On 8/16/12 5:48 AM, Kevin Smith wrote:
> On Thu, Aug 16, 2012 at 12:36 PM, Pedro Melo <[email protected]> wrote:
>> Hi,
>>
>> On Thu, Aug 16, 2012 at 11:12 AM, Kevin Smith <[email protected]> wrote:
>>> On Thu, Aug 16, 2012 at 10:50 AM, Pedro Melo <[email protected]> wrote:
>>>> came across this today and I haven't seen it mentioned here:
>>>>
>>>> http://www.pentestit.com/xmpploit-tool-attack-xmpp-connections/
>>>>
>>>> I haven't tested it yet, and the article is strong on claims and light
>>>> on explanations on how it works, so take it with a grain of salt.
>>>
>>> The claims they make seem sensible - everyone's known about the
>>> possibility of such downgrade attacks since forever - which is why
>>> clients generally won't allow both PLAIN and non-TLS at the same time.
>>> What clients really need to do is cert pinning and mech pinning to
>>> prevent these exploits in all but the first-login case.
>>
>> Yes. The author has a small demo video screencast of the tool in
>> action here:
>>
>> http://www.ldelgado.es/index.php?dir=aplicaciones/xmpploit
>>
>> The initial plain-text part of the XMPP handshake will allow a MITM
>> attack to downgrade the security. Only cert and mech pinning would
>> work here.
>
> It'll allow it to downgrade to no-TLS, but not to PLAIN, as clients
> shouldn't be allowing PLAIN over connections without TLS.

Sure, that's the proper policy for all clients. (I don't see it as
"mechanism pinning" so much as client policy.)

> But yes, pinning (or something similar) is the right solution to this.

Yes, certificate pinning is a good idea.

>> Didn't someone suggest a TXT DNS record for this some time ago,
>> mentioning the required methods and cert sig?
>
> I don't recall - but for this attack to work you need to have already
> compromised either routing or DNS - so in either case it wouldn't help.

True.

Peter

--
Peter Saint-Andre
https://stpeter.im/

JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
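The client policy the thread converges on (never PLAIN before TLS, then mechanism and certificate pinning after the first login), written out as an added Python example; this is not code from the thread or from any XMPP library, and the sample stanzas, the pinned values and the helper names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
PREFERENCE = ["SCRAM-SHA-1", "DIGEST-MD5", "PLAIN"]  # strongest first

class DowngradeError(Exception):
    """The server's offer is weaker than client policy or the pins allow."""

def parse_features(xml_text):
    """STARTTLS flag and SASL mechanisms from a <stream:features/> stanza."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{NS_TLS}}}starttls") is not None
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism")]
    return {"starttls": starttls, "mechanisms": mechs}

def next_step(features, tls_established, pinned_mech=None):
    """Return "STARTTLS" or the SASL mechanism to use, else raise DowngradeError."""
    if not tls_established:
        if features["starttls"]:
            return "STARTTLS"  # TLS first; PLAIN is never sent in the clear
        raise DowngradeError("STARTTLS not offered on a plaintext stream")
    offered = set(features["mechanisms"])
    # Mechanism pinning: the mechanism seen on first login must still be offered.
    if pinned_mech and pinned_mech not in offered:
        raise DowngradeError(f"pinned mechanism {pinned_mech} missing")
    for mech in PREFERENCE:
        if mech in offered:
            return mech
    raise DowngradeError("no acceptable mechanism offered")

def offer_is_downgraded(features, tls_established, pinned_mech=None):
    try:
        next_step(features, tls_established, pinned_mech)
        return False
    except DowngradeError:
        return True

def cert_fingerprint(cert_der):
    """Certificate pinning: SHA-256 of the DER cert, stored on first login."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed samples: honest pre/post-TLS offers and a stripped one (PLAIN only).
S = 'xmlns:stream="http://etherx.jabber.org/streams"'
HONEST_PRE_TLS = f'<stream:features {S}><starttls xmlns="{NS_TLS}"/></stream:features>'
HONEST_POST_TLS = (f'<stream:features {S}><mechanisms xmlns="{NS_SASL}"><mechanism>'
                   'SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>')
STRIPPED = (f'<stream:features {S}><mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN'
            '</mechanism></mechanisms></stream:features>')
```

On a first login there is nothing pinned yet, so STRIPPED over an established TLS session still yields PLAIN; that is the first-login gap the thread mentions, which only a pre-shared pin closes.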
