> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Peter Saint-Andre
> Sent: Wednesday, August 24, 2005 4:56 PM
> To: cryptography@metzdowd.com
> Subject: Re: Another entry in the internet security hall of shame....
>
>
> Tim Dierks wrote:
> > [resending due to e-mail address / cryptography list membership issue]
> >
> > On 8/24/05, Ian G <[EMAIL PROTECTED]> wrote:
> >
> >>Once you've configured iChat to connect to the Google Talk service, you may
> >>receive a warning message that states your username and password will be
> >>transferred insecurely. This error message is incorrect; your username and
> >>password will be safely transferred.
> >
> >
> > iChat pops up the warning dialog whenever the password is sent to the
> > server, rather than used in a hash-based authentication protocol.
> > However, it warns even if the password is transmitted over an
> > authenticated SSL connection.
> >
> > I'll leave it to you to decide if this is:
> > - an iChat bug
> > - a Google security problem
> > - in need of better documentation
> > - all of the above
> > - none of the above
>
> It seems Google is assuming that SASL PLAIN is acceptable once you've
> completed STARTTLS on port 5222 (or if you've connected via SSL on the
> old-style port 5223). Decide for yourself if that's "secure" and whether
> the iChat warning is justified.
>
> Peter
>
> --
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.shtml
Ironically, Peter's message above kicked off warning dialogs from MS Outlook, since it was signed using a keypair signed with Peter's own self-signed root, which was not in MSO's list of trusted roots.

Self-signed certs are only useful for showing that a given set of messages are from the same source - they don't provide any trustworthy information as to the binding of that source to anything.

Peter Trei
(not digitally signed, and not pretending to be)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
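The trust decision the thread circles around, written out as an added example in Go that is not part of the thread, of iChat, of Google Talk or of any Jabber software: a client should treat SASL PLAIN as acceptable only when the password travels inside a TLS session whose server certificate actually chains to a trusted root for the host the user asked for. Encryption alone (STARTTLS on 5222 or old-style SSL on 5223) only guarantees that the password reaches whoever holds the certificate's key, and a self-signed certificate, as Peter Trei notes, binds that key to nothing; the most it can give is continuity with earlier messages from the same key, which the fingerprint helper below shows. `StreamState`, `ChooseMechanism`, `SelfSignedCert`, `SPKIFingerprint` and the host name `talk.example.invalid` are all constructed for this example, and DIGEST-MD5 stands in for the hash-based mechanism the thread refers to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// StreamState is what a client knows about the stream before SASL starts (hypothetical type).
type StreamState struct {
	TLSActive  bool              // STARTTLS completed on 5222, or old-style SSL on 5223
	ServerCert *x509.Certificate // leaf certificate the server presented, nil if none
	Host       string            // XMPP domain the user asked to connect to
}

// ChooseMechanism picks the SASL mechanism the client may use. A hash-based
// mechanism never discloses the password, so it is always preferred. PLAIN
// hands the password to the peer, so it is accepted only when the stream is
// encrypted AND the server certificate chains to a trusted root for Host.
func ChooseMechanism(offered []string, st StreamState, roots *x509.CertPool) (string, error) {
	offers := map[string]bool{}
	for _, m := range offered {
		offers[m] = true
	}
	if offers["DIGEST-MD5"] { // stands in for the hash-based mechanism in the thread
		return "DIGEST-MD5", nil
	}
	if !offers["PLAIN"] {
		return "", errors.New("no acceptable SASL mechanism offered")
	}
	if !st.TLSActive {
		return "", errors.New("PLAIN refused: password would cross the wire in clear")
	}
	if st.ServerCert == nil {
		return "", errors.New("PLAIN refused: TLS active but no server certificate")
	}
	// Verify checks validity period, host name and the chain to a root in the pool.
	opts := x509.VerifyOptions{Roots: roots, DNSName: st.Host}
	if _, err := st.ServerCert.Verify(opts); err != nil {
		return "", fmt.Errorf("PLAIN refused: server identity not trusted: %w", err)
	}
	return "PLAIN", nil
}

// SelfSignedCert builds a certificate signed by its own key for host: the kind
// of certificate Outlook warned about, well-formed but anchored in no trusted root.
func SelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIFingerprint hashes the certificate's public key. Equal fingerprints on two
// self-signed certificates mean the same key holder produced both; that
// continuity is all such a certificate establishes, not who the holder is.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func main() {
	const host = "talk.example.invalid" // constructed host name
	cert, err := SelfSignedCert(host)
	if err != nil {
		panic(err)
	}
	noRoots := x509.NewCertPool() // empty pool, deliberately not the system store
	pinned := x509.NewCertPool()
	pinned.AddCert(cert) // the user has explicitly chosen to trust this certificate
	st := StreamState{TLSActive: true, ServerCert: cert, Host: host}
	fmt.Println(ChooseMechanism([]string{"PLAIN"}, StreamState{Host: host}, noRoots))
	fmt.Println(ChooseMechanism([]string{"PLAIN"}, st, noRoots))
	fmt.Println(ChooseMechanism([]string{"PLAIN"}, st, pinned))
	fmt.Println("key fingerprint:", SPKIFingerprint(cert))
}
```

The three calls in `main` walk through the cases the thread argues over: no TLS (refused), TLS with a self-signed certificate nobody trusts (refused, because `Verify` finds no chain), and the same certificate after the user has pinned it (PLAIN accepted). A client that warns in the third case is being over-cautious, as Tim Dierks describes; one that stays silent in the second is the real problem.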