Re: [Operators] Suspicion of Jabbim services being hacked

2015-01-10 Thread Istvan Betuker
Hi, please remove my e-mail from the mailing list. It was a mistake that I subscribed. Cheers On Dec 29, 2014 6:41 PM, "Mathias Ertl" wrote: > Hi, > > On 12/19/2014 08:36 PM, Mathieu Pasquet wrote: > > Do we have any statistics (e.g. on jabber.org) about what proportion of > > clients do not suppo

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-29 Thread Mathias Ertl
Hi, On 12/19/2014 08:36 PM, Mathieu Pasquet wrote: > Do we have any statistics (e.g. on jabber.org) about what proportion of > clients do not support any other mechanisms than PLAIN and DIGEST-MD5? > (though yes, PLAIN works well with hashed passwords, but should still be > avoided whenever possib

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-22 Thread casper
On 20.12.2014 16:08, Kim Alvefur wrote: > Collection was done with two plugins, mod_log_sasl_auth and > mod_query_client_ver, both available from > https://code.google.com/p/prosody-modules/ > Thanks for the hint. I suppose the name of the first plugin is "mod_log_sasl_mech". -- casper // systemli

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-20 Thread Sam Whited
On 12/20/2014 04:15 AM, Phil Pennock wrote: > Probably because the Triple Handshakes Considered Harmful paper from > earlier this year showed that using only the final message for channel > binding was broken and vulnerable, so there are IETF drafts for fixes to > TLS to provide something which a

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-20 Thread Kim Alvefur
SASL mechanism and client stats from the last two weeks on a small site I run:

87% PLAIN
10% SCRAM-SHA-1
3% SCRAM-SHA-1-PLUS

43% Pidgin version 2.10.9 (libpurple 2.10.9)
22% Adium version 1.5.10 (libpurple 2.10.9)
21% Gajim version 0.15.4
7% Jitsi version 2.2.4603.9615
3% Jitsi version

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-20 Thread Cesar Alcalde
On 19/12/14 at 22:55, Waqas Hussain wrote: On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith wrote: On 19 Dec 2014, at 19:36, Mathieu Pasquet wrote: > > On Fri, Dec 19, 2014 at 06:48:44PM +, Dave Cridland wrote:

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-20 Thread Phil Pennock
On 2014-12-19 at 21:43 -0500, Sam Whited wrote: > Sounds good; step two is to convince TLS stack maintainers to actually > give us access to the client final message so we can do `tls-unique' > channel binding without resorting to bundling our own TLS stacks > (seriously; everything uses tls-unique

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Sam Whited
On 12/19/2014 06:22 PM, Dave Cridland wrote: > A clear message like this, perhaps: > > http://wiki.xmpp.org/web/Plain_Stupid > > (Yeah, everything needs a catchy name these days). Sounds good; step two is to convince TLS stack maintainers to actually give us access to the client final message

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Dave Cridland
On 19 December 2014 at 22:55, Dave Cridland wrote: > > > On 19 Dec 2014 22:12, "Waqas Hussain" wrote: > > > > On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith > wrote: > >> > >> On 19 Dec 2014, at 19:36, Mathieu Pasquet > wrote: > >> > > >> > On Fri, Dec 19, 2014 at 06:48:44PM +, Dave Cridland

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Dave Cridland
On 19 Dec 2014 22:12, "Waqas Hussain" wrote: > > On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith wrote: >> >> On 19 Dec 2014, at 19:36, Mathieu Pasquet wrote: >> > >> > On Fri, Dec 19, 2014 at 06:48:44PM +, Dave Cridland wrote: >> >> On 19 Dec 2014 18:32, "Sam Whited" wrote: >> >>> On 12/19/20

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Waqas Hussain
On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith wrote: > > On 19 Dec 2014, at 19:36, Mathieu Pasquet wrote: > > > > On Fri, Dec 19, 2014 at 06:48:44PM +, Dave Cridland wrote: > >> On 19 Dec 2014 18:32, "Sam Whited" wrote: > >>> On 12/19/2014 09:24 AM, Peter Viskup wrote: > Hi all, > t

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Dave Cridland
On 19 December 2014 at 20:18, Kevin Smith wrote: > > On 19 Dec 2014, at 19:36, Mathieu Pasquet wrote: > > > > On Fri, Dec 19, 2014 at 06:48:44PM +, Dave Cridland wrote: > >> On 19 Dec 2014 18:32, "Sam Whited" wrote: > >>> On 12/19/2014 09:24 AM, Peter Viskup wrote: > Hi all, > thou

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Kevin Smith
On 19 Dec 2014, at 19:36, Mathieu Pasquet wrote: > > On Fri, Dec 19, 2014 at 06:48:44PM +, Dave Cridland wrote: >> On 19 Dec 2014 18:32, "Sam Whited" wrote: >>> On 12/19/2014 09:24 AM, Peter Viskup wrote: Hi all, thought it would be interesting to the audience of this mailinglist.

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Mathieu Pasquet
On Fri, Dec 19, 2014 at 06:48:44PM +, Dave Cridland wrote: > On 19 Dec 2014 18:32, "Sam Whited" wrote: > > On 12/19/2014 09:24 AM, Peter Viskup wrote: > > > Hi all, > > > thought it would be interesting to the audience of this mailinglist. > > > > > > http://pinky.jabb.im/2014/12/jabbim-bezpec

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Dave Cridland
It feels like we should do something like the encryption push, but for non-plaintext passwords. On 19 Dec 2014 18:32, "Sam Whited" wrote: > Another great example of why you should ditch DIGEST-MD5 and store your > passwords as SCRAM bits. > > —Sam > > On 12/19/2014 09:24 AM, Peter Viskup wrote: >

Re: [Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Sam Whited
Another great example of why you should ditch DIGEST-MD5 and store your passwords as SCRAM bits. —Sam On 12/19/2014 09:24 AM, Peter Viskup wrote: > Hi all, > thought it would be interesting to the audience of this mailinglist. > > http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security

[Operators] Suspicion of Jabbim services being hacked

2014-12-19 Thread Peter Viskup
Hi all, thought it would be interesting to the audience of this mailinglist. http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html Best regards, -- Peter Viskup