> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Peter Saint-Andre
> Sent: Wednesday, August 24, 2005 4:56 PM
> To: cryptography@metzdowd.com
> Subject: Re: Another entry in the internet security hall of shame....
> 
> 
> Tim Dierks wrote:
> > [resending due to e-mail address / cryptography list 
> membership issue]
> > 
> > On 8/24/05, Ian G <[EMAIL PROTECTED]> wrote:
> > 
> >>Once you've configured iChat to connect to the Google Talk 
> service, you may
> >>receive a warning message that states your username and 
> password will be
> >>transferred insecurely. This error message is incorrect; 
> your username and
> >>password will be safely transferred.
> > 
> > 
> > iChat pops up the warning dialog whenever the password is 
> sent to the
> > server, rather than used in a hash-based authentication protocol.
> > However, it warns even if the password is transmitted over an
> > authenticated SSL connection.
> > 
> > I'll leave it to you to decide if this is:
> >  - an iChat bug
> >  - a Google security problem
> >  - in need of better documentation
> >  - all of the above
> >  - none of the above
> 
> It seems Google is assuming that SASL PLAIN is acceptable once you've 
> completed STARTTLS on port 5222 (or if you've connected via 
> SSL on the 
> old-style port 5223). Decide for yourself if that's "secure" 
> and whether 
> the iChat warning is justified.
> 
> Peter
> 
> -- 
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.shtml

Ironically, Peter's message above kicked off warning
dialogs from MS Outlook, since it was signed using a keypair
signed with Peter's own self-signed root, which was not in 
MSO's list of trusted
roots.

Self-signed certs are only useful for showing that a given
set of messages are from the same source - they don't provide
any trustworthy information as to the binding of that source
to anything.

Peter Trei
(not digitally signed, and not pretending to be)




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to