possible XMPP SASL bug?
Joe Hildebrand
joe.hildebrand at webex.com
Mon May 3 21:40:29 UTC 2010
On 5/3/10 2:52 PM, "Paul Aurich" <paul at darkrain42.org> wrote:
> Maybe I'm missing something, but couldn't an attacker just swap out all
> the advertised mechanisms for PLAIN and get a plaintext password the
> same way?
Yes. Good point. TLS with good certs FTW.
> FWIW, even though libpurple was/is in violation of XEP-78, the server's
> response could be better, too:
>
> "If the server does not support non-SASL authentication (e.g., because
> it supports only SASL authentication as defined in RFC 3920), it MUST
> return a <service-unavailable/> error. If the client previously
> attempted SASL authentication but that attempt failed, the server MUST
> return a <policy-violation/> stream error (see RFC 3920 regarding stream
> error syntax)."
+1, but that's difficult in this server, since the XEP-78 code isn't even
loaded, and having code loaded just to send this error will be difficult for
me to get into production.
--
Joe Hildebrand
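The client-side half of the mitigation discussed above (refuse PLAIN unless the stream is already protected by TLS with a verified certificate, so stripping the stronger mechanisms from the advertisement gains an attacker nothing) as an added example; this is not libpurple code or the server code from the thread, and the preference order is an assumption.

```python
"""Client-side SASL mechanism selection that resists a downgrade to PLAIN.

Added example, not code from the thread. Mechanism names are the IANA SASL
names; the preference order below is an assumption.
"""

# Strongest first. PLAIN is last and only acceptable on a stream that is
# already protected by TLS with a verified certificate.
PREFERENCE = ("SCRAM-SHA-1", "DIGEST-MD5", "PLAIN")


def choose_mechanism(advertised, tls_verified):
    """Return the mechanism to use, or None if nothing acceptable was offered.

    advertised   -- names from the server's <mechanisms/> stream feature
    tls_verified -- True only if STARTTLS completed and the cert chain verified
    """
    # SASL mechanism names are registered in upper case; normalise defensively.
    offered = {m.upper() for m in advertised}
    for mech in PREFERENCE:
        if mech not in offered:
            continue
        if mech == "PLAIN" and not tls_verified:
            # An active attacker can replace the whole list with PLAIN; without
            # TLS that would hand the password over in clear, so skip it.
            continue
        return mech
    return None


def downgrade_suspected(advertised, tls_verified):
    """True when only PLAIN is offered on an unprotected stream.

    Worth logging: a server that normally offers SCRAM or DIGEST-MD5 but
    suddenly advertises only PLAIN without TLS looks like a stripped list.
    """
    offered = {m.upper() for m in advertised}
    return offered == {"PLAIN"} and not tls_verified


if __name__ == "__main__":
    # Constructed sample advertisements for a quick manual run.
    print(choose_mechanism(["PLAIN", "DIGEST-MD5", "SCRAM-SHA-1"], False))
    print(choose_mechanism(["PLAIN"], False), downgrade_suspected(["PLAIN"], False))
```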