Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Ian G

In another routine event in the adventure known as
getting security to work in spite of the security,
I just received this ...

[fwd]

When creating a google talk compatible IM personality in Apple's iChat you
get the following warning on the Google Help pages:
-=-=-
12. Check the boxes next to 'Connect using SSL' and 'Allow self-signed
certificates.' You don't need to check the box next to 'Warn before
password is sent insecurely' -- your password is always secure with Google
Talk.

Congratulations! You are now ready to connect to the Google Talk service
using iChat.

Once you've configured iChat to connect to the Google Talk service, you may
receive a warning message that states your username and password will be
transferred insecurely. This error message is incorrect; your username and
password will be safely transferred.
-=-=-

hmm

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Roy M. Silvernail
Quoting Ian G [EMAIL PROTECTED]:

> Once you've configured iChat to connect to the Google Talk service, you may
> receive a warning message that states your username and password will be
> transferred insecurely. This error message is incorrect; your username and
> password will be safely transferred.
> -=-=-
> 
> hmm

Also noted in Psi.  Google's instructions for Psi say to leave "Use SSL
encryption" and "Allow Plaintext Login" unchecked, but both need to be checked
for me to successfully log in.  I'm guessing Google is counting on the SSL
tunnel to protect the plaintext logins.
-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com



Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Tim Dierks
[resending due to e-mail address / cryptography list membership issue]

On 8/24/05, Ian G [EMAIL PROTECTED] wrote:
> Once you've configured iChat to connect to the Google Talk service, you may
> receive a warning message that states your username and password will be
> transferred insecurely. This error message is incorrect; your username and
> password will be safely transferred.

iChat pops up the warning dialog whenever the password is sent to the
server, rather than used in a hash-based authentication protocol.
However, it warns even if the password is transmitted over an
authenticated SSL connection.

I'll leave it to you to decide if this is:
 - an iChat bug
 - a Google security problem
 - in need of better documentation
 - all of the above
 - none of the above

 - Tim



Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Alaric Dailey
Tim Dierks wrote:

> [resending due to e-mail address / cryptography list membership issue]
> 
> On 8/24/05, Ian G [EMAIL PROTECTED] wrote:
> > Once you've configured iChat to connect to the Google Talk service, you may
> > receive a warning message that states your username and password will be
> > transferred insecurely. This error message is incorrect; your username and
> > password will be safely transferred.
> 
> iChat pops up the warning dialog whenever the password is sent to the
> server, rather than used in a hash-based authentication protocol.
> However, it warns even if the password is transmitted over an
> authenticated SSL connection.
> 
> I'll leave it to you to decide if this is:
>  - an iChat bug
>  - a Google security problem
>  - in need of better documentation
>  - all of the above
>  - none of the above
> 
>  - Tim

Judging by the log (captured using Trillian), Google Talk is using TLS,
thus the legacy SSL support isn't there, but plain text authentication is OK.

[14:23] *** Creating connection [EMAIL PROTECTED]/Trillian
[14:23] *** Server supports TLS encryption...
[14:23] *** Negotiating XMPP SSL connection...
[14:23] *** Connection established using EDH-RSA-DES-CBC3-SHA (TLSv1/SSLv3)
[14:24] *** Attempting to authenticate using PLAIN
[14:24] *** Authenticated.
[14:24] *** You have successfully connected to Jabber.



Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Peter Saint-Andre

Tim Dierks wrote:

> [resending due to e-mail address / cryptography list membership issue]
> 
> On 8/24/05, Ian G [EMAIL PROTECTED] wrote:
> > Once you've configured iChat to connect to the Google Talk service, you may
> > receive a warning message that states your username and password will be
> > transferred insecurely. This error message is incorrect; your username and
> > password will be safely transferred.
> 
> iChat pops up the warning dialog whenever the password is sent to the
> server, rather than used in a hash-based authentication protocol.
> However, it warns even if the password is transmitted over an
> authenticated SSL connection.
> 
> I'll leave it to you to decide if this is:
>  - an iChat bug
>  - a Google security problem
>  - in need of better documentation
>  - all of the above
>  - none of the above

It seems Google is assuming that SASL PLAIN is acceptable once you've 
completed STARTTLS on port 5222 (or if you've connected via SSL on the 
old-style port 5223). Decide for yourself if that's secure and whether 
the iChat warning is justified.


Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml

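Tim's description of when iChat warns (the password itself leaves the client, i.e. SASL PLAIN, TLS or not), Peter's description of when Google considers PLAIN acceptable (only once the channel is encrypted), and Alaric's Trillian log together suggest a small log checker. The Python below is an added example written for this archive; it is not code from the thread, from Apple, Google, Trillian or the Jabber Software Foundation. It parses connection logs in the Trillian format quoted above and applies both rules to each session so the disagreement in the thread is visible on concrete data. The sample log is constructed: the first session copies the shape of Alaric's, the other two are invented to show a PLAIN login with no TLS line and a hash-based (DIGEST-MD5) login, with `alice@example.com` as a placeholder account.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in the Trillian format quoted in the thread.
# Session 1 mirrors Alaric's capture; sessions 2 and 3 are invented.
SAMPLE_LOG = """\
[14:23] *** Creating connection alice@example.com/Trillian
[14:23] *** Server supports TLS encryption...
[14:23] *** Negotiating XMPP SSL connection...
[14:23] *** Connection established using EDH-RSA-DES-CBC3-SHA (TLSv1/SSLv3)
[14:24] *** Attempting to authenticate using PLAIN
[14:24] *** Authenticated.
[14:24] *** You have successfully connected to Jabber.
[15:01] *** Creating connection alice@example.com/Trillian
[15:01] *** Attempting to authenticate using PLAIN
[15:01] *** Authenticated.
[15:02] *** Creating connection alice@example.com/Trillian
[15:02] *** Negotiating XMPP SSL connection...
[15:02] *** Connection established using EDH-RSA-DES-CBC3-SHA (TLSv1/SSLv3)
[15:02] *** Attempting to authenticate using DIGEST-MD5
[15:02] *** Authenticated.
"""

# One regex per event we care about; everything else in the log is ignored.
CONNECT_RE = re.compile(r"\*\*\* Creating connection (.+)$")
TLS_RE = re.compile(r"\*\*\* Connection established using (\S+) \(([^)]+)\)")
AUTH_RE = re.compile(r"\*\*\* Attempting to authenticate using (\S+)")


@dataclass
class Session:
    account: str
    tls_established: bool = False
    cipher: Optional[str] = None
    protocol: Optional[str] = None
    mechanism: Optional[str] = None


def parse_sessions(log: str) -> List[Session]:
    """Split a Trillian-style log into sessions, one per 'Creating connection'."""
    sessions: List[Session] = []
    for line in log.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            sessions.append(Session(account=m.group(1).strip()))
            continue
        if not sessions:
            continue  # lines before the first connection are ignored
        cur = sessions[-1]
        m = TLS_RE.search(line)
        if m:
            cur.tls_established = True
            cur.cipher, cur.protocol = m.group(1), m.group(2)
            continue
        m = AUTH_RE.search(line)
        if m and cur.mechanism is None:  # record the first mechanism tried
            cur.mechanism = m.group(1)
    return sessions


def ichat_warns(s: Session) -> bool:
    """iChat's rule as Tim describes it: warn whenever the password itself is
    sent to the server (SASL PLAIN), regardless of whether TLS is up."""
    return s.mechanism == "PLAIN"


def google_accepts(s: Session) -> bool:
    """Google's rule as Peter describes it: PLAIN is acceptable once the channel
    is encrypted; a hash-based mechanism is acceptable either way."""
    return s.mechanism != "PLAIN" or s.tls_established


def verdict(s: Session) -> str:
    """Classify what actually happened to the password in this session."""
    if s.mechanism is None:
        return "no-auth"
    if s.mechanism != "PLAIN":
        return "hashed"
    return "plain-over-tls" if s.tls_established else "password-in-clear"


if __name__ == "__main__":
    for i, s in enumerate(parse_sessions(SAMPLE_LOG), 1):
        print(f"session {i}: mech={s.mechanism} tls={s.tls_established} "
              f"cipher={s.cipher} -> {verdict(s)}; "
              f"iChat warns={ichat_warns(s)} Google accepts={google_accepts(s)}")
```

On Alaric's session both functions answer "yes": iChat warns and Google accepts, which is exactly the situation the Google help page tries to explain away. The checker only sees what the log records, so it cannot tell whether the server certificate was actually verified; with 'Allow self-signed certificates' ticked as the Google instructions in Ian's message require, a TLS line in the log says nothing about who the password was encrypted to.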