[jdev] GSSAPI and service hostname
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Thu Jan 15 13:30:09 CST 2009
On Thursday 15 January 2009 10:02:24 Matthew A. Miller wrote:
> Besides, XEP-233 isn't any more secure than the SRV lookup.
[...]
> * If you trust the XEP-233 result because you've got a secure channel
> (STARTTLS) and trusted their certificate, then why can't you now trust
> the SRV result?
Hmm, this is an interesting question.
TLS validates the XMPP domain, not the connect host found in the SRV result.
So an attacker could feed you an incorrect SRV result here, and then route
your traffic (as-is, not attacking TLS) to the real XMPP server. This would
be enough for an attacker to cause you to use the wrong host in the Kerberos
negotiation.
However, it's not clear to me if there is a real attack here. With the wrong
host, you may obtain a wrong Kerberos ticket but you'll attempt to use it
with the "right" host which will result in a failed authentication (a DoS).
Maybe if the "right" host has multiple host keys for the "xmpp" service, the
attacker could cause you to successfully authenticate to the wrong XMPP host?
Well, whether that attack is really a problem or not, at least XEP-233 does
close it off.
-Justin
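A small model of the two ways a client can choose the GSSAPI service principal that the message above contrasts: from the unauthenticated DNS SRV target, or from a hostname the server advertises inside the already TLS-protected stream (the XEP-233 approach). This is an added example, not code from the thread or from any XMPP implementation; the domain, realm, hostnames, SRV records and keytab contents are constructed, and the Kerberos exchange is reduced to "does the server hold a key for the principal the client asked for".

```python
from dataclasses import dataclass

REALM = "EXAMPLE.COM"     # assumed Kerberos realm (constructed)
DOMAIN = "example.com"    # assumed XMPP domain the user connects to (constructed)


@dataclass(frozen=True)
class SrvRecord:
    target: str
    port: int


def service_principal(host: str) -> str:
    """Kerberos service principal for the xmpp service on a given host."""
    return f"xmpp/{host.lower().rstrip('.')}@{REALM}"


def srv_lookup(domain: str, dns: dict) -> SrvRecord:
    """Plain DNS: the client gets whatever the resolver (or an attacker) answers."""
    return dns[f"_xmpp-client._tcp.{domain}"]


@dataclass(frozen=True)
class XmppServer:
    domain: str         # name in its TLS certificate
    hostname: str       # hostname it advertises for GSSAPI (XEP-233 style)
    keytab: frozenset   # service principals whose keys this server holds

    def stream_features(self) -> dict:
        # Sent after STARTTLS, so the client has already validated `domain`.
        return {"domain": self.domain, "gssapi_hostname": self.hostname}

    def accept_ticket(self, principal: str) -> bool:
        # A ticket for `principal` is only usable here if the matching key is
        # in the keytab. A real KDC would already refuse to issue a ticket for
        # an unknown principal; either way the client does not get in.
        return principal in self.keytab


def negotiate(domain: str, dns: dict, server: XmppServer, use_xep233: bool):
    """Return (principal the client requests from the KDC, whether auth succeeds).

    Threat model from the thread: the attacker can feed the client a bogus SRV
    answer but does not attack TLS, so the connection always lands on `server`,
    which presents a certificate for `domain`.
    """
    target = srv_lookup(domain, dns).target
    features = server.stream_features()
    if features["domain"] != domain:
        raise ValueError("TLS certificate does not match the XMPP domain")
    host = features["gssapi_hostname"] if use_xep233 else target
    principal = service_principal(host)
    return principal, server.accept_ticket(principal)


# Constructed deployments and DNS answers.
REAL = XmppServer(DOMAIN, "xmpp1.example.com",
                  frozenset({service_principal("xmpp1.example.com")}))
# Same server, but its keytab also holds a key for a second hostname.
MULTI_KEY = XmppServer(DOMAIN, "xmpp1.example.com",
                       frozenset({service_principal("xmpp1.example.com"),
                                  service_principal("xmpp2.example.com")}))

SRV_NAME = f"_xmpp-client._tcp.{DOMAIN}"
HONEST_DNS = {SRV_NAME: SrvRecord("xmpp1.example.com", 5222)}
SPOOFED_DNS = {SRV_NAME: SrvRecord("attacker.example.net", 5222)}
SPOOFED_TO_XMPP2 = {SRV_NAME: SrvRecord("xmpp2.example.com", 5222)}


def scenarios() -> dict:
    return {
        "honest SRV": negotiate(DOMAIN, HONEST_DNS, REAL, use_xep233=False),
        "spoofed SRV": negotiate(DOMAIN, SPOOFED_DNS, REAL, use_xep233=False),
        "spoofed SRV, XEP-233 hostname": negotiate(DOMAIN, SPOOFED_DNS, REAL, use_xep233=True),
        "spoofed SRV, multi-key server": negotiate(DOMAIN, SPOOFED_TO_XMPP2, MULTI_KEY, use_xep233=False),
    }


if __name__ == "__main__":
    for name, (principal, ok) in scenarios().items():
        print(f"{name:32} {principal:42} {'accepted' if ok else 'rejected'}")
```

The second scenario is the failed-authentication (DoS) outcome described in the message: the SRV-derived principal does not match anything the real server can decrypt. The third shows why taking the hostname from inside the TLS-validated stream removes that dependence on DNS. The fourth models the open question raised in the message: when the real server's keytab holds keys for several hostnames, a spoofed SRV target that happens to be one of those names is accepted, so the client ends up authenticating to a host it did not choose.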