Seth Godin has this truly wonderful blog which is always very interesting to read and this piece advice is true gold.
Tuesday, July 31, 2007
Wednesday, July 18, 2007
In my previous post here about XMPP I had linked to a blog (here) that describes the X-GOOGLE-TOKEN mechanism of authentication. dJOEk asks a question "Why does Google use a proprietary authentication mechanism" and then goes on to make a point about how X-GOOGLE-TOKEN could be one of the first steps twoards a Single Sign On solution from Google. This point of view has received a lot of coverage with a several people commenting about the merits of this idea or its feasibility.
I have recently noticed another possible reason for X-GOOGLE-TOKEN to be made available and this is what I am putting forth here -
I had written in my blog that when I tried to sniff out the conversation between Google Talk and the server using Ethereal I found that it was using TLS and not X-GOOGLE-TOKEN and therefore all conversation was encrypted. Several people have since asked for ways around this but the whole point of TLS is to prevent such sniffing and decryption is practically (at least to me) impossible.
Since then my current company has installed an auditing software (I know :-() for compliance reasons and interestingly Google Talk is back to using X-GOOGLE-TOKEN. When using X-GOOGLE-TOKEN only the authentication part goes over TLS while the rest of the conversation does not which means that conversations are in plain text and can be intercepted, audited and archived. So, another possible reason for supporting a different authentication mechanism could be to be able to support auditing and monitoring software?