[18269] in cryptography@c2.net mail archive
Re: Another entry in the internet security hall of shame....
daemon@ATHENA.MIT.EDU (Peter Saint-Andre)
Wed Aug 24 21:45:24 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 24 Aug 2005 14:55:40 -0600
From: Peter Saint-Andre <stpeter@jabber.org>
To: cryptography@metzdowd.com
In-Reply-To: <34061.38.119.128.203.1124905727.squirrel@webmail5.pair.com>
This is a cryptographically signed message in MIME format.
--------------ms070202090508020309020504
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Tim Dierks wrote:
> [resending due to e-mail address / cryptography list membership issue]
>
> On 8/24/05, Ian G <iang@systemics.com> wrote:
>
>>Once you've configured iChat to connect to the Google Talk service, you may
>>receive a warning message that states your username and password will be
>>transferred insecurely. This error message is incorrect; your username and
>>password will be safely transferred.
>
>
> iChat pops up the warning dialog whenever the password is sent to the
> server, rather than used in a hash-based authentication protocol.
> However, it warns even if the password is transmitted over an
> authenticated SSL connection.
>
> I'll leave it to you to decide if this is:
> - an iChat bug
> - a Google security problem
> - in need of better documentation
> - all of the above
> - none of the above
It seems Google is assuming that SASL PLAIN is acceptable once you've
completed STARTTLS on port 5222 (or if you've connected via SSL on the
old-style port 5223). Decide for yourself if that's "secure" and whether
the iChat warning is justified.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
--------------ms070202090508020309020504
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJ8jCC
BPUwggLdoAMCAQICAwEjfTANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290IENBMR4w
HAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmlu
ZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wNTA1
MTcxNzQ2MDBaFw0wNjA1MTcxNzQ2MDBaMEIxHTAbBgNVBAMTFEouIFBldGVyIFNhaW50LUFu
ZHJlMSEwHwYJKoZIhvcNAQkBFhJzdHBldGVyQGphYmJlci5vcmcwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC6QaezyuQyuya0zB98ew+fDDeO6dbkFE1Td2OrePzTOuSMNHH1
kvpAxpC7m9WtSeeQ874XC9qmPxBurEILQYZrA/IJNUR+kWvJzAJLJK/62xOCOuDuNjLXKv5F
BJEeg/uDpiq6K7yfsLcwg5wkxmIGsajYR+maGDlqV7aJeMuTcRTeNHNIBliwToPlIRvQfJbP
B3D4tCInHxWeg5BmyqXZgpEPdJ1hyoHB+YvA/0YKAb1Fq9Fq2n6ZC0O70ndkx++OXw65kkYi
m6N/dHQ9xjtpOOk6cQu+SKoL2BfU8kBp9bSmIUymn+KqUdwTcge4vFieJ1lWmtMsKUTbLbgh
0P9ZAgMBAAGjgbwwgbkwDAYDVR0TAQH/BAIwADBWBglghkgBhvhCAQ0ESRZHVG8gZ2V0IHlv
dXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQgb3ZlciB0byBodHRwOi8vd3d3LkNB
Y2VydC5vcmcwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC5jYWNl
cnQub3JnMB0GA1UdEQQWMBSBEnN0cGV0ZXJAamFiYmVyLm9yZzANBgkqhkiG9w0BAQQFAAOC
AgEAk+5v9P2B9Zher5QMtmGRSqg+Dkmd2xMoBjPItsR2FFS6waXf3Hv82n4W//9HzM+zAuKv
a0kzHY9IHCqcpRVBAqKpN6a6VHb6ZmtwKtj38wmLwMUIqnfvEx4AvP8QJHERLRVn8JL801QT
8Nt1y/6LaOKkFiQUZGvP5m6plXHx2DqL2gfAtZ/VSivSTzkJp3XyDnL04TdKFMY6vPvoT1Ub
d48KW+ZA1NE1+h6gxr4jQVUExKeKB25RoxZMXyMqbawnzJZYl2fEkYgQVWVpPZO6NC9u45u4
kyOXNaLjiQwLpCvZj6x87YOQKn1YyiIWXSUFU4ArsaR/BvtVb53IKYE2LE8dPqq/fn1iMCb4
qLesxc+SQWAQB/xiDlVA00eJq+Ulyq4KTFnbARWHgXOqLUo9Uu+GsiK8L6WLf4vr2F8dhDwa
tfw7oGjGmGJd0ZO/Yt3Wp7ytutsM+4I3ewlQyRWsXx6zcSHN43FUFZpCJxrfD1k1t9z/MJy/
d2zx7mjjbjcfTykIi8taC2UwdMBAbpNmH4gh+VnrEPgYHOONwBTqL/dfW0Px5pa0Fv/WU/VQ
gYep9RLmdDYcwR2bn9XLdVDngMHHTr3Z9LNl1VfQnZg2wi2wvfIrrE0gOtJD7dMPl64Un2Tv
L0bvyJrhkiKKdFACad+aOcw1pyWIiDixoYZPJi8wggT1MIIC3aADAgECAgMBI30wDQYJKoZI
hvcNAQEEBQAweTEQMA4GA1UEChMHUm9vdCBDQTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNl
cnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcN
AQkBFhJzdXBwb3J0QGNhY2VydC5vcmcwHhcNMDUwNTE3MTc0NjAwWhcNMDYwNTE3MTc0NjAw
WjBCMR0wGwYDVQQDExRKLiBQZXRlciBTYWludC1BbmRyZTEhMB8GCSqGSIb3DQEJARYSc3Rw
ZXRlckBqYWJiZXIub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukGns8rk
MrsmtMwffHsPnww3junW5BRNU3djq3j80zrkjDRx9ZL6QMaQu5vVrUnnkPO+Fwvapj8QbqxC
C0GGawPyCTVEfpFrycwCSySv+tsTgjrg7jYy1yr+RQSRHoP7g6Yquiu8n7C3MIOcJMZiBrGo
2Efpmhg5ale2iXjLk3EU3jRzSAZYsE6D5SEb0HyWzwdw+LQiJx8VnoOQZsql2YKRD3SdYcqB
wfmLwP9GCgG9RavRatp+mQtDu9J3ZMfvjl8OuZJGIpujf3R0PcY7aTjpOnELvkiqC9gX1PJA
afW0piFMpp/iqlHcE3IHuLxYnidZVprTLClE2y24IdD/WQIDAQABo4G8MIG5MAwGA1UdEwEB
/wQCMAAwVgYJYIZIAYb4QgENBEkWR1RvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3Ig
RlJFRSBoZWFkIG92ZXIgdG8gaHR0cDovL3d3dy5DQWNlcnQub3JnMDIGCCsGAQUFBwEBBCYw
JDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAdBgNVHREEFjAUgRJzdHBl
dGVyQGphYmJlci5vcmcwDQYJKoZIhvcNAQEEBQADggIBAJPub/T9gfWYXq+UDLZhkUqoPg5J
ndsTKAYzyLbEdhRUusGl39x7/Np+Fv//R8zPswLir2tJMx2PSBwqnKUVQQKiqTemulR2+mZr
cCrY9/MJi8DFCKp37xMeALz/ECRxES0VZ/CS/NNUE/Dbdcv+i2jipBYkFGRrz+ZuqZVx8dg6
i9oHwLWf1Uor0k85Cad18g5y9OE3ShTGOrz76E9VG3ePClvmQNTRNfoeoMa+I0FVBMSnigdu
UaMWTF8jKm2sJ8yWWJdnxJGIEFVlaT2TujQvbuObuJMjlzWi44kMC6Qr2Y+sfO2DkCp9WMoi
Fl0lBVOAK7Gkfwb7VW+dyCmBNixPHT6qv359YjAm+Ki3rMXPkkFgEAf8Yg5VQNNHiavlJcqu
CkxZ2wEVh4Fzqi1KPVLvhrIivC+li3+L69hfHYQ8GrX8O6BoxphiXdGTv2Ld1qe8rbrbDPuC
N3sJUMkVrF8es3EhzeNxVBWaQica3w9ZNbfc/zCcv3ds8e5o4243H08pCIvLWgtlMHTAQG6T
Zh+IIflZ6xD4GBzjjcAU6i/3X1tD8eaWtBb/1lP1UIGHqfUS5nQ2HMEdm5/Vy3VQ54DBx069
2fSzZdVX0J2YNsItsL3yK6xNIDrSQ+3TD5euFJ9k7y9G78ia4ZIiinRQAmnfmjnMNacliIg4
saGGTyYvMYIDhzCCA4MCAQEwgYAweTEQMA4GA1UEChMHUm9vdCBDQTEeMBwGA1UECxMVaHR0
cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5
MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2VydC5vcmcCAwEjfTAJBgUrDgMCGgUAoIIB
2zAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNTA4MjQyMDU1
NDBaMCMGCSqGSIb3DQEJBDEWBBRWVpW8w1U5+WdyX3pewTioBmlzGjBSBgkqhkiG9w0BCQ8x
RTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMC
BzANBggqhkiG9w0DAgIBKDCBkQYJKwYBBAGCNxAEMYGDMIGAMHkxEDAOBgNVBAoTB1Jvb3Qg
Q0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBT
aWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMB
I30wgZMGCyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsT
FWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhv
cml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMBI30wDQYJKoZIhvcN
AQEBBQAEggEAPaFoaeuMVNS7zkpsef0/P/TmIxNI+h72B6IIqpRZ6SvxeqjuIpNGkhiez0BK
Vj2XzzCNtaYRNhi7ljjnZa3832P4rp2eUxvnGhSFvAL6h66L+V2aBAG9m2vKxj/GlGOcnuRm
9GImM0vB85W7qdJma0kFmf5SsNSJrqJE3uH4XJDYk979fb2qYwhvxnn8MOWx1TtavaldJ9r7
I19hgdSKNMKXn6kt61xZ84nq4Isc0mKOwrZYhljwLa+MRd5T/vaB4v9Jjx+5vBLbV7xX/BMo
uVKesQ9nx/oREFBEPJHs6kN1jYraMZ7BT3W7ik8eLPyPXYNakwtixtRpHbGXSm6KHgAAAAAA
AA==
--------------ms070202090508020309020504--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
