sounds to me very risky in an enviroment where inexpierienced people set up home servers
lovetox
it probably will make the client non-functional for many users because of server misconfigurations
xnamedhas left
lovetox
not sure what the treatmodel is .. to do any shenanigans with sasl someone would need to mitm your tls connection, and then he wants to break scram? why ...
jubalhhas left
xnamedhas joined
kikuchiyohas left
thomaslewishas joined
kikuchiyohas joined
thomaslewishas left
thomaslewishas joined
Sam
Channel binding with the -PLUS variant has anti-downgrade preventions built in, IIRC, so mechanism pinning is less useful there. However, if you're not using the -PLUS variants for whatever reason you need some mechanism to ensure that you can't be downgraded to PLAIN, for example. This is where pinning comes in. It probably has other applications that I haven't thought of, but this was the main one IIRC.
Sam
Generally speaking I feel like it's generally a bad idea to randomly accept that the server is providing lower security mechanisms. The very few inexperienced people who will host their own servers are probably a tiny number of people and aren't worth weakening security for a very unlikely UX problem.
Sam
Especially when it's an easy thing to provide a helpful error message for, so it's not even really a bad UX.
thomaslewishas left
Zash
Although you probably need to account for PLUS with tls-unique going away when going from TLS 1.2 to 1.3 until tls-exporter gets widely deployed...
thomaslewishas joined
Matrix Traveler (bot)has left
homebeachhas left
homebeachhas joined
Matrix Traveler (bot)has joined
xnamedhas left
thomaslewishas left
lovetox
The question was why someone that already has the capabilities of breaking my tls connection, and can read all my traffic, needs to know my password
pulkomandy
Then it can use your password to connect to the real server and impersonate you?
Sam
MITM is hard. Getting a password and connecting yourself from anywhere in the world you want makes it easier to repeatedly do whatever it was you were doing later.
lovetox
downgrade attacke would mean he can inject stanzas into the connection
lovetox
so he can already impersonate me
lovetox
so the whole treatmodel is for that is: "It does not really save you from anything bad, but maybe it makes it harder for the attacker to do it more than once" ?
Sam
Sure, but they can start a new connection whenever if they gave your password. Or log into your email when you reuse passwords.
lovetox
does not really convince me to annoy users and write hundreds of lines of code that can be buggy and fail
thomaslewishas joined
lovetox
how can PLUS variant have downgrade prevention?
lovetox
sounds impossible
Zash
SCRAM has a flag where the client says whether it thinks the server offers PLUS, if it doesn't match expectations on the server it fails
MattJ
In SCRAM the client reports whether it supports channel binding, so the server can fail authentication if it offered PLUS but the client didn't use it (e.g. because the attacker removed it from the mechanism list)
MattJ
That
lovetox
but this does not prevent the case with PLAIN described above by Sam
debaclehas left
MattJ
Correct
lovetox
so is this just about PLAIN? i should not downgrade to PLAIN, but everything else doesnt matter
moparisthebest
Thousands of XMPP developer hours spent on protecting the user password from the server, still no real world use. SCRAM has played us for fools.
MattJ
I think SCRAM is cool. I think channel binding crosses the line into cryptographic overengineering.
moparisthebest
It's awesome and absolutely critical in a world where TLS isn't used
thomaslewishas left
moparisthebest
But for the last decade or so...
Zash
Detecting TLS MITM is kinda cool tho
MattJ
Zash: it is, but......
MattJ
When does TLS MITM happen in reality?
moparisthebest
If the TLS mitm has a valid cert it's good
Zash
In the evil reverse proxies!!!11
MattJ
TLS MITM basically only happens when it's intentional, e.g. corporate networks and such
MattJ
And people still want their chat apps to work
Zash
Evil corporate DPI boxes!
MattJ
But we'll prevent them from connecting and people will blame^Wcheer XMPP from the rooftops
MattJ
But sure, 0.5% of people would prefer it not to work
MattJ
So I'm glad channel binding exists for them 🙂
Martin
> TLS MITM basically only happens when it's intentional, e.g. corporate networks and such
> And people still want their chat apps to work
I don't think you should install your chat app on the company device.
moparisthebest
100% what Martin said
MattJ
Martin: even if it's for work purposes?
moparisthebest
And presumably if you do, you want it to function
thomaslewishas joined
Martin
Then the company IT department should assure it's working.
moparisthebest
And it's a work account so your company already knows the password
MattJ
This whole discussion is about making sure they can't make it work
Zash
Weren't XMPP only used for private chat anyway? 🙂
MattJ
That's what MITM detection does
Zash
The IT department already deployed Matri^W Slack.
Martin
Probably worse. Teams.
Zash
or BOTH
Zash
all while the IT department uses IRC internally
thomaslewishas left
selurveduhas joined
thomaslewishas joined
pep.
"MattJ> TLS MITM basically only happens when it's intentional, e.g. corporate networks and such" or states using valid gmail.com certs. (/me looking at France)
moparisthebest
pep.: What do you mean
pep.
That was some time ago, and they got spotted quickly I assume, I'm looking for the link. This kind of stuff happens anyway, it's not just corporate networks. CA mafia and all.
Zash
https://www.rfc-editor.org/rfc/rfc1925.html#section-2
> It Has To Work.
thomaslewishas left
moparisthebest
DNSSEC is the fix for that
moparisthebest
Well, and other lesser things, cert transparency log, CAA etc
Zash
DNSSEC transparency log when?
thomaslewishas joined
pep.
"Zash> all while the IT department uses IRC internally" redundancy :P
pep.
If Slack fails they still have something that works
Zash
We humans sure do love stating the obvious, don't we 🙂
pep.
I was doing the same with s/IRC/XMPP/
pep.
ssshhh
moparisthebest
IRC is for sure the second best group chat after XMPP, everything else is far worse
pep.
Zash: We humans use weird methods to communicate that don't guarantee the same interpretation :)
'114 works Good Enough, so not much demand I guess
pep.
Not storing credentials on the server for bridges, that's the use-case
larmahas left
MattJ
How does 225 help?
pep.
You'd be able to store that client-side
pep.
A client-side component
Zash
What?
MattJ
How?
Zash
Who?
pep.
Well the thing is that the server still has to have DNS etc. setup :/
pep.
So yeah it's not perfect
pep.
Suggestions welcome
MattJ
Just run over a client connection
MattJ
If it's about a single user
pep.
Multiprotocol client?
moparisthebest
You'd need a way to request a dedicated domain from the server, you could do that pretty easily with wildcards (DNS and cert) but the abuse potential is massive
thomaslewishas left
pep.
MattJ, "run over a client connection", what does that mean
pep.
reuse it?
pep.
Technically the server could spoof the domain, it doesn't need to be declared right
pep.
If it's just over c2s
MattJ
Correct
xnamedhas joined
Mario Sabatinohas left
moparisthebest
So that's just my echo component thing
pep.
Except having a client-side component could echo itself (to all clients). A client-only-thing needs the echo thing
xnamedhas left
Samhas left
techmetx11has left
xnamedhas joined
selurveduhas left
thomaslewishas joined
selurveduhas joined
Samhas joined
TheRealkaranohas left
selurveduhas left
selurveduhas joined
thomaslewishas left
moparisthebest
Right, but server just needs the echo thing, and any clients can use it for whatever protocol they want