[jdev] MD5 auth problem
Norman Rasmussen
norman at rasmussen.co.za
Thu May 25 06:58:21 CDT 2006
On 5/25/06, Dave Cridland <dave at cridland.net> wrote:
> On Thu May 25 11:21:36 2006, Norman Rasmussen wrote:
> > Agreed, Psi shouldn't complain about Plain if it's TLS/SSL secured.
>
> Yes it should.
>
> Consider the case where the server is compromised. TLS privacy is
> only good on the wire, so if you use PLAIN (or any plaintext password
> mechanism), you've handed the attacker your password. So unless the
> server cannot be compromised, a client has every right to complain.
>
> If you use DIGEST-MD5, then the attacker only has a plaintext
> equivalent good enough to authenticate with the compromised server,
> and cannot obtain anything better from the authentication process on
> the wire - if the server is compromised, therefore, you've lost
> privacy, but not your password.
mmm, all true. Either way, Ulrich's users are going to have to provide
their password in 'plain' format at least once to start using Jabber
(either via a script on the web site, or via SASL, or via iq plain).
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
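An added example, not part of this thread, that works through Dave's point in code: with PLAIN the server (compromised or not) sees the password itself, whereas with DIGEST-MD5 (RFC 2831) it only needs and only sees a realm-bound MD5 of username:realm:password, which is enough to impersonate the client on that realm but is not the password. Nonces, the XMPP host and the user are constructed values; the response formula follows RFC 2831 with qop=auth and no authzid.

```python
import hashlib


def _h(data: bytes) -> bytes:
    """Raw 16-byte MD5, the H() of RFC 2831."""
    return hashlib.md5(data).digest()


def plain_message(username: str, password: str, authzid: str = "") -> bytes:
    """SASL PLAIN initial response: authzid NUL authcid NUL passwd (RFC 4616).
    Everything a compromised server needs to reuse the password anywhere."""
    return f"{authzid}\0{username}\0{password}".encode("utf-8")


def password_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only credential a DIGEST-MD5 server
    has to store, bound to this realm by construction."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, digest_uri: str,
                        nc: str = "00000001", qop: str = "auth") -> str:
    """Client response-value for qop=auth, computed from the stored secret
    alone (no password needed), exactly as a server verifying it would."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}"
    return _h(kd_input.encode("utf-8")).hex()


def compromised_server_view(mechanism: str, username: str, realm: str, password: str) -> dict:
    """What an attacker who owns the server ends up holding after one login."""
    if mechanism == "PLAIN":
        return {"password": password, "reusable_on_other_realms": True}
    if mechanism == "DIGEST-MD5":
        return {"secret_for_realm": password_secret(username, realm, password).hex(),
                "reusable_on_other_realms": False}
    raise ValueError(f"unknown mechanism {mechanism!r}")


if __name__ == "__main__":
    # Constructed values for a Jabber login; real nonces are server/client random.
    user, realm, pw = "ulrich", "jabber.example.org", "correct horse"
    nonce, cnonce, uri = "srv-nonce-0001", "cli-nonce-0001", "xmpp/jabber.example.org"
    secret = password_secret(user, realm, pw)
    print("PLAIN wire bytes  :", plain_message(user, pw))
    print("DIGEST-MD5 resp   :", digest_md5_response(secret, nonce, cnonce, uri))
    print("server holds (PLAIN)     :", compromised_server_view("PLAIN", user, realm, pw))
    print("server holds (DIGEST-MD5):", compromised_server_view("DIGEST-MD5", user, realm, pw))
    # Same user and password on another realm yield a different secret.
    print("other realm differs:", secret != password_secret(user, "other.example", pw))
```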