[18268] in cryptography@c2.net mail archive
Re: Another entry in the internet security hall of shame....
daemon@ATHENA.MIT.EDU (Alaric Dailey)
Wed Aug 24 21:45:02 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 24 Aug 2005 14:50:38 -0500
From: Alaric Dailey <alaricd@pengdows.com>
To: tim@dierks.org
Cc: Ian G <iang@systemics.com>, John Kelsey <kelsey.j@ix.netcom.com>,
cryptography@metzdowd.com
In-Reply-To: <34061.38.119.128.203.1124905727.squirrel@webmail5.pair.com>
This is a cryptographically signed message in MIME format.
--------------ms010700000803020406020007
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Tim Dierks wrote:
>[resending due to e-mail address / cryptography list membership issue]
>
>On 8/24/05, Ian G <iang@systemics.com> wrote:
>
>
>>Once you've configured iChat to connect to the Google Talk service, you may
>>receive a warning message that states your username and password will be
>>transferred insecurely. This error message is incorrect; your username and
>>password will be safely transferred.
>>
>>
>
>iChat pops up the warning dialog whenever the password is sent to the
>server, rather than used in a hash-based authentication protocol.
>However, it warns even if the password is transmitted over an
>authenticated SSL connection.
>
>I'll leave it to you to decide if this is:
> - an iChat bug
> - a Google security problem
> - in need of better documentation
> - all of the above
> - none of the above
>
> - Tim
>
>
>
>
Judging by the log (captured using Trillian), google talk is using TLS,
thus the Legacy SSL support isn't there, but plain text authentication is ok
[14:23] *** Creating connection "alaricd@gmail.com/Trillian"
[14:23] *** Server supports TLS encryption...
[14:23] *** Negotiating XMPP SSL connection...
[14:23] *** Connection established using EDH-RSA-DES-CBC3-SHA (TLSv1/SSLv3)
[14:24] *** Attempting to authenticate using PLAIN
[14:24] *** Authenticated.
[14:24] *** You have successfully connected to Jabber.
--------------ms010700000803020406020007
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIIZzCC
Ao4wggH3oAMCAQICAw1lkjANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UE
ChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDQxMTEwMDIzNDQ3WhcNMDUxMTEwMDIzNDQ3
WjBfMQ8wDQYDVQQEEwZEYWlsZXkxDzANBgNVBCoTBkFsYXJpYzEWMBQGA1UEAxMNQWxhcmlj
IERhaWxleTEjMCEGCSqGSIb3DQEJARYUYWxhcmljZEBwZW5nZG93cy5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALkC6hPjX0bQDEENCgWgl5yOSiJiMKh5PA/mPmokeH35lhtc
7FKWTmJOXhk7fBazvBfYyC033+opUxDvtuPbKykGFIhVxZJw2jb0pgpi4/Wfh/R8C4JqE30P
ghwYKocZ+Zhpyk2uDniwGhqMExu8LioHGCcHwNqrBi6PZz4ECxrTAgMBAAGjVTBTMA8GA1Ud
DwEB/wQFAwMH+YAwEQYJYIZIAYb4QgEBBAQDAgWgMB8GA1UdEQQYMBaBFGFsYXJpY2RAcGVu
Z2Rvd3MuY29tMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAfKn9c5JYJgSmZR/3
rf+D0jSJ7KzWAk5An2PjAnfgPnvDAkYKYswROaaPvyUkdH5dtNuOdop8hV4F+BJXooL2mb9f
HZutFC5R5hdWaTRRlzVTFnivg03PBeLJ2sVVg+ZCXMVNFrHeIwczaM8wdmYhALJq48870geB
qGpgabiRjIEwggKOMIIB96ADAgECAgMNZZIwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UEBhMC
WkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1Ro
YXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA0MTExMDAyMzQ0N1oXDTA1
MTExMDAyMzQ0N1owXzEPMA0GA1UEBBMGRGFpbGV5MQ8wDQYDVQQqEwZBbGFyaWMxFjAUBgNV
BAMTDUFsYXJpYyBEYWlsZXkxIzAhBgkqhkiG9w0BCQEWFGFsYXJpY2RAcGVuZ2Rvd3MuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5AuoT419G0AxBDQoFoJecjkoiYjCoeTwP
5j5qJHh9+ZYbXOxSlk5iTl4ZO3wWs7wX2MgtN9/qKVMQ77bj2yspBhSIVcWScNo29KYKYuP1
n4f0fAuCahN9D4IcGCqHGfmYacpNrg54sBoajBMbvC4qBxgnB8DaqwYuj2c+BAsa0wIDAQAB
o1UwUzAPBgNVHQ8BAf8EBQMDB/mAMBEGCWCGSAGG+EIBAQQEAwIFoDAfBgNVHREEGDAWgRRh
bGFyaWNkQHBlbmdkb3dzLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAHyp
/XOSWCYEpmUf963/g9I0ieys1gJOQJ9j4wJ34D57wwJGCmLMETmmj78lJHR+XbTbjnaKfIVe
BfgSV6KC9pm/Xx2brRQuUeYXVmk0UZc1UxZ4r4NNzwXiydrFVYPmQlzFTRax3iMHM2jPMHZm
IQCyauPPO9IHgahqYGm4kYyBMIIDPzCCAqigAwIBAgIBDTANBgkqhkiG9w0BAQUFADCB0TEL
MAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
MRowGAYDVQQKExFUaGF3dGUgQ29uc3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBT
ZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UEAxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENB
MSswKQYJKoZIhvcNAQkBFhxwZXJzb25hbC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTAzMDcx
NzAwMDAwMFoXDTEzMDcxNjIzNTk1OVowYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0
ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVl
bWFpbCBJc3N1aW5nIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEpjxVc1X7TrnK
mVoeaMB1BHCd3+n/ox7svc31W/Iadr1/DDph8r9RzgHU5VAKMNcCY1osiRVwjt3J8CuFWqo/
cVbLrzwLB+fxH5E2JCoTzyvV84J3PQO+K/67GD4Hv0CAAmTXp6a7n2XRxSpUhQ9IBH+nttE8
YQRAHmQZcmC3+wIDAQABo4GUMIGRMBIGA1UdEwEB/wQIMAYBAf8CAQAwQwYDVR0fBDwwOjA4
oDagNIYyaHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVBlcnNvbmFsRnJlZW1haWxDQS5j
cmwwCwYDVR0PBAQDAgEGMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwy
LTEzODANBgkqhkiG9w0BAQUFAAOBgQBIjNFQg+oLLswNo2asZw9/r6y+whehQ5aUnX9MIbj4
Nh+qLZ82L8D0HFAgk3A8/a3hYWLD2ToZfoSxmRsAxRoLgnSeJVCUYsfbJ3FXJY3dqZw5jowg
T2Vfldr394fWxghOrvbqNOUQGls1TXfjViF4gtwhGTXeJLHTHUb/XV9lTzGCArowggK2AgEB
MGkwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0
ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMNZZIw
CQYFKw4DAhoFAKCCAacwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUx
DxcNMDUwODI0MTk1MTIwWjAjBgkqhkiG9w0BCQQxFgQUwlIEHNxc5LDA6nSNzd3+JqR1gjsw
UgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcN
AwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgweAYJKwYBBAGCNxAEMWswaTBiMQswCQYD
VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE
AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECAw1lkjB6BgsqhkiG9w0B
CRACCzFroGkwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQ
dHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENB
AgMNZZIwDQYJKoZIhvcNAQEBBQAEgYBiE7so27IrslkTx4LXxWX8NRnlAQvr6hMRhiVqDtKe
GnqEIRfH6lojs5NuoSIw50APhoecjgADQYkSyxQvFXBY1IzyQs6XFWNMFVeWMNVSvTXzcd8z
Jwv1FHgmcLbuBSFoOW7sEdGUl3jkNNL2JmEXa0l+kDYlfb8gLUT2MHNc/wAAAAAAAA==
--------------ms010700000803020406020007--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
