Re: Another entry in the internet security hall of shame....
Tim Dierks wrote:
> [resending due to e-mail address / cryptography list membership issue]
>
> On 8/24/05, Ian G <[EMAIL PROTECTED]> wrote:
>> Once you've configured iChat to connect to the Google Talk service, you may
>> receive a warning message that states your username and password will be
>> transferred insecurely. This error message is incorrect; your username and
>> password will be safely transferred.
>
> iChat pops up the warning dialog whenever the password is sent to the
> server, rather than used in a hash-based authentication protocol.
> However, it warns even if the password is transmitted over an
> authenticated SSL connection.
>
> I'll leave it to you to decide if this is:
>  - an iChat bug
>  - a Google security problem
>  - in need of better documentation
>  - all of the above
>  - none of the above

It seems Google is assuming that SASL PLAIN is acceptable once you've completed STARTTLS on port 5222 (or if you've connected via SSL on the old-style port 5223). Decide for yourself if that's "secure" and whether the iChat warning is justified.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
Re: Another entry in the internet security hall of shame....
Tim Dierks wrote:
> [resending due to e-mail address / cryptography list membership issue]
>
> On 8/24/05, Ian G <[EMAIL PROTECTED]> wrote:
>> Once you've configured iChat to connect to the Google Talk service, you may
>> receive a warning message that states your username and password will be
>> transferred insecurely. This error message is incorrect; your username and
>> password will be safely transferred.
>
> iChat pops up the warning dialog whenever the password is sent to the
> server, rather than used in a hash-based authentication protocol.
> However, it warns even if the password is transmitted over an
> authenticated SSL connection.
>
> I'll leave it to you to decide if this is:
>  - an iChat bug
>  - a Google security problem
>  - in need of better documentation
>  - all of the above
>  - none of the above
>
>  - Tim

Judging by the log (captured using Trillian), google talk is using TLS, thus the Legacy SSL support isn't there, but plain text authentication is ok

[14:23] *** Creating connection "[EMAIL PROTECTED]/Trillian"
[14:23] *** Server supports TLS encryption...
[14:23] *** Negotiating XMPP SSL connection...
[14:23] *** Connection established using EDH-RSA-DES-CBC3-SHA (TLSv1/SSLv3)
[14:24] *** Attempting to authenticate using PLAIN
[14:24] *** Authenticated.
[14:24] *** You have successfully connected to Jabber.
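An added example, not part of any post in this thread: a Python sketch of the decision the posters are debating, namely when a client should warn before using SASL PLAIN. It reads the mechanism and cipher from the Trillian log lines quoted above; the function names, the `cert_verified` input and the sample credentials are assumptions made for illustration, and the warning policy shown is one reasonable choice, not iChat's or any client's actual logic.

```python
import base64
import re

# Hash-based mechanisms: the password itself is never sent to the server.
HASH_BASED = ("SCRAM-SHA-1", "DIGEST-MD5")

def plain_initial_response(authcid, password, authzid=""):
    """RFC 4616 PLAIN message (authzid NUL authcid NUL passwd), base64 as in XMPP <auth/>."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def server_view(b64):
    """What the far end of the channel recovers: PLAIN is an encoding, not a hash."""
    _authzid, authcid, password = base64.b64decode(b64).decode("utf-8").split("\0")
    return authcid, password

def assess(mechanism, tls_active, cert_verified):
    """Return (warn, reason) for sending credentials with `mechanism` on this channel."""
    if mechanism in HASH_BASED:
        return False, "password is not transmitted"
    if not tls_active:
        return True, "password crosses the network in the clear"
    if not cert_verified:
        return True, "channel is encrypted but the peer is not authenticated"
    return False, "password is sent inside an authenticated TLS channel"

def parse_client_log(lines):
    """Pull the negotiated cipher and SASL mechanism out of a Trillian-style log."""
    cipher = mechanism = None
    for line in lines:
        m = re.search(r"Connection established using (\S+)", line)
        if m:
            cipher = m.group(1)
        m = re.search(r"Attempting to authenticate using (\S+)", line)
        if m:
            mechanism = m.group(1)
    return cipher, mechanism

# Log lines as quoted in the message above.
LOG = [
    "[14:23] *** Negotiating XMPP SSL connection...",
    "[14:23] *** Connection established using EDH-RSA-DES-CBC3-SHA (TLSv1/SSLv3)",
    "[14:24] *** Attempting to authenticate using PLAIN",
]

if __name__ == "__main__":
    cipher, mech = parse_client_log(LOG)
    # The log records encryption but not certificate checks, so show both cases.
    for verified in (True, False):
        print(mech, cipher, "cert_verified=%s" % verified, assess(mech, cipher is not None, verified))
    # Constructed sample credentials.
    print(server_view(plain_initial_response("user@example.org", "constructed-pw")))
```

The unverified-certificate case is the one that matters when a client is configured to accept self-signed certificates, as the Google help text quoted elsewhere in this thread instructs.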
Re: Another entry in the internet security hall of shame....
[resending due to e-mail address / cryptography list membership issue]

On 8/24/05, Ian G <[EMAIL PROTECTED]> wrote:
> Once you've configured iChat to connect to the Google Talk service, you may
> receive a warning message that states your username and password will be
> transferred insecurely. This error message is incorrect; your username and
> password will be safely transferred.

iChat pops up the warning dialog whenever the password is sent to the server, rather than used in a hash-based authentication protocol. However, it warns even if the password is transmitted over an authenticated SSL connection.

I'll leave it to you to decide if this is:
 - an iChat bug
 - a Google security problem
 - in need of better documentation
 - all of the above
 - none of the above

 - Tim

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Another entry in the internet security hall of shame....
Quoting Ian G <[EMAIL PROTECTED]>:

> Once you've configured iChat to connect to the Google Talk service, you may
> receive a warning message that states your username and password will be
> transferred insecurely. This error message is incorrect; your username and
> password will be safely transferred.
> -=-=-
>
> hmm

Also noted in Psi. Google's instructions for Psi say to leave "Use SSL encryption" and "Allow Plaintext Login" unchecked, but both need to be checked for me to successfully log in. I'm guessing Google is counting on the SSL tunnel to protect the plaintext logins.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFT
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com
Re: Another entry in the internet security hall of shame....
In another routine event in the adventure known as getting security to work in spite of the security, I just received this ...

[fwd]

When creating a google talk compatible IM personality in Apple's iChat you get the following warning on the Google Help pages:

-=-=-
12. Check the boxes next to 'Connect using SSL' and 'Allow self-signed certificates.' You don't need to check the box next to 'Warn before password is sent insecurely' -- your password is always secure with Google Talk.

Congratulations! You are now ready to connect to the Google Talk service using iChat.

Once you've configured iChat to connect to the Google Talk service, you may receive a warning message that states your username and password will be transferred insecurely. This error message is incorrect; your username and password will be safely transferred.
-=-=-

hmm