Tim Dierks wrote:

[resending due to e-mail address / cryptography list membership issue]

On 8/24/05, Ian G <[EMAIL PROTECTED]> wrote:

Once you've configured iChat to connect to the Google Talk service, you may
receive a warning message that states your username and password will be
transferred insecurely. This error message is incorrect; your username and
password will be safely transferred.

iChat pops up the warning dialog whenever the password is sent to the
server, rather than used in a hash-based authentication protocol.
However, it warns even if the password is transmitted over an
authenticated SSL connection.

I'll leave it to you to decide if this is:
- an iChat bug
- a Google security problem
- in need of better documentation
- all of the above
- none of the above

none of the above. Using SSL is the wrong tool
for the job. It's a chat message - it should be
encrypted end to end, using either OpenPGP or
something like OTR. And even then, you've only
covered about 10% of the threat model - the
server.

But, if people do use the wrong tool for the
job, they will strike these issues...

iang
---------------------------------------------------------------------
The Cryptography Mailing List