On 19 Dec 2014 22:12, "Waqas Hussain" <[email protected]> wrote:
>
> On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith <[email protected]> wrote:
>>
>> On 19 Dec 2014, at 19:36, Mathieu Pasquet <[email protected]> wrote:
>> >
>> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
>> >> On 19 Dec 2014 18:32, "Sam Whited" <[email protected]> wrote:
>> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
>> >>>> Hi all,
>> >>>> thought it would be interesting to the audience of this mailing list.
>> >>>>
>> >>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
>> >>>>
>> >>>> Best regards,
>> >>>>
>> >>> Another great example of why you should ditch DIGEST-MD5 and store your
>> >>> passwords as SCRAM bits.
>> >>>
>> >>> —Sam
>> >>>
>> >> It feels like we should do something like the encryption push, but for
>> >> non-plaintext passwords.
>> >
>> > Do we have any statistics (e.g. on jabber.org) about what proportion of
>> > clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
>> > (though yes, PLAIN works well with hashed passwords, but should still be
>> > avoided whenever possible)
>> >
>> > That would be enlightening.
>>
>> While I can't say anything about clients not supporting stuff, obviously,
>> clients choosing DIGEST are four times more numerous than clients choosing
>> SCRAM, six times more numerous than those choosing PLAIN, and a small
>> number do 78 auth and CRAM-MD5.
>>
>> /K
>
>
> Thanks Kev. How hard would it be to get metrics on clients and client
> versions (either overall, or DIGEST-MD5 specific)?
>
I don't know how many of the digest clients would fall back to plain, but I
suppose we can find that out. In any case, I think I could write a component
that would watch the logs and send version requests to the clients as they
connect, sorting metrics in a database. I suspect it's easy enough for anyone
to do, given the log format information.

> I expect only a handful of clients are likely responsible for 90% of the
> user base. Depending on actual metrics, we could conceivably arrange
> hackathons, bounties and general evangelism.
>

Indeed.

> A bigger issue than getting the code written would be getting the code
> deployed. Note, SCRAM-hashed password storage does not require clients to
> use SCRAM, as PLAIN is still possible (though expensive).
>
> I know that some smaller (few hundred users) deployments have seen success
> with evangelism (just describing the issue and asking users to upgrade
> apparently works well). A related issue is users being stuck on older
> client versions because of using distro-provided packages. Particularly
> users who like LTS releases.
>

I suspect that users might be motivated quite well to encourage the distros
to upgrade clients. The combination of old specification and plaintext
passwords are easy concepts to get across. We have a board full of technical
marketing types, a clear message, and in theory we can use MOTD-based
campaigns to ensure the message reaches users.

> --
> Waqas Hussain
>
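Added example, not part of any message in this thread: the point Waqas makes above, that a server storing SCRAM-style credentials can still verify a client that authenticates with PLAIN, worked through in Python against RFC 5802 SCRAM-SHA-1, with the same stored record also serving a real SCRAM exchange. The account, salt and AuthMessage values are constructed for illustration, and SASLprep of the password is skipped.

```python
import hashlib
import hmac
import os

# SCRAM-SHA-1 as in RFC 5802; 4096 is the RFC's minimum iteration count.
HASH = "sha1"
ITERATIONS = 4096


def scram_store(password, salt=None, iterations=ITERATIONS):
    """What a SCRAM server keeps per account: salt, iteration count, StoredKey
    and ServerKey. The password itself is not stored and cannot be recovered."""
    salt = salt if salt is not None else os.urandom(16)  # fresh salt per account
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.new(HASH, client_key).digest(),
            "server_key": hmac.new(salted, b"Server Key", HASH).digest()}


def verify_plain(password, record):
    """Check a password received over SASL PLAIN against a SCRAM record. The
    server redoes the PBKDF2 work on every login: correct, but expensive."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(),
                                 record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return hmac.compare_digest(hashlib.new(HASH, client_key).digest(),
                               record["stored_key"])


def client_proof(password, auth_message, record):
    """Client side of SCRAM: the client does the PBKDF2 work and sends
    ClientKey XOR ClientSignature, so the password never leaves the client."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(),
                                 record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    signature = hmac.new(hashlib.new(HASH, client_key).digest(),
                         auth_message, HASH).digest()
    return bytes(k ^ s for k, s in zip(client_key, signature))


def verify_scram_proof(proof, auth_message, record):
    """Server side of SCRAM against the same record: recover ClientKey from the
    proof and check H(ClientKey) == StoredKey, with no PBKDF2 on the server."""
    signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    client_key = bytes(p ^ s for p, s in zip(proof, signature))
    return hmac.compare_digest(hashlib.new(HASH, client_key).digest(),
                               record["stored_key"])
```

The cost difference is visible in the code: verify_plain runs PBKDF2 for every PLAIN login, while verify_scram_proof needs only two hashes because the client did that work.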
