPP client asks the S5B proxy over XMPP for its network
address is allowed to return a <forbidden/> error if the requesting
client is not allowed to use the proxy.

This means the proxy can have a whitelist of JIDs or servers which it
will relay for, and refuse the others. You could therefore, e.g., allow any
JID on your server, and anyone on any other server who has registered
for the service (and you've authenticated their JID, e.g. by IMing them a
URL).

This works as far as you trust the XMPP servers you've federated with to
not monkey with you for free relaying. You can also apply whatever
limits you want on the servers you consider trustworthy enough, e.g.
maintain a whitelist, or only allow federation with servers that use TLS
for S2S, or start out with totally open federation (using DNS dialback)
and look into locking it down further if it becomes a problem.

Regards,
Rob

-- 
Robert McQueen                                 +44 7876 562 564
Director, Collabora Ltd.             http://www.collabora.co.uk
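The proxy-side check Rob describes, as an added example that is not part of the original thread and not telepathy-gabble or any real S5B proxy's code: it takes the requester's streamhost-discovery IQ, decides from the stanza's 'from' JID whether the sender is on the proxy's own server or on the list of registered remote JIDs, and answers either with the proxy's <streamhost/> or with a <forbidden/> error. The proxy JID, its host and port, the two whitelists and the sample IQs are all constructed for the example.

```python
"""Authorization at the XEP-0065 streamhost discovery step (added example).

Not telepathy-gabble code. PROXY_JID/PROXY_HOST/PROXY_PORT, the whitelists
and the sample stanzas below are assumptions made for the example.
"""
import xml.etree.ElementTree as ET

NS_S5B = "http://jabber.org/protocol/bytestreams"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Hypothetical proxy identity and network address.
PROXY_JID = "proxy.example.org"
PROXY_HOST = "192.0.2.10"
PROXY_PORT = 7777

# Constructed policy: any JID on our own server, plus remote JIDs that
# registered for the service and whose JID we verified out of band.
ALLOWED_DOMAINS = frozenset({"example.org"})
REGISTERED_JIDS = frozenset({"alice@example.com"})


def bare_jid(jid):
    """Strip the resource: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0]


def jid_domain(jid):
    """Domain part of a JID; a bare domain (server/component) is its own domain."""
    return bare_jid(jid).rpartition("@")[2]


def is_authorized(jid, allowed_domains=ALLOWED_DOMAINS, registered=REGISTERED_JIDS):
    """Policy decision for a requester JID.

    Only meaningful because the XMPP server stamps 'from' on routed stanzas;
    for remote JIDs that guarantee is only as good as the federation you
    accept, which is the caveat in the thread.
    """
    bare = bare_jid(jid).lower()  # simplified case-folding, not full stringprep
    return jid_domain(bare) in allowed_domains or bare in registered


def handle_discovery(iq_xml, allowed_domains=ALLOWED_DOMAINS, registered=REGISTERED_JIDS):
    """Answer a client's streamhost discovery <iq type='get'/>.

    Returns (decision, response_xml), decision being 'result' or 'forbidden'.
    Raises ValueError for stanzas that are not a bytestreams discovery request.
    """
    iq = ET.fromstring(iq_xml)
    query = iq.find(f"{{{NS_S5B}}}query")
    if iq.tag.rpartition("}")[2] != "iq" or iq.get("type") != "get" or query is None:
        raise ValueError("not a bytestreams discovery request")
    sender = iq.get("from")
    if not sender:
        raise ValueError("missing 'from'; refuse rather than guess the requester")

    resp = ET.Element("iq", {"from": PROXY_JID, "to": sender, "id": iq.get("id", "")})
    resp_query = ET.SubElement(resp, f"{{{NS_S5B}}}query")
    if is_authorized(sender, allowed_domains, registered):
        # Allowed: hand back the proxy's network address as a streamhost.
        resp.set("type", "result")
        ET.SubElement(resp_query, f"{{{NS_S5B}}}streamhost",
                      {"jid": PROXY_JID, "host": PROXY_HOST, "port": str(PROXY_PORT)})
        decision = "result"
    else:
        # Refused: <forbidden/> stanza error, error type 'auth'.
        resp.set("type", "error")
        err = ET.SubElement(resp, "error", {"type": "auth"})
        ET.SubElement(err, f"{{{NS_STANZAS}}}forbidden")
        decision = "forbidden"
    return decision, ET.tostring(resp, encoding="unicode")


# Constructed sample requests, as the proxy would receive them from its server.
LOCAL_REQUEST = (
    "<iq type='get' from='bob@example.org/laptop' to='proxy.example.org' id='d1'>"
    "<query xmlns='http://jabber.org/protocol/bytestreams'/></iq>"
)
REGISTERED_REQUEST = (
    "<iq type='get' from='alice@example.com/home' to='proxy.example.org' id='d2'>"
    "<query xmlns='http://jabber.org/protocol/bytestreams'/></iq>"
)
STRANGER_REQUEST = (
    "<iq type='get' from='mallory@example.net/x' to='proxy.example.org' id='d3'>"
    "<query xmlns='http://jabber.org/protocol/bytestreams'/></iq>"
)

if __name__ == "__main__":
    for req in (LOCAL_REQUEST, REGISTERED_REQUEST, STRANGER_REQUEST):
        decision, reply = handle_discovery(req)
        print(decision, reply, sep="\n", end="\n\n")
```

Discovery is only the first gate: a requester that already knows the proxy's host and port can still open the SOCKS5 connection, and in XEP-0065 the proxy does not relay until the requester sends it an activation IQ, so the same policy should be applied there too. The domain check is also only as trustworthy as the 'from' stamping of the servers you federate with, which is the point of the last paragraph of the reply.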

