[jdev] MD5 auth problem

Hal Rottenberg halr9000 at gmail.com
Thu May 25 07:56:10 CDT 2006


On 5/25/06, Dave Cridland <dave at cridland.net> wrote:
> On Thu May 25 11:21:36 2006, Norman Rasmussen wrote:
> > Agreed, Psi shouldn't complain about Plain if it's TLS/SSL secured.
>
> Yes it should.
>
> Consider the case where the server is compromised. TLS privacy is
> only good on the wire, so if you use PLAIN (or any plaintext password
> mechanism), you've handed the attacker your password. So unless the
> server cannot be compromised, a client has every right to complain.

At HP, our server (Jabber Inc. XCP) uses TLS+plain.  IT found that it
scaled *much* better that way.  This is one of those real-world
compromises that security people have to work with sometimes.

But on an intranet you can trust the server more so than on the Internet.

-- 
Psi webmaster (http://psi-im.org)
im:hal at jabber.rocks.cc
http://halr9000.com
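As an added illustration of the point quoted above (not code from this thread, from Psi or from XCP), the following shows what a server ends up holding after a SASL PLAIN exchange versus a DIGEST-MD5 one: with PLAIN the password is recovered verbatim from the client's message, while the DIGEST-MD5 response carries only a hash that the server checks against its own copy of the secret. The user name, password, realm and nonce values are constructed for the example.

```python
import base64
import hashlib


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def plain_initial_response(authzid: str, authcid: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL password, base64 encoded.
    TLS hides this on the wire, but the server decodes it in full."""
    msg = f"{authzid}\0{authcid}\0{password}".encode()
    return base64.b64encode(msg).decode()


def server_view_plain(b64: str) -> tuple:
    """What the server (and anyone who has compromised it) recovers from PLAIN."""
    _authzid, authcid, password = base64.b64decode(b64).decode().split("\0")
    return authcid, password


def digest_md5_response(user, realm, password, nonce, cnonce, nc, qop, uri) -> str:
    """RFC 2831 response-value for qop=auth. The client never sends the
    password; only this hex digest goes over the wire."""
    ha1 = md5hex(hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
                 + f":{nonce}:{cnonce}".encode())
    ha2 = md5hex(f"AUTHENTICATE:{uri}".encode())
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def digest_md5_verify(stored_password, user, realm, nonce, cnonce, nc, qop, uri,
                      response: str) -> bool:
    """Server side: recompute from the stored secret and compare."""
    expected = digest_md5_response(user, realm, stored_password, nonce, cnonce,
                                   nc, qop, uri)
    return expected == response


if __name__ == "__main__":
    # Constructed sample values (not real credentials or nonces).
    b64 = plain_initial_response("", "alice", "s3cret")
    print("PLAIN, as seen by the server:", server_view_plain(b64))
    resp = digest_md5_response("alice", "example.org", "s3cret", "nonce1",
                               "cnonce1", "00000001", "auth", "xmpp/example.org")
    print("DIGEST-MD5 response on the wire:", resp)
```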