On Thu, Aug 16, 2012 at 10:50 AM, Pedro Melo <[email protected]> wrote:
> Hi,
>
> came across this today and I haven't seen it mentioned here:
>
> http://www.pentestit.com/xmpploit-tool-attack-xmpp-connections/
>
> I haven't tested it yet, and the article is strong on claims and light
> on explanations on how it works, so take it with a grain of salt.
The claims they make seem sensible - everyone's known about the possibility of such downgrade attacks since forever - which is why clients generally won't allow both PLAIN and non-TLS at the same time.

What clients really need to do is cert pinning and mech pinning to prevent these exploits in all but the first-login case.

/K
_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
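The client-side policy sketched in the reply above (never send PLAIN without TLS, then pin the server certificate and the SASL mechanism after the first login), as an added Python example. This is not code from the thread, from any XMPP client, or from the xmpploit tool: the stream-features stanzas, the byte strings standing in for DER certificates and the mechanism ranking are all constructed here for illustration, and a real client would take the certificate from its TLS socket rather than from a constant.

```python
"""Downgrade protection for an XMPP client login, trust-on-first-use style:
1. PLAIN is only ever sent over TLS;
2. the server certificate seen on first login is pinned;
3. the strongest SASL mechanism negotiated on first login is pinned.
Constructed example; not taken from any real client."""
import hashlib
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Strongest first. This ranking is an assumption made for the example.
MECH_RANK = {"SCRAM-SHA-1": 2, "DIGEST-MD5": 1, "PLAIN": 0}


class PinStore:
    """What the client remembers about one account after its first login."""
    def __init__(self):
        self.cert_fp = None   # SHA-256 over the server's DER certificate
        self.mech = None      # strongest SASL mechanism ever negotiated


def parse_mechanisms(features_xml):
    """Return the SASL mechanisms advertised in a <stream:features/> stanza."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]


def negotiate(features_xml, tls_established, cert_der, pins):
    """Decide whether to log in and with which mechanism. Returns (ok, detail).

    On the first login the pins are empty and get filled in from whatever the
    server (or an attacker already in the path) offers; on every later login
    anything weaker than what was pinned is refused."""
    offered = [m for m in parse_mechanisms(features_xml) if m in MECH_RANK]
    if not offered:
        return False, "refused: no supported mechanism offered"
    chosen = max(offered, key=MECH_RANK.get)

    # Rule 1: a cleartext password needs an encrypted stream, no exceptions.
    if chosen == "PLAIN" and not tls_established:
        return False, "refused: PLAIN offered without TLS"

    # Rule 2: certificate pinning. A man-in-the-middle that re-encrypts the
    # stream presents its own certificate, so the fingerprint changes.
    if tls_established:
        fp = hashlib.sha256(cert_der).hexdigest()
        if pins.cert_fp is None:
            pins.cert_fp = fp
        elif fp != pins.cert_fp:
            return False, "refused: server certificate changed since first login"
    elif pins.cert_fp is not None:
        return False, "refused: TLS was used before, now missing"

    # Rule 3: mechanism pinning. Stripping SCRAM from the feature list so only
    # PLAIN remains is the downgrade; a pinned stronger mechanism catches it.
    if pins.mech is None:
        pins.mech = chosen
    elif MECH_RANK[chosen] < MECH_RANK[pins.mech]:
        return False, f"refused: {chosen} is weaker than pinned {pins.mech}"

    return True, chosen


# Constructed sample stanzas: what the real server offers after STARTTLS, and
# what an attacker in the path presents after stripping the stronger mechanisms.
FEATURES_FULL = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""
FEATURES_STRIPPED = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed stand-ins for DER certificates. A real client would use
# ssl.SSLSocket.getpeercert(binary_form=True) here.
CERT_SERVER = b"constructed-server-cert-der"
CERT_MITM = b"constructed-attacker-cert-der"


def demo():
    """Walk the scenarios from the thread; returns the list of outcomes."""
    pins = PinStore()
    out = [
        negotiate(FEATURES_FULL, True, CERT_SERVER, pins),      # first login
        negotiate(FEATURES_FULL, True, CERT_SERVER, pins),      # normal relogin
        negotiate(FEATURES_STRIPPED, True, CERT_MITM, pins),    # MITM re-encrypts
        negotiate(FEATURES_STRIPPED, False, None, pins),        # STARTTLS stripped
        negotiate(FEATURES_STRIPPED, True, CERT_SERVER, pins),  # mechs stripped only
    ]
    # The first-login gap the reply mentions: nothing pinned yet, so the
    # attacker's offer of PLAIN over its own certificate is simply accepted.
    out.append(negotiate(FEATURES_STRIPPED, True, CERT_MITM, PinStore()))
    return out


if __name__ == "__main__":
    for ok, detail in demo():
        print("OK  " if ok else "FAIL", detail)
```

The certificate check runs before the mechanism check on purpose: a re-encrypting attacker fails on the fingerprint regardless of what it advertises, and the mechanism pin is only needed for an attacker who can present an acceptable certificate, or who strips STARTTLS entirely, which rule 1 already refuses.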
