On 3 March 2014 21:47, Waqas Hussain <[email protected]> wrote: > On Mon, Mar 3, 2014 at 3:46 PM, Fedor Brunner <[email protected]> > wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA512 > > > > > > Hi all, > > this attack on TLS security may be interesting for XMPP > > https://www.imperialviolet.org/2014/03/03/triplehandshake.html > > https://secure-resumption.com/#further > > > > The attacker could modify tls-unique channel binding and affect > > SCRAM-SHA-1-PLUS authentication method. > > >
Yes, it's interesting, at a first glance. It would, however, only affect clients that do not verify certificates properly (at least at the point of sending SASL stuff). You also need clients and servers that are perfectly happy to see renegotiation, and it's not vastly obvious why XMPP *needs* any renegotiation. So something to be aware of, rather than panic over. Dave.
