jdev - 2021-10-07


  1. pl0xy

    ok

  2. pl0xy

    hm

  3. MattJ

    Is my understanding correct that with the server-side credentials stored for SCRAM, you would be able to authenticate as the user?

  4. MattJ

    i.e. to any service with the same hashes, salt, etc.

  5. MattJ

    Ah, the RFC does cover this

  6. jonas’

    (same salt is extreeeemeely unlikely j))

  7. jonas’

    (same salt is extreeeemeely unlikely ;))

  8. MattJ

    That's what you think

  9. MattJ

    and no, there's no CVEs coming (I hope)

  10. MattJ

    But if you migrate your data using XEP-0227, the salt is preserved during the migration

  11. Zash

    So what did the RFC say? Isn't what the server keeps supposed to be only useful for verifying an authentication attempt?

  12. MattJ

    The RFC says it's not enough, but combined with observing an auth attempt from the client, it is

  13. jonas’

    so it's a bit better than plaintext

  14. Sam

    "better" (assuming it remains secure forever and you never have to upgrade your hash)

  15. Zash

    Who was it? Who put 'omemo' as content type?