Another entry in the internet security hall of shame....

Trei, Peter ptrei at rsasecurity.com
Thu Aug 25 09:42:47 EDT 2005



> -----Original Message-----
> From: owner-cryptography at metzdowd.com
> [mailto:owner-cryptography at metzdowd.com]On Behalf Of Peter Saint-Andre
> Sent: Wednesday, August 24, 2005 4:56 PM
> To: cryptography at metzdowd.com
> Subject: Re: Another entry in the internet security hall of shame....
> 
> 
> Tim Dierks wrote:
> > [resending due to e-mail address / cryptography list membership issue]
> > 
> > On 8/24/05, Ian G <iang at systemics.com> wrote:
> > 
> >> Once you've configured iChat to connect to the Google Talk service, you may
> >> receive a warning message that states your username and password will be
> >> transferred insecurely. This error message is incorrect; your username and
> >> password will be safely transferred.
> > 
> > 
> > iChat pops up the warning dialog whenever the password is sent to the
> > server, rather than used in a hash-based authentication protocol.
> > However, it warns even if the password is transmitted over an
> > authenticated SSL connection.
> > 
> > I'll leave it to you to decide if this is:
> >  - an iChat bug
> >  - a Google security problem
> >  - in need of better documentation
> >  - all of the above
> >  - none of the above
> 
> It seems Google is assuming that SASL PLAIN is acceptable once you've
> completed STARTTLS on port 5222 (or if you've connected via SSL on the
> old-style port 5223). Decide for yourself if that's "secure" and whether
> the iChat warning is justified.
> 
> Peter
> 
> -- 
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.shtml

Ironically, Peter's message above kicked off warning dialogs from MS Outlook,
since it was signed using a keypair signed with Peter's own self-signed root,
which was not in MSO's list of trusted roots.

Self-signed certs are only useful for showing that a given
set of messages are from the same source - they don't provide
any trustworthy information as to the binding of that source
to anything.

Peter Trei
(not digitally signed, and not pretending to be)
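The two points in this exchange (SASL PLAIN is only as safe as the channel it rides on, and a self-signed certificate proves continuity but not identity) can be made concrete in code. The following is an added example, not code from any message in this thread or from iChat, Google Talk or any XMPP library: it builds and decodes the SASL PLAIN initial response as RFC 4616 defines it, and then applies a client-side policy that accepts PLAIN only when the stream is encrypted *and* the server certificate has been verified against a trusted root with a matching hostname. The `Channel` dataclass is a hypothetical model of the stream's security state, not a real API; the mechanism names are real SASL mechanism names (DIGEST-MD5 is the hash-based mechanism in use when this thread was written; SCRAM came later).

```python
"""Added example: SASL PLAIN framing (RFC 4616) plus a client-side policy for
when PLAIN is acceptable over an XMPP stream. Not from the thread or any library."""
import base64
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def encode_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build the base64 SASL PLAIN initial response: [authzid] NUL authcid NUL passwd.
    The password is only base64-encoded, not protected: on an unencrypted stream
    these are exactly the bytes a passive observer would see."""
    msg = (authzid.encode("utf-8") + b"\0"
           + authcid.encode("utf-8") + b"\0"
           + password.encode("utf-8"))
    return base64.b64encode(msg).decode("ascii")


def decode_plain(initial_response: str) -> Tuple[str, str, str]:
    """Inverse of encode_plain; demonstrates that 'encoded' is not 'encrypted'."""
    parts = base64.b64decode(initial_response).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


@dataclass(frozen=True)
class Channel:
    """Hypothetical model of the XMPP stream's security state when SASL begins."""
    tls_established: bool   # STARTTLS completed on 5222, or legacy SSL on 5223
    cert_verified: bool     # server cert chains to a root in the client's trust store
    hostname_matches: bool  # cert subject/SAN names the domain the client intended


# Mechanisms that send a proof derived from the password rather than the
# password itself, in order of preference.
CHALLENGE_RESPONSE = ("SCRAM-SHA-1", "DIGEST-MD5")


def choose_mechanism(offered: Sequence[str], ch: Channel) -> Tuple[Optional[str], str]:
    """Pick a SASL mechanism, or refuse with a reason a client could show the user.

    The refusal reasons correspond to the situations in which a warning like
    iChat's would be justified: PLAIN over cleartext, or PLAIN over TLS whose
    peer certificate is self-signed or otherwise untrusted (encrypted, but to
    an unverified party)."""
    for mech in CHALLENGE_RESPONSE:
        if mech in offered:
            return mech, "password never leaves the client in the clear"
    if "PLAIN" not in offered:
        return None, "no acceptable mechanism offered"
    if not ch.tls_established:
        return None, "PLAIN refused: stream is not encrypted"
    if not (ch.cert_verified and ch.hostname_matches):
        # Encrypted but unauthenticated: an untrusted or self-signed cert shows
        # only that this is the same key as before, not who holds it.
        return None, "PLAIN refused: server identity not established"
    return "PLAIN", "PLAIN accepted: sent only inside an authenticated TLS session"


if __name__ == "__main__":
    # Constructed sample credentials and channel states.
    wire = encode_plain("alice", "s3cret")
    print("on the wire:", wire, "->", decode_plain(wire))
    for label, ch in [
        ("cleartext 5222", Channel(False, False, False)),
        ("TLS, self-signed root", Channel(True, False, True)),
        ("TLS, trusted CA", Channel(True, True, True)),
    ]:
        print(f"{label:24s}", choose_mechanism(["PLAIN"], ch))
```

Running it shows the same password recovered from the "encoded" response, PLAIN refused on the cleartext and self-signed-root channels, and PLAIN accepted only on the fully verified one; offering DIGEST-MD5 on any channel makes the policy prefer it over PLAIN.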




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com