[jdev] XMPPloit
Pedro Melo
melo at simplicidade.org
Thu Aug 16 11:36:38 UTC 2012
Hi,
On Thu, Aug 16, 2012 at 11:12 AM, Kevin Smith <kevin at kismith.co.uk> wrote:
> On Thu, Aug 16, 2012 at 10:50 AM, Pedro Melo <melo at simplicidade.org> wrote:
>> came across this today and I haven't seen it mentioned here:
>>
>> http://www.pentestit.com/xmpploit-tool-attack-xmpp-connections/
>>
>> I haven't tested it yet, and the article is strong on claims and light
>> on explanations on how it works, so take it with a grain of salt.
>
> The claims they make seem sensible - everyone's known about the
> possibility of such downgrade attacks since forever - which is why
> clients generally won't allow both PLAIN and non-TLS at the same time.
> What clients really need to do is cert pinning and mech pinning to
> prevent these exploits in all but the first-login case.

Yes. The author has a small demo video screencast of the tool in action here:
http://www.ldelgado.es/index.php?dir=aplicaciones/xmpploit

The initial plain-text part of the XMPP handshake will allow a MITM
attack to downgrade the security. Only cert and mech pinning would
work here.

Didn't someone suggest a TXT DNS record for this some time ago,
mentioning the required methods and cert sig?

Bye,
--
Pedro Melo
@pedromelo
http://www.simplicidade.org/
http://about.me/melo
xmpp:melo at simplicidade.org
mailto:melo at simplicidade.org
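
The cert and mech pinning discussed in this thread, sketched as an added example (not code from the thread or from any XMPP client). The `pins` dict, `check_session`, `sample_features` and the `MECH_RANK` ordering are assumptions made for illustration; the first login still has nothing to compare against, as noted above.

```python
import hashlib
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
# Assumed strength ranking for this example; higher is stronger.
MECH_RANK = {"PLAIN": 0, "DIGEST-MD5": 1, "SCRAM-SHA-1": 2}


def parse_features(xml_text):
    """Return (starttls_offered, [mechanisms]) from a <stream:features/> element."""
    root = ET.fromstring(xml_text)
    tls = root.find(f"{{{NS_TLS}}}starttls") is not None
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    return tls, mechs


def check_session(pins, domain, pre_tls_features, cert_der, post_tls_features):
    """Return "pinned" on first login, "ok" on a match, else raise ValueError."""
    tls_offered, _ = parse_features(pre_tls_features)
    if not tls_offered:  # the cleartext features are what a MITM can rewrite
        raise ValueError("STARTTLS not offered: refusing to continue in cleartext")
    fp = hashlib.sha256(cert_der).hexdigest()
    _, mechs = parse_features(post_tls_features)
    known = [m for m in mechs if m in MECH_RANK]
    if not known:
        raise ValueError("no known SASL mechanism offered")
    mech = max(known, key=MECH_RANK.get)
    pin = pins.get(domain)
    if pin is None:  # first login: record what was seen
        pins[domain] = {"cert_sha256": fp, "mech": mech}
        return "pinned"
    if fp != pin["cert_sha256"]:
        raise ValueError("certificate differs from pinned fingerprint")
    if MECH_RANK[mech] < MECH_RANK[pin["mech"]]:
        raise ValueError(f"mechanism downgrade: pinned {pin['mech']}, offered {mech}")
    return "ok"


def sample_features(starttls, mechs):
    """Build a constructed <stream:features/> element (not captured traffic)."""
    tls = f'<starttls xmlns="{NS_TLS}"/>' if starttls else ""
    items = "".join(f"<mechanism>{m}</mechanism>" for m in mechs)
    return (f'<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
            f'{tls}<mechanisms xmlns="{NS_SASL}">{items}</mechanisms></stream:features>')
```

A client would persist `pins` between sessions and call `check_session` before sending any SASL credentials.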