[18271] in cryptography@c2.net mail archive


RE: Another entry in the internet security hall of shame....

daemon@ATHENA.MIT.EDU (Trei, Peter)
Thu Aug 25 16:12:43 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 25 Aug 2005 09:42:47 -0400
From: "Trei, Peter" <ptrei@rsasecurity.com>
To: "Peter Saint-Andre" <stpeter@jabber.org>,
	<cryptography@metzdowd.com>



> -----Original Message-----
> From: owner-cryptography@metzdowd.com
> [mailto:owner-cryptography@metzdowd.com]On Behalf Of Peter Saint-Andre
> Sent: Wednesday, August 24, 2005 4:56 PM
> To: cryptography@metzdowd.com
> Subject: Re: Another entry in the internet security hall of shame....
>
>
> Tim Dierks wrote:
> > [resending due to e-mail address / cryptography list membership issue]
> >
> > On 8/24/05, Ian G <iang@systemics.com> wrote:
> >
> >>Once you've configured iChat to connect to the Google Talk service, you may
> >>receive a warning message that states your username and password will be
> >>transferred insecurely. This error message is incorrect; your username and
> >>password will be safely transferred.
> >
> >
> > iChat pops up the warning dialog whenever the password is sent to the
> > server, rather than used in a hash-based authentication protocol.
> > However, it warns even if the password is transmitted over an
> > authenticated SSL connection.
> >
> > I'll leave it to you to decide if this is:
> >  - an iChat bug
> >  - a Google security problem
> >  - in need of better documentation
> >  - all of the above
> >  - none of the above
>
> It seems Google is assuming that SASL PLAIN is acceptable once you've
> completed STARTTLS on port 5222 (or if you've connected via SSL on the
> old-style port 5223). Decide for yourself if that's "secure" and whether
> the iChat warning is justified.
>
> Peter
>
> -- 
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.shtml

Ironically, Peter's message above kicked off warning
dialogs from MS Outlook, since it was signed using a keypair
signed with Peter's own self-signed root, which was not in
MSO's list of trusted roots.

Self-signed certs are only useful for showing that a given
set of messages is from the same source - they don't provide
any trustworthy information as to the binding of that source
to anything.

Peter Trei
(not digitally signed, and not pretending to be)




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
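As an added illustration of the two points raised in this thread (not code from any poster, iChat or Google Talk): a hypothetical XMPP client policy that reads the server's SASL mechanism list and only agrees to PLAIN when the stream is TLS-protected and the server certificate chains to a trusted root, warning otherwise. The stream-features XML, the mechanism preference set and the function names are all constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample of a <stream:features> stanza as a server might send
# after STARTTLS on port 5222; the mechanism list is illustrative only.
SAMPLE_FEATURES = f"""<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""

# Mechanisms that keep the password itself off the wire (assumed preference set).
HASHED = ("SCRAM-SHA-1", "DIGEST-MD5", "CRAM-MD5")


def offered_mechanisms(features_xml):
    """Extract the SASL mechanism names the server advertises."""
    root = ET.fromstring(features_xml)
    return [m.text for m in root.iter(f"{{{SASL_NS}}}mechanism")]


def choose_mechanism(mechs, tls_active, peer_cert_trusted):
    """Return (mechanism, warning). Hypothetical policy: prefer a hashed
    mechanism; accept PLAIN only on a TLS stream whose certificate chains to
    a trusted root. A self-signed cert only shows continuity of the same
    source, not who that source is, so it does not count as trusted here."""
    for m in HASHED:
        if m in mechs:
            return m, None
    if "PLAIN" in mechs:
        if tls_active and peer_cert_trusted:
            return "PLAIN", None
        reason = "no TLS" if not tls_active else "server certificate not trusted"
        return None, f"password would be transferred insecurely ({reason})"
    return None, "no acceptable SASL mechanism offered"


def plain_initial_response(authzid, authcid, password):
    """RFC 4616 PLAIN initial response: [authzid] NUL authcid NUL passwd, base64.
    Shown to make clear that PLAIN is the password itself, merely encoded."""
    msg = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(msg).decode("ascii")
```

Feeding SAMPLE_FEATURES through offered_mechanisms and choose_mechanism reproduces the situation in the thread: PLAIN is the only mechanism, so the verdict depends entirely on the TLS state and the trust in the server certificate.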
