On 5/3/10 8:05 AM, "Evan Schoenberg, M.D." <[email protected]> wrote:
> Ah. Your problem is not with trying multiple SASL mechs but rather that we
> have to use jabber:iq:auth even if SASL fails entirely.

Yes.

> A long and detailed discussion of this is found at
> http://trac.adium.im/ticket/8108 - please see
> http://trac.adium.im/ticket/8108#comment:15 and the two following comments, in
> particular.

This points out a downgrade attack that Adium is currently subject to. Right now, Adium will try to send the server the plaintext password, even if the server doesn't want it. All I have to do as an attacker to get your password is contrive a transient login failure through the mechanisms that the server supports.

I agree that this situation is poorly documented in the standards, and even more poorly implemented in the servers (seeing as how few of them send the iq:auth stream feature as XEP-78 requires).

The suggested approach of forcing the user to click an "old-style auth" button on this account is probably the best we can do. Note: the default should be the new standard: SASL.

-- 
Joe Hildebrand
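[Editor's added example, not part of the thread and not Adium or libpurple code.] The downgrade Joe describes can be modelled in a few dozen lines: a client whose SASL attempt fails for any reason falls back to the legacy jabber:iq:auth (XEP-0078) login, which carries the password inside the stanza. The attacker in the middle does not need the password to run this: it advertises normal SASL mechanisms, answers every attempt with a "transient" failure, and collects whatever the client sends next. Everything below is constructed for illustration: the two server classes stand in for the network peer, the stanzas are hand-built strings, the DIGEST-MD5 step is collapsed to a single hash comparison, and names such as MitmServer, login_always_fallback and old_style_auth_enabled are invented here.

```python
"""Toy model of the SASL -> jabber:iq:auth downgrade discussed in the thread.
Added example, not Adium code. Servers, stanzas and the SASL step are all
simplified stand-ins; the only real identifiers are the XMPP namespaces."""

import hashlib
from dataclasses import dataclass

USERNAME = "alice"      # constructed account
PASSWORD = "hunter2"    # constructed credential

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
IQ_AUTH_NS = "jabber:iq:auth"                                 # XEP-0078 legacy auth
IQ_AUTH_FEATURE_NS = "http://jabber.org/features/iq-auth"     # XEP-0078 stream feature


@dataclass(frozen=True)
class StreamFeatures:
    sasl_mechanisms: tuple   # names listed under <mechanisms xmlns=SASL_NS>
    legacy_auth: bool        # True if <auth xmlns=IQ_AUTH_FEATURE_NS/> was offered


def digest_stand_in(password):
    """Stand-in for a real challenge/response digest (toy, not DIGEST-MD5):
    proves knowledge of the password without putting the password on the wire."""
    return hashlib.md5(password.encode()).hexdigest()


class HonestServer:
    """Knows the password, so the digest mechanism completes normally."""
    def __init__(self):
        self.captured = []   # anything that arrived via jabber:iq:auth

    def features(self):
        # Compliant server with no legacy auth: does not advertise XEP-0078.
        return StreamFeatures(("DIGEST-MD5",), legacy_auth=False)

    def sasl(self, mech, response):
        if mech == "DIGEST-MD5" and response == digest_stand_in(PASSWORD):
            return f"<success xmlns='{SASL_NS}'/>"
        return f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"

    def iq_auth(self, iq_xml):
        self.captured.append(iq_xml)
        return "<iq type='error'/>"


class MitmServer:
    """The attacker. It cannot finish any SASL mechanism (no password), so it
    fails them all with a 'transient' error and waits for a downgrade."""
    def __init__(self):
        self.captured = []

    def features(self):
        # Looks like a normal server: same mechanisms, no legacy feature.
        return StreamFeatures(("DIGEST-MD5",), legacy_auth=False)

    def sasl(self, mech, response):
        return f"<failure xmlns='{SASL_NS}'><temporary-auth-failure/></failure>"

    def iq_auth(self, iq_xml):
        self.captured.append(iq_xml)   # the password is in here, in the clear
        return "<iq type='result'/>"


def try_sasl(server, password):
    """Walk the client's SASL preference list; return the winning mech or None."""
    feats = server.features()
    for mech in ("DIGEST-MD5",):   # toy preference list: one mechanism
        if mech in feats.sasl_mechanisms:
            if "<success" in server.sasl(mech, digest_stand_in(password)):
                return mech
    return None


def legacy_iq_auth(server, password):
    """XEP-0078 plaintext login: the password is literally inside the stanza."""
    iq = (f"<iq type='set' id='auth1'><query xmlns='{IQ_AUTH_NS}'>"
          f"<username>{USERNAME}</username><password>{password}</password>"
          f"<resource>example</resource></query></iq>")
    return "type='result'" in server.iq_auth(iq)


def login_always_fallback(server, password):
    """The behaviour criticised in the thread: any SASL failure -> iq:auth."""
    mech = try_sasl(server, password)
    if mech is not None:
        return mech
    return IQ_AUTH_NS if legacy_iq_auth(server, password) else None


def login_opt_in_fallback(server, password, old_style_auth_enabled=False):
    """The suggested approach: SASL only by default. jabber:iq:auth runs only if
    the user explicitly enabled 'old-style auth' for this account AND the
    server actually advertised the XEP-0078 stream feature."""
    mech = try_sasl(server, password)
    if mech is not None:
        return mech
    if old_style_auth_enabled and server.features().legacy_auth:
        return IQ_AUTH_NS if legacy_iq_auth(server, password) else None
    return None


if __name__ == "__main__":
    for client in (login_always_fallback, login_opt_in_fallback):
        mitm = MitmServer()
        result = client(mitm, PASSWORD)
        print(client.__name__, "->", result,
              "| password leaked:", any(PASSWORD in c for c in mitm.captured))
```

Against MitmServer the always-fallback client "succeeds" via jabber:iq:auth and the attacker's captured list contains the password; the opt-in client returns None and sends nothing. The remaining caveat is the one Joe accepts as "the best we can do": a MITM can also forge the iq-auth stream feature, so the feature check alone is not a defence, and the per-account opt-in is what actually keeps the default user out of the plaintext path.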
