On 3 Mar. 2014, at 22:35, Dave Cridland <[email protected]> wrote:

> On 3 March 2014 21:47, Waqas Hussain <[email protected]> wrote:
> On Mon, Mar 3, 2014 at 3:46 PM, Fedor Brunner <[email protected]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Hi all,
> > this attack on TLS security may be interesting for XMPP
> > https://www.imperialviolet.org/2014/03/03/triplehandshake.html
> > https://secure-resumption.com/#further
> >
> > The attacker could modify tls-unique channel binding and affect
> > SCRAM-SHA-1-PLUS authentication method.
> >
>
> Yes, it's interesting, at a first glance.
>
> It would, however, only affect clients that do not verify certificates
> properly (at least at the point of sending SASL stuff).
>
> You also need clients and servers that are perfectly happy to see
> renegotiation, and it's not vastly obvious why XMPP *needs* any renegotiation.
>
> So something to be aware of, rather than panic over.
>
> Dave.

I disagree, there are good reasons to allow renegotiation on XMPP (for example: hiding client-side certificates). Resumption, on the other hand, I don’t see quite as useful for XMPP, due to StartTLS. Resumption is vital to this attack.

From my very limited testing with a handful of servers and `openssl s_client`, it seems most servers allow renegotiation. Servers running Prosody/ejabberd did not allow resumption, but jabber.org (M-Link) does. However, it seems the XMPP layer is treating any resumption as if it were a new connection.

Thijs
