[jdev] XMPPloit

Kevin Smith kevin at kismith.co.uk
Thu Aug 16 10:12:32 UTC 2012


On Thu, Aug 16, 2012 at 10:50 AM, Pedro Melo <melo at simplicidade.org> wrote:
> Hi,
>
> came across this today and I haven't seen it mentioned here:
>
> http://www.pentestit.com/xmpploit-tool-attack-xmpp-connections/
>
> I haven't tested it yet, and the article is strong on claims and light
> on explanations on how it works, so take it with a grain of salt.

The claims they make seem sensible - everyone's known about the
possibility of such downgrade attacks since forever - which is why
clients generally won't allow both PLAIN and non-TLS at the same time.
What clients really need to do is cert pinning and mech pinning to
prevent these exploits in all but the first-login case.

/K
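
The policy Kevin sketches, as an added example in Python (not code from the list post, from XMPPloit, or from any XMPP client): a client parses the server's stream features and refuses to proceed when TLS has been stripped, when PLAIN is the only mechanism left on a cleartext stream, when the certificate differs from the one pinned on first login, or when the best mechanism on offer is weaker than the one pinned. The mechanism ranking, the in-memory pin store, the domain example.com, the stream-features stanzas and the certificate bytes are all this example's own constructions.

```python
import hashlib
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Strongest first. This ranking is an assumption of the example, not a spec value.
MECH_RANK = {"SCRAM-SHA-1-PLUS": 3, "SCRAM-SHA-1": 2, "DIGEST-MD5": 1, "PLAIN": 0}


def parse_stream_features(xml_text):
    """Return (starttls_offered, [mechanisms]) from a <stream:features/> stanza."""
    root = ET.fromstring(xml_text)
    starttls_offered = root.find("{%s}starttls" % NS_TLS) is not None
    mechs = [m.text.strip() for m in root.iter("{%s}mechanism" % NS_SASL) if m.text]
    return starttls_offered, mechs


def cert_fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


class Pins:
    """First-login pin store (in memory for the example): domain -> cert hash + mechanism."""

    def __init__(self):
        self._pins = {}

    def get(self, domain):
        return self._pins.get(domain)

    def record(self, domain, cert_der, mechanism):
        self._pins[domain] = {"cert": cert_fingerprint(cert_der), "mech": mechanism}


def decide_login(pins, domain, features_xml, tls_active, cert_der=None):
    """Return ("starttls", None), ("ok", mechanism) or ("refuse", reason).

    tls_active: STARTTLS has already completed on this stream.
    cert_der:   server certificate bytes when tls_active, else None.
    """
    starttls_offered, mechs = parse_stream_features(features_xml)
    pin = pins.get(domain)

    if not tls_active:
        if pin is not None:
            # We logged in over TLS before; a cleartext stream now means <starttls/>
            # was stripped by a man-in-the-middle or the server changed. Refuse.
            return ("refuse", "pinned certificate but no TLS on this stream")
        if starttls_offered:
            return ("starttls", None)  # negotiate TLS before touching SASL
    elif pin is not None and cert_fingerprint(cert_der) != pin["cert"]:
        return ("refuse", "certificate does not match pinned fingerprint")

    # Never send PLAIN on cleartext: stripping <starttls/> and every mechanism
    # but PLAIN is exactly the downgrade a man-in-the-middle is after.
    usable = [m for m in mechs if m in MECH_RANK and (tls_active or m != "PLAIN")]
    if not usable:
        return ("refuse", "no acceptable mechanism offered (PLAIN requires TLS)")
    best = max(usable, key=MECH_RANK.__getitem__)

    # Mechanism pinning: the server offered something stronger on an earlier login.
    if pin is not None and MECH_RANK[best] < MECH_RANK[pin["mech"]]:
        return ("refuse", "mechanism downgrade from pinned %s" % pin["mech"])
    return ("ok", best)


# Constructed stream-features stanzas and certificate bytes (not captured traffic).
_FEATURES_HEAD = "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
FEATURES_CLEAR = (_FEATURES_HEAD + "<starttls xmlns='%s'/>" % NS_TLS
                  + "<mechanisms xmlns='%s'><mechanism>SCRAM-SHA-1</mechanism>"
                    "<mechanism>PLAIN</mechanism></mechanisms>" % NS_SASL
                  + "</stream:features>")
FEATURES_TLS = (_FEATURES_HEAD
                + "<mechanisms xmlns='%s'><mechanism>SCRAM-SHA-1</mechanism>"
                  "<mechanism>PLAIN</mechanism></mechanisms>" % NS_SASL
                + "</stream:features>")
FEATURES_PLAIN_ONLY = (_FEATURES_HEAD
                       + "<mechanisms xmlns='%s'><mechanism>PLAIN</mechanism>"
                         "</mechanisms>" % NS_SASL
                       + "</stream:features>")
CERT_REAL = b"constructed-der-bytes-of-the-real-server-cert"
CERT_MITM = b"constructed-der-bytes-of-an-attacker-cert"


def walkthrough(domain="example.com"):
    """First login, then the three downgrade attempts the post is about."""
    pins = Pins()
    first = decide_login(pins, domain, FEATURES_CLEAR, tls_active=False)
    login = decide_login(pins, domain, FEATURES_TLS, tls_active=True, cert_der=CERT_REAL)
    pins.record(domain, CERT_REAL, login[1])
    stripped = decide_login(pins, domain, FEATURES_PLAIN_ONLY, tls_active=False)
    bad_cert = decide_login(pins, domain, FEATURES_TLS, tls_active=True, cert_der=CERT_MITM)
    weak_mech = decide_login(pins, domain, FEATURES_PLAIN_ONLY, tls_active=True, cert_der=CERT_REAL)
    return first, login, stripped, bad_cert, weak_mech


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The first-login gap Kevin mentions is visible in the code: with no pin yet, a cleartext stream that omits `<starttls/>` but still offers SCRAM passes, since the rule that survives without pins is only "no PLAIN without TLS". Everything after that first successful login is caught by the certificate and mechanism pins.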
