Another entry in the internet security hall of shame....

Alaric Dailey alaricd at pengdows.com
Wed Aug 24 15:50:38 EDT 2005


Tim Dierks wrote:

>[resending due to e-mail address / cryptography list membership issue]
>
>On 8/24/05, Ian G <iang at systemics.com> wrote:
>
>>Once you've configured iChat to connect to the Google Talk service, you may
>>receive a warning message that states your username and password will be
>>transferred insecurely. This error message is incorrect; your username and
>>password will be safely transferred.
>
>iChat pops up the warning dialog whenever the password is sent to the
>server, rather than used in a hash-based authentication protocol.
>However, it warns even if the password is transmitted over an
>authenticated SSL connection.
>
>I'll leave it to you to decide if this is:
> - an iChat bug
> - a Google security problem
> - in need of better documentation
> - all of the above
> - none of the above
>
> - Tim

Judging by the log (captured using Trillian), Google Talk is using TLS, 
thus the Legacy SSL support isn't there, but plain text authentication is ok.

[14:23] *** Creating connection "alaricd at gmail.com/Trillian"
[14:23] *** Server supports TLS encryption...
[14:23] *** Negotiating XMPP SSL connection...
[14:23] *** Connection established using EDH-RSA-DES-CBC3-SHA (TLSv1/SSLv3)
[14:24] *** Attempting to authenticate using PLAIN
[14:24] *** Authenticated.
[14:24] *** You have successfully connected to Jabber.

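An added example, not part of the original message or of any client's code: it parses the Trillian log lines quoted above and contrasts the warning rule Tim Dierks attributes to iChat (warn whenever the password itself is sent) with a rule that also checks whether TLS was established first. The regular expressions, function names and the second log are constructed for illustration.

```python
import re

# Relevant lines of the Trillian log quoted in the message above.
PAGE_LOG = """\
[14:23] *** Server supports TLS encryption...
[14:23] *** Negotiating XMPP SSL connection...
[14:23] *** Connection established using EDH-RSA-DES-CBC3-SHA (TLSv1/SSLv3)
[14:24] *** Attempting to authenticate using PLAIN
[14:24] *** Authenticated.
"""

# Constructed sample: same log format, but PLAIN is used with no TLS set up.
CLEARTEXT_LOG = """\
[09:01] *** Attempting to authenticate using PLAIN
[09:01] *** Authenticated.
"""

# SASL mechanisms that put the password itself on the wire.
PASSWORD_ON_WIRE = {"PLAIN", "LOGIN"}

TLS_RE = re.compile(r"Connection established using (\S+) \((\S+)\)")
AUTH_RE = re.compile(r"Attempting to authenticate using (\S+)")


def parse_session(log):
    """Return the cipher seen before authentication (or None) and the mechanism."""
    cipher = mech = None
    for line in log.splitlines():
        # Only TLS negotiated before the auth attempt protects the password.
        if (m := TLS_RE.search(line)) and mech is None:
            cipher = m.group(1)
        elif m := AUTH_RE.search(line):
            mech = m.group(1).upper()
    return {"cipher": cipher, "mechanism": mech}


def mechanism_only_warning(session):
    """Rule described for iChat: warn whenever the password is sent as-is."""
    return session["mechanism"] in PASSWORD_ON_WIRE


def transport_aware_warning(session):
    """Warn only when the password is sent and no TLS was established first."""
    return session["mechanism"] in PASSWORD_ON_WIRE and session["cipher"] is None


if __name__ == "__main__":
    for name, log in (("page log", PAGE_LOG), ("constructed", CLEARTEXT_LOG)):
        s = parse_session(log)
        print(name, s, mechanism_only_warning(s), transport_aware_warning(s))
```

The log records the negotiated cipher suite but not whether the server certificate was verified, so a client applying the second rule would also need that result before suppressing the warning.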
