On 5/3/10 2:52 PM, "Paul Aurich" <[email protected]> wrote:
> Maybe I'm missing something, but couldn't an attacker just swap out all
> the advertised mechanisms for PLAIN and get a plaintext password the
> same way?

Yes. Good point. TLS with good certs FTW.

> FWIW, even though libpurple was/is in violation of XEP-78, the server's
> response could be better, too:
>
> "If the server does not support non-SASL authentication (e.g., because
> it supports only SASL authentication as defined in RFC 3920), it MUST
> return a <service-unavailable/> error. If the client previously
> attempted SASL authentication but that attempt failed, the server MUST
> return a <policy-violation/> stream error (see RFC 3920 regarding stream
> error syntax)."

+1, but that's difficult in this server, since the XEP-78 code isn't even
loaded, and having code loaded just to send this error will be difficult
for me to get into production.

-- 
Joe Hildebrand
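
The two behaviours discussed in the mail, written out as an added example that is not code from libpurple, from the server in question, or from either participant: a client-side mechanism choice that refuses to put a plaintext password on an unencrypted stream (the downgrade case: without TLS the feature list is unauthenticated, so a MITM can strip everything but PLAIN), and a server reply to a legacy jabber:iq:auth request that follows the XEP-78 text quoted above. The mechanism preference order, the function names and the sample stanzas are assumptions made for this example; the namespaces are the standard XMPP ones.

```python
"""Added example: SASL downgrade refusal on the client, and the XEP-78
legacy-auth refusal on the server. All stanzas below are constructed."""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"   # stanza error conditions
NS_STREAMS = "urn:ietf:params:xml:ns:xmpp-streams"   # stream error conditions
NS_CLIENT = "jabber:client"
NS_IQ_AUTH = "jabber:iq:auth"                        # XEP-78 non-SASL auth

ET.register_namespace("stream", NS_STREAM)

# Assumed client preference: mechanisms that never send the raw password first.
PREFERRED = ("SCRAM-SHA-1", "DIGEST-MD5")
PLAINTEXT = ("PLAIN",)

# Constructed <stream:features/> as a server would send it, and as a MITM on
# an unencrypted stream could rewrite it (every strong mechanism stripped).
FEATURES_HONEST = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism>'
    '</mechanisms></stream:features>')
FEATURES_DOWNGRADED = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms></stream:features>')
# Constructed legacy (XEP-78) auth request, the kind libpurple was sending.
LEGACY_AUTH_IQ = (
    '<iq xmlns="jabber:client" type="get" id="auth1" from="[email protected]/pidgin">'
    '<query xmlns="jabber:iq:auth"><username>user</username></query></iq>')


class AuthRefused(Exception):
    """Client refuses to authenticate with what was offered."""


def advertised_mechanisms(features_xml: str) -> list[str]:
    """Names of the <mechanism/> children in a <stream:features/> element."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]


def choose_mechanism(features_xml: str, tls_active: bool) -> str:
    """Pick a SASL mechanism. PLAIN is acceptable only once TLS protects the
    stream; before that the offered list may be an attacker's, so refuse."""
    mechs = advertised_mechanisms(features_xml)
    for m in PREFERRED:
        if m in mechs:
            return m
    for m in PLAINTEXT:
        if m in mechs:
            if tls_active:
                return m
            raise AuthRefused(f"{m} offered on an unencrypted stream: possible downgrade")
    raise AuthRefused("no acceptable mechanism offered: " + (", ".join(mechs) or "none"))


def reply_to_legacy_auth(iq_xml: str, sasl_already_failed: bool) -> str:
    """Server side of the quoted XEP-78 rule: <service-unavailable/> IQ error
    when non-SASL auth is unsupported; <policy-violation/> stream error when
    this client already tried SASL and failed (caller then closes the stream)."""
    iq = ET.fromstring(iq_xml)
    query = iq.find(f"{{{NS_IQ_AUTH}}}query")
    if iq.tag != f"{{{NS_CLIENT}}}iq" or query is None:
        raise ValueError("not a jabber:iq:auth request")
    if sasl_already_failed:
        err = ET.Element(f"{{{NS_STREAM}}}error")
        ET.SubElement(err, f"{{{NS_STREAMS}}}policy-violation")
        return ET.tostring(err, encoding="unicode")
    reply = ET.Element(f"{{{NS_CLIENT}}}iq", {"type": "error"})
    if iq.get("id"):
        reply.set("id", iq.get("id"))
    if iq.get("from"):
        reply.set("to", iq.get("from"))
    reply.append(query)  # echo the rejected payload so the client can see it
    error = ET.SubElement(reply, f"{{{NS_CLIENT}}}error", {"type": "cancel"})
    ET.SubElement(error, f"{{{NS_STANZAS}}}service-unavailable")
    return ET.tostring(reply, encoding="unicode")


def reply_kind(reply_xml: str) -> str:
    """Classify a serialized reply: 'stream:<condition>' or 'stanza:<condition>'."""
    root = ET.fromstring(reply_xml)
    if root.tag == f"{{{NS_STREAM}}}error":
        return "stream:" + root[0].tag.split("}")[1]
    return "stanza:" + root.find(f"{{{NS_CLIENT}}}error")[0].tag.split("}")[1]


if __name__ == "__main__":
    print(choose_mechanism(FEATURES_HONEST, tls_active=False))
    print(choose_mechanism(FEATURES_DOWNGRADED, tls_active=True))
    try:
        choose_mechanism(FEATURES_DOWNGRADED, tls_active=False)
    except AuthRefused as e:
        print("refused:", e)
    print(reply_to_legacy_auth(LEGACY_AUTH_IQ, sasl_already_failed=False))
    print(reply_to_legacy_auth(LEGACY_AUTH_IQ, sasl_already_failed=True))
```

The client rule is the whole point of "TLS with good certs FTW": once the stream is TLS-protected with a verified certificate, a PLAIN-only list is the real server's choice and sending PLAIN is acceptable; on a cleartext stream the same list is indistinguishable from a downgrade, so the only safe answer is to refuse. The stream error is serialized with whatever prefix ElementTree assigns to the xmpp-streams namespace, which is valid XML; a real server would follow it with the closing stream tag.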
