On 19 December 2014 at 22:55, Dave Cridland <d...@cridland.net> wrote:
>
> On 19 Dec 2014 22:12, "Waqas Hussain" <waqa...@gmail.com> wrote:
> >
> > On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith <kevin.sm...@isode.com> wrote:
> >>
> >> On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathi...@mathieui.net> wrote:
> >> >
> >> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
> >> >> On 19 Dec 2014 18:32, "Sam Whited" <s...@samwhited.com> wrote:
> >> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
> >> >>>> Hi all,
> >> >>>> thought it would be interesting to the audience of this mailing list.
> >> >>>>
> >> >>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> >> >>>>
> >> >>>> Best regards,
> >> >>>>
> >> >>> Another great example of why you should ditch DIGEST-MD5 and store your passwords as SCRAM bits.
> >> >>>
> >> >>> —Sam
> >> >>>
> >> >> It feels like we should do something like the encryption push, but for non-plaintext passwords.
> >> >
> >> > Do we have any statistics (e.g. on jabber.org) about what proportion of clients do not support any other mechanisms than PLAIN and DIGEST-MD5? (though yes, PLAIN works well with hashed passwords, but should still be avoided whenever possible)
> >> >
> >> > That would be enlightening.
> >>
> >> While I can’t say anything about clients not supporting stuff, obviously, clients choosing DIGEST are four times more numerous than clients choosing SCRAM, six times more numerous than those choosing PLAIN, and a small number do 78 auth and CRAM-MD5.
> >>
> >> /K
> >
> > Thanks Kev. How hard would it be to get metrics on clients and client versions (either overall, or DIGEST-MD5 specific)?
> >
> > I don't know how many of the digest clients would fall back to plain, but I suppose we can find that out.
> >
> > In any case, I think I could write a component that would watch the logs and send version requests to the clients as they connect, sorting metrics in a database. I suspect it's easy enough for anyone to do, given the log format information.
>
> I expect only a handful of clients are likely responsible for 90% of the user base. Depending on actual metrics, we could conceivably arrange hackathons, bounties and general evangelism.
>
> > Indeed.
>
> A bigger issue than getting the code written would be getting the code deployed. Note, SCRAM-hashed password storage does not require clients to use SCRAM, as PLAIN is still possible (though expensive).
>
> > I know that some smaller (few hundred users) deployments have seen success with evangelism (just describing the issue and asking users to upgrade apparently works well). A related issue is users being stuck on older client versions because of using distro-provided packages. Particularly users who like LTS releases.
>
> I suspect that users might be motivated quite well to encourage the distros to upgrade clients. The combination of old specification and plaintext passwords are easy concepts to get across. We have a board full of technical marketing types, a clear message, and in theory we can use MOTD-based campaigns to ensure the message reaches users.
>

A clear message like this, perhaps: http://wiki.xmpp.org/web/Plain_Stupid (Yeah, everything needs a catchy name these days).

--
Waqas Hussain
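An added illustration of the point made in the quoted thread, that SCRAM-style credential storage still lets a server verify a SASL PLAIN login (this is example code written for this page, not code from the thread or from any XMPP server; the salt, iteration count and sample password are constructed): the Python below derives an RFC 5802 SCRAM-SHA-1 record, checks a plaintext password against it with nothing but that record, and shows for contrast the password-equivalent value a DIGEST-MD5 server has to keep.

```python
import hashlib
import hmac
import os


def scram_stored_credentials(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """Derive the SCRAM-SHA-1 record a server keeps for one account (RFC 5802).

    Only salt, iteration count, StoredKey and ServerKey go to disk; the
    plaintext password is not recoverable from any of them.
    """
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def verify_plain_against_scram(record: dict, candidate: str) -> bool:
    """Check a password received over SASL PLAIN against a SCRAM record.

    This is the "expensive" path the thread mentions: a full PBKDF2 run per
    login, because the server must rebuild ClientKey from the candidate.
    """
    salted = hashlib.pbkdf2_hmac("sha1", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """The least a DIGEST-MD5 server can store instead of the plaintext:
    MD5(user:realm:password) from RFC 2831. Unlike StoredKey, this value is
    password-equivalent, which is why the thread argues for SCRAM storage."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


if __name__ == "__main__":
    # constructed sample account; a real server would keep this per user
    record = scram_stored_credentials("correct horse battery", os.urandom(16))
    print("PLAIN login with right password :", verify_plain_against_scram(record, "correct horse battery"))
    print("PLAIN login with wrong password :", verify_plain_against_scram(record, "correct horse"))
```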