On 19/12/14 at 22:55, Waqas Hussain wrote:
> On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith <[email protected]> wrote:
>> On 19 Dec 2014, at 19:36, Mathieu Pasquet <[email protected]> wrote:
>>>
>>> On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
>>>> On 19 Dec 2014 18:32, "Sam Whited" <[email protected]> wrote:
>>>>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
>>>>>> Hi all,
>>>>>> thought it would be interesting to the audience of this mailing list.
>>>>>>
>>>>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>> Another great example of why you should ditch DIGEST-MD5 and store your
>>>>> passwords as SCRAM bits.
>>>>>
>>>>> —Sam
>>>>>
>>>> It feels like we should do something like the encryption push, but for
>>>> non-plaintext passwords.
>>>
>>> Do we have any statistics (e.g. on jabber.org) about what proportion of
>>> clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
>>> (though yes, PLAIN works well with hashed passwords, but should still be
>>> avoided whenever possible)
>>>
>>> That would be enlightening.
>> While I can’t say anything about clients not supporting stuff,
>> obviously, clients choosing DIGEST are four times more numerous
>> than clients choosing SCRAM, six times more numerous than those
>> choosing PLAIN, and a small number do 78 auth and CRAM-MD5.
>> /K
> Thanks Kev. How hard would it be to get metrics on clients and client
> versions (either overall, or DIGEST-MD5 specific)?
> I expect only a handful of clients are likely responsible for 90% of
> the user base. Depending on actual metrics, we could conceivably
> arrange hackathons, bounties and general evangelism.
> A bigger issue than getting the code written would be getting the code
> deployed. Note, SCRAM-hashed password storage does not require clients
> to use SCRAM, as PLAIN is still possible (though expensive).
> I know that some smaller (few hundred users) deployments have seen
> success with evangelism (just describing the issue and asking users to
> upgrade apparently works well). A related issue is users being stuck
> on older client versions because of using distro provided packages.
> Particularly users who like LTS releases.
> --
> Waqas Hussain
Some stats for JabberES.org, taken with about half of the online users of
peak hours:

psi/psi+ 84 (I think that no released version of Psi supports SCRAM, only
Psi+ since 2013)
    0.16.xxx - 17 (Psi+)
    0.15 - 38
    0.14 - 19
    0.12 - 2
    0.11 - 1
    0.10 - 6
    0.9.3 - 1
pidgin 82 (SCRAM added in 2.7.6, released 11/21/2010)
    2.10.x - 80
    2.7.5 - 1
    2.7.1 - 1
gajim 21 (SCRAM added in 0.14, 02 September 2010)
    0.16 - 4
    0.15.x - 8
    0.14.x - 3
    0.13.x - 3
    0.12.x - 3
pandion 4 (SCRAM added in 2.6.106, 22nd April 2010)
    2.6.106 - 2
    2.5 - 2
miranda 6 (SCRAM added in December 2010)
    0.10.24 - 1
    0.10.23 - 1
    0.10.22 - 2
    0.10.18 - 1
    0.94.2.3876 - 1 (Miranda NG)
unknown 8 (no idea if they support SCRAM)
    Based on QXmpp - 2
    yaxim - 1
    jTalk - 1
    irssi-xmpp - 1
    imagent - 1
    Jabify - 1
    BayanICQ - 1
bitlbee 6 (no idea if it supports SCRAM)
    3.2.x - 6
telepathy-gabble 2 (support since 0.9.13)
    0.18 - 2
adium 1
    1.5.10 (libpurple 2.10.9) - 1
trillian 1 (no idea if it supports SCRAM)
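To make concrete the point in Waqas's reply that SCRAM-style storage still lets a PLAIN client log in (at the cost of rerunning the key derivation on every attempt) while a SCRAM client never needs the stored keys, here is an added Python example that is not part of this thread or of any server mentioned in it. It follows the SCRAM-SHA-1 key derivation from RFC 5802; the user name, password, salt and AuthMessage in it are constructed.

```python
import hashlib
import hmac
import os

HASH = "sha1"  # SCRAM-SHA-1 (RFC 5802); "sha256" gives SCRAM-SHA-256


def store_scram(password, iterations=4096, salt=None):
    """Derive the record a server keeps instead of the password (the "SCRAM bits").
    Only salt, iteration count, StoredKey and ServerKey are written down; unlike a
    DIGEST-MD5 server's stored hash, neither key lets a client log in by itself."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.new(HASH, client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", HASH).digest(),
    }


def verify_plain(record, password):
    """PLAIN login against a SCRAM record: rerun the whole derivation from the
    password the client sent. This is the "expensive" path (one PBKDF2 per attempt)."""
    candidate = store_scram(password, record["iterations"], record["salt"])
    return hmac.compare_digest(candidate["stored_key"], record["stored_key"])


def client_proof(password, salt, iterations, auth_message):
    """Client side of SCRAM: needs the password plus the salt and iteration count
    from the server-first message; it never sees StoredKey or ServerKey."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def verify_scram(record, auth_message, proof):
    """Server side of SCRAM: recover ClientKey from the proof, check that it hashes
    to StoredKey, and return the ServerSignature the client verifies in turn
    (None on failure). No password and no PBKDF2 are needed on this path."""
    client_sig = hmac.new(record["stored_key"], auth_message, HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    if not hmac.compare_digest(hashlib.new(HASH, client_key).digest(), record["stored_key"]):
        return None
    return hmac.new(record["server_key"], auth_message, HASH).digest()
```

A real AuthMessage is the concatenation of client-first-bare, server-first and client-final-without-proof; the test below passes a constructed stand-in for it.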