[JDEV] MSNP8 Security Enhancement

Andrew Sayers andrew-list-jabber-jdev at ccl.bham.ac.uk
Thu Sep 11 21:10:15 CDT 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Sep 11, 2003 at 05:45:03PM -0700, harmeet_im at kodemuse.com wrote:
> Pre MSN P8 authentication was based on client computing a secure hash
> and sending it to the server, but the new SSL authentication requires
> you to send the password over SSL. ie. the Password is actually sent
> to one of n servers. This appears (to me) to actually reduce security.
> 
> - Password is sent to remote location.

True for both MD5 and SSL.  However, sniffing an MD5 authentication is
trivial, and brute-forcing your password from that won't take long.

> - If password is relayed from destination SSL server to one or more
>   upstream servers, my password(not obfuscated hash) is sent to more
>   nodes.

What makes you think your password was previously sent between MS's
servers hashed?  Even if it was, the hash would also need to be
transmitted in order for it to be useful.

> - SSL is prone to man in the middle attack.

SSL version 1 is prone to men in the middle.  Version 2 (used, IIRC, by
MSNP8) fixes that problem.

>                                             So one can insert an SSL
>   Server that appears to be the destination. This can be done if the
>   DNS is compromised. (This could be done at network level, hosts file
>   etc.)

If you're talking about DNS spoofing individual clients, you can already
do that with MSNP7.  If you're talking about spoofing MS's servers, I
suspect anyone who could breach their defences that much could do far
more interesting things than grab Messenger passwords.

>         SSL on client side may verify destination servers identity
>   against a truststore but that is vulnerable too. :-( If the SSL
>   Server can be mimicked basically the attacker can create a proxy,
>   appear like the real destination and slurp all passwords.

As I understand it, mimicking an SSL client or server requires you to
steal their private key.  Again, anyone that good would have better
things to do.

>                                                             My point
>   is that MS has actually reduced security by forcing people to send
>   their password over network instead of hash of password.

Granted, the new system isn't perfectly secure, but I don't see how this
introduces any new weaknesses that weren't present before.

	- Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: The following is method of proving my identity.  For more information, see http://www.gnupg.org.  E-mail {andrew-go-away at ccl.bham.ac.uk} if you don't want this.

iD8DBQE/YSsFUjUCivGf+MsRAvcDAJ0QeiDQ3Hpqdn/K+nA8WxkIEu+zLwCfW46J
bm3X4ifLpRXLtEFh5Y7T+sA=
=37TE
-----END PGP SIGNATURE-----

More information about the JDev mailing list