-
pl0xy
ok
-
pl0xy
hm
-
MattJ
Is my understanding correct that with the server-side credentials stored for SCRAM, you would be able to authenticate as the user?
-
MattJ
i.e. to any service with the same hashes, salt, etc.
-
MattJ
Ah, the RFC does cover this
-
jonas’
(same salt is extreeeemeely unlikely ;))
-
MattJ
That's what you think
-
MattJ
and no, there's no CVEs coming (I hope)
-
MattJ
But if you migrate your data using XEP-0227, the salt is preserved during the migration
-
Zash
So what did the RFC say? Isn't what the server keeps supposed to be only useful for verifying an authentication attempt?
-
MattJ
The RFC says it's not enough, but combined with observing an auth attempt from the client, it is
-
jonas’
so it's a bit better than plaintext
-
Sam
"better" (assuming it remains secure forever and you never have to upgrade your hash)
-
Zash
Who was it? Who put 'omemo' as content type?