[JDEV] MSNP8 Security Enhancement

harmeet_im at kodemuse.com
Thu Sep 11 19:45:03 CDT 2003


Pre-MSNP8 authentication was based on the client computing a secure hash
and sending it to the server, but the new SSL authentication requires
you to send the password over SSL, i.e. the password is actually sent
to one of n servers. This appears (to me) to actually reduce security.

- Password is sent to a remote location.
- If the password is relayed from the destination SSL server to one or more
  upstream servers, my password (not an obfuscated hash) is sent to more
  nodes.
- SSL is prone to man-in-the-middle attack. So one can insert an SSL
  server that appears to be the destination. This can be done if the
  DNS is compromised. (This could be done at network level, hosts file,
  etc.) SSL on the client side may verify the destination server's identity
  against a truststore, but that is vulnerable too. :-( If the SSL
  server can be mimicked, basically the attacker can create a proxy,
  appear like the real destination and slurp all passwords. My point
  is that MS has actually reduced security by forcing people to send
  their password over the network instead of a hash of the password.

Harmeet

PS:
Sorry about changing the topic on the thread, but this had nothing to do with
Yahoo. Also, my last email got partially sent. (I am trying to get used to a
different mail client.)


----- Original Message -----
From: Tijl Houtbeckers <thoutbeckers at splendo.com>
Sent: Sep 12, 2:11 AM

> Matthias Wimmer <m at tthias.net> wrote on 12-9-2003 1:21:10:
> >
> >Hi Andrew!
> >
> >Andrew Sayers wrote on 2003-09-11 15:31:27:
> >> > Note: Protocol change in MSN is due some security issues, AFAIK.
> >> For the record, MS claim there is a security weakness in older 
> >> versions of the protocol, which they haven't disclosed.  I assume 
> >> they'll tell us about it once it's no longer a live issue.
> >
> >I am not really sure if there is a real security problem in the old
> >protocol. But we'll see if they tell us about a real one after it has
> >been shut down.
> 
> Well, it depends on how you look at it. Microsoft wants people to 
> upgrade to a version of the protocol that uses SSL, so that when they 
> choose they can start depending on client-side SSL certificates to know 
> who their users are. Since you can't do that with the old protocol, from 
> that perspective you could call it "insecure". 
> 
> -- 
> Tijl Houtbeckers
> Software Engineer @ Splendo
> The Netherlands
> 
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
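The design difference Harmeet is arguing about, modelled as an added example (this is not code from the thread and not MSN's actual protocol): in a challenge-response login the client sends a keyed digest bound to a fresh server challenge, so the password never transits and a captured response is useless against the next challenge; with password-over-TLS the tunnel hides the bytes from on-path observers, but the terminating server and every relay it forwards to handle the cleartext. The HMAC-SHA256 construction, the relay model and the `strict_tls_context` helper (the client-side hostname and trust-store check Harmeet mentions) are assumptions chosen for illustration.

```python
"""Model of the two login designs contrasted in the thread.

Added illustration; the hash construction (HMAC-SHA256 over a server
challenge) is an assumption for clarity, not the algorithm any MSNP
version used.
"""
import hashlib
import hmac
import secrets
import ssl


def challenge_response(challenge: bytes, password: str) -> str:
    """Client side of a challenge-response login: derive a one-time
    response from the server challenge and the password. The password
    itself never leaves the client."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


def verify_challenge_response(challenge: bytes, password: str, response: str) -> bool:
    """Server side: recompute the expected response for the challenge it
    issued and compare in constant time."""
    expected = challenge_response(challenge, password)
    return hmac.compare_digest(expected, response)


def relay_nodes_observe(message: bytes, relay_nodes: int) -> list:
    """Model of the relay concern in the message: the TLS-terminating
    endpoint and every upstream node it forwards the credential to see
    the same decrypted bytes (assumed topology, not MSN's)."""
    return [message] * relay_nodes


def compare_schemes(password: str, relay_nodes: int = 3) -> dict:
    """Summarise what the relay chain handles under each design and
    whether a captured login message can be reused."""
    # Scheme A: challenge-response (the pre-MSNP8 style, per the message).
    challenge = secrets.token_bytes(16)
    resp = challenge_response(challenge, password)
    wire_a = resp.encode()
    # A later login gets a fresh challenge; the old response must not verify.
    replayable = verify_challenge_response(secrets.token_bytes(16), password, resp)

    # Scheme B: password inside TLS. On-path observers see ciphertext, but
    # the endpoint and any relay behind it handle the cleartext password.
    wire_b = password.encode()

    pw = password.encode()
    return {
        "challenge_response": {
            "valid_against_issued_challenge": verify_challenge_response(challenge, password, resp),
            "replayable_against_new_challenge": replayable,
            "password_visible_to_relays": any(pw in m for m in relay_nodes_observe(wire_a, relay_nodes)),
        },
        "password_over_tls": {
            "password_visible_to_relays": any(pw in m for m in relay_nodes_observe(wire_b, relay_nodes)),
        },
    }


def strict_tls_context() -> ssl.SSLContext:
    """The client-side mitigation the message alludes to: require a
    certificate that chains to the trust store AND matches the expected
    hostname, so a substituted endpoint reached through a spoofed DNS
    answer is rejected rather than silently accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed sample password; uppercase and '!' cannot occur in a hex digest.
    for scheme, facts in compare_schemes("Xy!7-pass").items():
        print(scheme, facts)
```

The strict context only helps if the trust store itself is sound, which is exactly the residual weakness Harmeet points at; the example shows the check a client can enforce, not a guarantee that the store is trustworthy.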
