Another entry in the internet security hall of shame....

Peter Saint-Andre stpeter at jabber.org
Wed Aug 24 16:55:40 EDT 2005


Tim Dierks wrote:
> [resending due to e-mail address / cryptography list membership issue]
> 
> On 8/24/05, Ian G <iang at systemics.com> wrote:
> 
>>Once you've configured iChat to connect to the Google Talk service, you may
>>receive a warning message that states your username and password will be
>>transferred insecurely. This error message is incorrect; your username and
>>password will be safely transferred.
> 
> 
> iChat pops up the warning dialog whenever the password is sent to the
> server, rather than used in a hash-based authentication protocol.
> However, it warns even if the password is transmitted over an
> authenticated SSL connection.
> 
> I'll leave it to you to decide if this is:
>  - an iChat bug
>  - a Google security problem
>  - in need of better documentation
>  - all of the above
>  - none of the above

It seems Google is assuming that SASL PLAIN is acceptable once you've 
completed STARTTLS on port 5222 (or if you've connected via SSL on the 
old-style port 5223). Decide for yourself if that's "secure" and whether 
the iChat warning is justified.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
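The policy Peter describes, with the client making the decision rather than the user, as an added example that is not part of the thread: a small Python client-side check that parses the XMPP stream features a server advertises, negotiates STARTTLS first when offered, and sends SASL PLAIN (the base64 `authzid NUL authcid NUL password` form from RFC 4616) only once the stream is TLS-protected, preferring a hash or challenge-response mechanism when one is offered. The stream-features XML is constructed sample data, and the mechanism preference order is an assumption for illustration (SCRAM did not exist in 2005; DIGEST-MD5 was the hash-based option then).

```python
import base64
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample stream features, as a server might send them on port 5222.
FEATURES_BEFORE_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""

FEATURES_AFTER_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

# A server that offers PLAIN on a cleartext stream with no STARTTLS at all.
FEATURES_PLAIN_NO_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

# A cleartext stream that also offers a challenge-response mechanism.
FEATURES_DIGEST_NO_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

# Assumed preference order: mechanisms that never reveal the password first.
PREFERRED = ["SCRAM-SHA-256", "SCRAM-SHA-1", "DIGEST-MD5", "PLAIN"]


def parse_features(xml_text):
    """Return (server_offers_starttls, [SASL mechanism names])."""
    root = ET.fromstring(xml_text)
    offers_starttls = root.find(f"{{{NS_TLS}}}starttls") is not None
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    return offers_starttls, mechs


def choose_next_step(xml_text, tls_active):
    """Decide what the client does next: ('starttls', None), ('auth', mech) or ('refuse', reason)."""
    offers_starttls, mechs = parse_features(xml_text)
    # Always upgrade the stream before authenticating when the server allows it.
    if not tls_active and offers_starttls:
        return ("starttls", None)
    for mech in PREFERRED:
        if mech in mechs:
            if mech == "PLAIN" and not tls_active:
                # This is the case the iChat dialog warns about, and here it is justified.
                return ("refuse", "PLAIN offered without TLS: password would be sent in the clear")
            return ("auth", mech)
    return ("refuse", "no acceptable SASL mechanism offered")


def sasl_plain_initial_response(username, password, authzid=""):
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, base64-encoded."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_element(mechanism, initial_response):
    """The <auth/> stanza the client sends once the policy above permits it."""
    return f'<auth xmlns="{NS_SASL}" mechanism="{mechanism}">{initial_response}</auth>'


if __name__ == "__main__":
    print(choose_next_step(FEATURES_BEFORE_TLS, tls_active=False))
    print(choose_next_step(FEATURES_AFTER_TLS, tls_active=True))
    print(choose_next_step(FEATURES_PLAIN_NO_TLS, tls_active=False))
    print(choose_next_step(FEATURES_DIGEST_NO_TLS, tls_active=False))
    print(auth_element("PLAIN", sasl_plain_initial_response("juliet", "s3cr3t")))
```

The decision hinges on `tls_active`, which a real client would set only after the TLS handshake completes and the server certificate has been validated against the expected domain; a client that cannot distinguish "PLAIN over verified TLS" from "PLAIN over cleartext" is left with exactly the blanket warning Tim describes.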