Hi,

On Thu, Aug 16, 2012 at 11:12 AM, Kevin Smith <[email protected]> wrote:
> On Thu, Aug 16, 2012 at 10:50 AM, Pedro Melo <[email protected]> wrote:
>> came across this today and I haven't seen it mentioned here:
>>
>> http://www.pentestit.com/xmpploit-tool-attack-xmpp-connections/
>>
>> I haven't tested it yet, and the article is strong on claims and light
>> on explanations on how it works, so take it with a grain of salt.
>
> The claims they make seem sensible - everyone's known about the
> possibility of such downgrade attacks since forever - which is why
> clients generally won't allow both PLAIN and non-TLS at the same time.
> What clients really need to do is cert pinning and mech pinning to
> prevent these exploits in all but the first-login case.
Yes. The author has a small demo video screencast of the tool in action here:

http://www.ldelgado.es/index.php?dir=aplicaciones/xmpploit

The initial plain-text part of the XMPP handshake will allow a MITM attack to downgrade the security. Only cert and mech pinning would work here.

Didn't someone suggest a TXT DNS record for this some time ago, mentioning the required methods and cert sig?

Bye,
--
Pedro Melo
@pedromelo
http://www.simplicidade.org/
http://about.me/melo
xmpp:[email protected]
mailto:[email protected]

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
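The cert and mech pinning the thread recommends, as an added Python example that is not part of the original mailing-list post: on first login the client records whether STARTTLS was offered, the strongest SASL mechanism and the server certificate fingerprint, and on later connections it refuses a `<stream:features>` offer that falls below that record. The stanzas, the certificate bytes and the mechanism strength ranking are constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
MECH_RANK = {"SCRAM-SHA-1": 3, "DIGEST-MD5": 2, "PLAIN": 1}  # assumed strength order for pinning

@dataclass
class Pin:  # what the client remembers about a server after its first successful login
    starttls_offered: bool
    best_mech: str
    cert_sha256: str

def parse_features(xml_text: str):
    """Return (starttls_offered, [mechanisms]) from a <stream:features> stanza."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{TLS_NS}}}starttls") is not None
    mechs = [m.text.strip() for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text]
    return starttls, mechs

def make_pin(xml_text: str, cert_der: bytes) -> Pin:
    """Trust on first use: record the best the server offered plus its certificate."""
    starttls, mechs = parse_features(xml_text)
    best = max(mechs, key=lambda m: MECH_RANK.get(m, 0))
    return Pin(starttls, best, hashlib.sha256(cert_der).hexdigest())

def check_against_pin(xml_text: str, cert_der: bytes, pin: Pin) -> list:
    """Return downgrade findings; an empty list means the offer matches the pin."""
    starttls, mechs = parse_features(xml_text)
    problems = []
    if pin.starttls_offered and not starttls:
        problems.append("STARTTLS no longer offered (possible TLS stripping)")
    best = max(mechs, key=lambda m: MECH_RANK.get(m, 0), default=None)
    if MECH_RANK.get(best, 0) < MECH_RANK.get(pin.best_mech, 0):
        problems.append(f"SASL mechanism downgraded from {pin.best_mech} to {best}")
    if hashlib.sha256(cert_der).hexdigest() != pin.cert_sha256:
        problems.append("server certificate does not match the pinned fingerprint")
    return problems

# Constructed samples: what the real server sends, and what a stripping MITM could relay.
GOOD_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""
STRIPPED_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""
CERT_DER = b"constructed placeholder, not a real certificate"
PIN = make_pin(GOOD_FEATURES, CERT_DER)  # first login: nothing to compare against yet
```

A client that keeps `PIN` per server can refuse to send credentials whenever `check_against_pin` returns findings, which covers every login after the first one.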
