[18277] in cryptography@c2.net mail archive

Re: Another entry in the internet security hall of shame....

daemon@ATHENA.MIT.EDU (Ian G)
Thu Aug 25 16:58:49 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 25 Aug 2005 21:55:06 +0100
From: Ian G <iang@systemics.com>
To: tim@dierks.org
Cc: John Kelsey <kelsey.j@ix.netcom.com>, cryptography@metzdowd.com
In-Reply-To: <34061.38.119.128.203.1124905727.squirrel@webmail5.pair.com>

Tim Dierks wrote:
> [resending due to e-mail address / cryptography list membership issue]
> 
> On 8/24/05, Ian G <iang@systemics.com> wrote:
> 
>>Once you've configured iChat to connect to the Google Talk service, you may
>>receive a warning message that states your username and password will be
>>transferred insecurely. This error message is incorrect; your username and
>>password will be safely transferred.
> 
> 
> iChat pops up the warning dialog whenever the password is sent to the
> server, rather than used in a hash-based authentication protocol.
> However, it warns even if the password is transmitted over an
> authenticated SSL connection.
> 
> I'll leave it to you to decide if this is:
>  - an iChat bug
>  - a Google security problem
>  - in need of better documentation
>  - all of the above
>  - none of the above

none of the above.  Using SSL is the wrong tool
for the job.  It's a chat message - it should be
encrypted end to end, using either OpenPGP or
something like OTR.  And even then, you've only
covered about 10% of the threat model - the
server.

But, if people do use the wrong tool for the
job, they will strike these issues...

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
