possible XMPP SASL bug?
Joe Hildebrand
joe.hildebrand at webex.com
Mon May 3 19:37:13 UTC 2010
On 5/3/10 8:05 AM, "Evan Schoenberg, M.D." <evan at adium.im> wrote:
> Ah. Your problem is not with trying multiple SASL mechs but rather that we
> have to use jabber:iq:auth even if SASL fails entirely.
Yes.
> A long and detailed discussion of this is found at
> http://trac.adium.im/ticket/8108 - please see
> http://trac.adium.im/ticket/8108#comment:15 and the two following comments, in
> particular.
This points out a downgrade attack that Adium is currently subject to.
Right now, Adium will try to send the server the plaintext password, even if
the server doesn't want it. All I have to do as an attacker to get your
password is contrive a transient login failure through the mechanisms that
the server supports.
I agree that this situation is poorly documented in the standards, and even
more poorly implemented in the servers (seeing as how few of them send the
iq:auth stream feature as XEP-78 requires).
The suggested approach of forcing the user to click an "old-style auth"
button on this account is probably the best we can do. Note: the default
should be the new standard: SASL.
--
Joe Hildebrand
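The fallback logic at issue in this thread, as an added example that is not Adium's code and not part of the original message: a client receives the server's stream features, attempts SASL, and must decide what to do when SASL fails. The two policy functions contrast the behaviour described above (drop to jabber:iq:auth after any SASL failure, so a contrived transient failure extracts the plaintext password) with the suggested fix (SASL by default, legacy iq:auth only when the user has explicitly enabled "old-style auth" for the account). The stream-features XML, the `sasl_failed` flag and the `allow_legacy_auth` setting are constructed for the example; the `http://jabber.org/features/iq-auth` namespace is the one XEP-0078 defines for the stream feature.

```python
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_IQ_AUTH = "http://jabber.org/features/iq-auth"  # XEP-0078 stream feature

# Constructed stream features: a server offering SASL and also advertising
# legacy iq:auth (few servers actually send the latter, per the thread).
FEATURES_XML = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
  <auth xmlns="http://jabber.org/features/iq-auth"/>
</stream:features>"""

# Constructed features as an on-path attacker might present them: the SASL
# offer has been removed entirely, leaving only the legacy feature.
FEATURES_STRIPPED_XML = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <auth xmlns="http://jabber.org/features/iq-auth"/>
</stream:features>"""


def parse_features(xml_text):
    """Return the SASL mechanisms offered and whether iq:auth is advertised."""
    root = ET.fromstring(xml_text)
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    legacy = root.find(f"{{{NS_IQ_AUTH}}}auth") is not None
    return {"sasl_mechanisms": mechs, "iq_auth_advertised": legacy}


def next_step_vulnerable(features, sasl_failed):
    """The behaviour the thread describes: any SASL failure, or no SASL offer
    at all, leads straight to jabber:iq:auth and a plaintext password."""
    if features["sasl_mechanisms"] and not sasl_failed:
        return "sasl"
    return "iq-auth"


def next_step_hardened(features, sasl_failed, allow_legacy_auth=False):
    """Suggested fix: SASL is the default; legacy auth needs an explicit,
    per-account opt-in (the 'old-style auth' button), never an automatic
    fallback. Without opt-in, a SASL failure or a missing SASL offer aborts
    the login instead of revealing the password."""
    if features["sasl_mechanisms"] and not sasl_failed:
        return "sasl"
    if allow_legacy_auth:
        return "iq-auth"
    return "abort"


def sends_plaintext_password(step):
    """True when the chosen step puts the raw password on the wire."""
    return step == "iq-auth"


if __name__ == "__main__":
    normal = parse_features(FEATURES_XML)
    stripped = parse_features(FEATURES_STRIPPED_XML)
    for name, feats in (("normal", normal), ("stripped", stripped)):
        for failed in (False, True):
            v = next_step_vulnerable(feats, failed)
            h = next_step_hardened(feats, failed)
            print(f"{name:8} sasl_failed={failed!s:5} vulnerable={v:8} hardened={h}")
```

Run as-is, the script shows that the vulnerable policy emits the plaintext password in every case except a clean SASL success, while the hardened policy never does so unless `allow_legacy_auth` is set for the account.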
More information about the devel mailing list