On Thu, Aug 16, 2012 at 12:36 PM, Pedro Melo <[email protected]> wrote:
> Hi,
>
> On Thu, Aug 16, 2012 at 11:12 AM, Kevin Smith <[email protected]> wrote:
>> On Thu, Aug 16, 2012 at 10:50 AM, Pedro Melo <[email protected]> wrote:
>>> came across this today and I haven't seen it mentioned here:
>>>
>>> http://www.pentestit.com/xmpploit-tool-attack-xmpp-connections/
>>>
>>> I haven't tested it yet, and the article is strong on claims and light
>>> on explanations on how it works, so take it with a grain of salt.
>>
>> The claims they make seem sensible - everyone's known about the
>> possibility of such downgrade attacks since forever - which is why
>> clients generally won't allow both PLAIN and non-TLS at the same time.
>> What clients really need to do is cert pinning and mech pinning to
>> prevent these exploits in all but the first-login case.
>
> Yes. The author has a small demo video screencast of the tool in action here:
>
> http://www.ldelgado.es/index.php?dir=aplicaciones/xmpploit
>
> The initial plain-text part of the XMPP handshake will allow a MITM
> attack to downgrade the security. Only cert and mech pinning would
> work here.
It'll allow it to downgrade to no-TLS, but not to PLAIN, as clients
shouldn't be allowing PLAIN over connections without TLS. But yes, pinning
(or something similar) is the right solution to this.

> Didn't someone suggest a TXT DNS record for this sometime ago,
> mentioning the required methods and cert sig?

I don't recall - but for this attack to work you need to have already
compromised either routing or DNS - so in either case it wouldn't help.

/K
_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
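The client-side policy the thread converges on (never PLAIN without TLS, plus certificate and mechanism pinning after the first login), as an added example that is not part of this thread or of any XMPP library. The `<stream:features>` stanzas, the certificate DER bytes, the in-memory trust-on-first-use `PinStore` and the mechanism preference order are all constructed assumptions for illustration; only the `xmpp-tls` and `xmpp-sasl` namespace URIs are the real ones.

```python
import hashlib
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed <stream:features> stanzas standing in for what a client reads
# after the initial plaintext stream header.  The first is an honest server
# that offers STARTTLS; the second is what a downgrading middlebox might
# pass through (STARTTLS stripped, only PLAIN left).
FEATURES_HONEST = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism>'
    '</mechanisms></stream:features>'
)
FEATURES_DOWNGRADED = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms></stream:features>'
)

# Constructed stand-ins for the DER bytes of two server certificates
# (a real client would hash the certificate presented in the TLS handshake).
CERT_A = b"constructed DER placeholder: server certificate A"
CERT_B = b"constructed DER placeholder: server certificate B"

# Assumed preference order, weakest to strongest; unlisted mechanisms are ignored.
MECH_RANK = {"PLAIN": 0, "DIGEST-MD5": 1, "SCRAM-SHA-1": 2, "SCRAM-SHA-256": 3}


def parse_features(xml_text):
    """Return (starttls_offered, [mechanism names]) from a <stream:features> stanza."""
    root = ET.fromstring(xml_text)
    starttls_offered = root.find("{%s}starttls" % NS_TLS) is not None
    mechs = [m.text.strip() for m in root.iter("{%s}mechanism" % NS_SASL) if m.text]
    return starttls_offered, mechs


def choose_mechanism(tls_active, offered):
    """Strongest acceptable mechanism, or None.  PLAIN is never used without TLS."""
    usable = [m for m in offered if m in MECH_RANK and (tls_active or m != "PLAIN")]
    return max(usable, key=MECH_RANK.get) if usable else None


def cert_fingerprint(cert_der):
    """SHA-256 hex digest of the certificate bytes, or None when no TLS cert is present."""
    return hashlib.sha256(cert_der).hexdigest() if cert_der else None


class PinStore:
    """In-memory trust-on-first-use pins: one record per server host."""

    def __init__(self):
        self.pins = {}

    def record(self, server, starttls_offered, cert_der, mechs):
        """Call after the first successful login; later sessions are checked against it."""
        self.pins[server] = {
            "starttls": starttls_offered,
            "cert": cert_fingerprint(cert_der),
            "mechs": set(mechs),
        }


def evaluate(store, server, features_xml, tls_active, cert_der=None):
    """Decide the client's next step: ('starttls', None), ('auth', mech) or ('abort', reason)."""
    starttls_offered, offered = parse_features(features_xml)
    if not tls_active and starttls_offered:
        return "starttls", None          # always upgrade before authenticating
    pin = store.pins.get(server)
    if pin is not None:                  # not the first login: compare with the pin
        problems = []
        if pin["starttls"] and not tls_active:
            problems.append("STARTTLS was offered before but is missing now")
        if tls_active and pin["cert"] and cert_fingerprint(cert_der) != pin["cert"]:
            problems.append("certificate fingerprint changed")
        missing = pin["mechs"] - set(offered)
        if missing:
            problems.append("pinned mechanisms no longer offered: " + ", ".join(sorted(missing)))
        if problems:
            return "abort", "; ".join(problems)
    mech = choose_mechanism(tls_active, offered)
    if mech is None:
        return "abort", "no acceptable SASL mechanism (PLAIN is refused without TLS)"
    return "auth", mech


if __name__ == "__main__":
    store = PinStore()
    host = "example.net"
    print(evaluate(store, host, FEATURES_HONEST, tls_active=False))      # first contact: upgrade
    print(evaluate(store, host, FEATURES_HONEST, True, CERT_A))          # after TLS: SCRAM-SHA-1
    store.record(host, True, CERT_A, ["SCRAM-SHA-1", "PLAIN"])            # pin on first login
    print(evaluate(store, host, FEATURES_DOWNGRADED, tls_active=False))  # stripped features: abort
    print(evaluate(store, host, FEATURES_HONEST, True, CERT_B))          # different cert: abort
```

Without a pin, the stripped stanza is still rejected because the only mechanism left is PLAIN over plaintext, which matches Kevin's point that a downgrade to no-TLS is possible but a downgrade to PLAIN should not be. With a pin, the same stanza is rejected twice over (STARTTLS vanished, SCRAM-SHA-1 vanished), and a changed certificate is rejected even when the feature list looks normal; the first-login case remains the gap the thread identifies.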
