Re: [Standards] XEP-0156 _xmppconnect is vulnerable to MITM

Sun, 13 Feb 2022 12:54:14 -0800

Thanks you Travis for taking the time to make individual reports for each implementations. I fixed it in xmpp.js 0.13.1 .
If that works for everybody - I'm happy to remove BOSH / and XEP-0156 from XMPP Compliance Suites 2022. 


If someone disagree please come up with a different solution than 
obsoleting XEP-0156 all together .
BOSH without an endpoint discovery mechanism doesn't make sense in a 
compliance suite.




On jeu., févr. 10 2022 at 19:48:47 -0700, Peter Saint-Andre 
<stpe...@stpeter.im> wrote:

Co-author of XEP-0156 here.

Thanks for raising this issue.


I would go even farther and note that DNS TXT records were never a 
great idea for this functionality (they're actively discouraged in 
the DNS community for application-level uses like this).


On 2/9/22 4:29 PM, Travis Burtrum wrote:

Hi all,


The long story short (is outside of DNSSEC) it's impossible to use 
_xmppconnect TXT records to securely connect to BOSH or WebSockets. 
Every client I've been able to find that supported this is 
vulnerable to trivial MITM (Man-In-The-Middle) via DNS spoofing.  
If you have a client that uses it, switch to grabbing host-meta via 
HTTPS per [RFC-7395] immediately, maybe grab a CVE if you wish.



Sonny commented on your PR that "RFC 7395 doesn't define bosh 
lookups"; this might be true but that raises the issue of whether we 
should still recommend BOSH, since it was a pre-websockets workaround 
for long polling.



I propose we litter [XEP-0156] with warnings explaining why it's 
insecure and should never be done, and obsolete it, instead 
referring people to the single host-meta method that [RFC-7395] 
defines, which provides secure delegation when grabbed over HTTPS.


In general, +1 to what you propose.

Peter
_______________________________________________
Standards mailing list
Info: <https://mail.jabber.org/mailman/listinfo/standards>

Unsubscribe: standards-unsubscr...@xmpp.org 
<mailto:standards-unsubscr...@xmpp.org>

_______________________________________________



_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________






















					Reply via email to