-
lovetox
does anyone implement that sasl method pinning
-
lovetox
sounds to me very risky in an environment where inexperienced people set up home servers
-
lovetox
it probably will make the client non-functional for many users because of server misconfigurations
-
lovetox
not sure what the threat model is .. to do any shenanigans with sasl someone would need to mitm your tls connection, and then he wants to break scram? why ...
-
Sam
Channel binding with the -PLUS variant has anti-downgrade preventions built in, IIRC, so mechanism pinning is less useful there. However, if you're not using the -PLUS variants for whatever reason you need some mechanism to ensure that you can't be downgraded to PLAIN, for example. This is where pinning comes in. It probably has other applications that I haven't thought of, but this was the main one IIRC.
-
Sam
Generally speaking I feel like it's generally a bad idea to randomly accept that the server is providing lower security mechanisms. The very few inexperienced people who will host their own servers are probably a tiny number of people and aren't worth weakening security for a very unlikely UX problem.
-
Sam
Especially when it's an easy thing to provide a helpful error message for, so it's not even really a bad UX.
-
Zash
Although you probably need to account for PLUS with tls-unique going away when going from TLS 1.2 to 1.3 until tls-exporter gets widely deployed...
-
lovetox
The question was why someone that already has the capabilities of breaking my tls connection, and can read all my traffic, needs to know my password
-
pulkomandy
Then it can use your password to connect to the real server and impersonate you?
-
Sam
MITM is hard. Getting a password and connecting yourself from anywhere in the world you want makes it easier to repeatedly do whatever it was you were doing later.
-
lovetox
downgrade attack would mean he can inject stanzas into the connection
-
lovetox
so he can already impersonate me
-
lovetox
so the whole threat model for that is: "It does not really save you from anything bad, but maybe it makes it harder for the attacker to do it more than once" ?
-
Sam
Sure, but they can start a new connection whenever if they have your password. Or log into your email when you reuse passwords.
-
lovetox
does not really convince me to annoy users and write hundreds of lines of code that can be buggy and fail
-
lovetox
how can PLUS variant have downgrade prevention?
-
lovetox
sounds impossible
-
Zash
SCRAM has a flag where the client says whether it thinks the server offers PLUS, if it doesn't match expectations on the server it fails
-
MattJ
In SCRAM the client reports whether it supports channel binding, so the server can fail authentication if it offered PLUS but the client didn't use it (e.g. because the attacker removed it from the mechanism list)
-
MattJ
That
-
lovetox
but this does not prevent the case with PLAIN described above by Sam
-
MattJ
Correct
-
lovetox
so is this just about PLAIN? i should not downgrade to PLAIN, but everything else doesn't matter
-
moparisthebest
Thousands of XMPP developer hours spent on protecting the user password from the server, still no real world use. SCRAM has played us for fools.
-
MattJ
I think SCRAM is cool. I think channel binding crosses the line into cryptographic overengineering.
-
moparisthebest
It's awesome and absolutely critical in a world where TLS isn't used
-
moparisthebest
But for the last decade or so...
-
Zash
Detecting TLS MITM is kinda cool tho
-
MattJ
Zash: it is, but......
-
MattJ
When does TLS MITM happen in reality?
-
moparisthebest
If the TLS mitm has a valid cert it's good
-
Zash
In the evil reverse proxies!!!11
-
MattJ
TLS MITM basically only happens when it's intentional, e.g. corporate networks and such
-
MattJ
And people still want their chat apps to work
-
Zash
Evil corporate DPI boxes!
-
MattJ
But we'll prevent them from connecting and people will blame^Wcheer XMPP from the rooftops
-
MattJ
But sure, 0.5% of people would prefer it not to work
-
MattJ
So I'm glad channel binding exists for them 🙂
-
Martin
> TLS MITM basically only happens when it's intentional, e.g. corporate networks and such
> And people still want their chat apps to work
I don't think you should install your chat app on the company device.
-
moparisthebest
100% what Martin said
-
MattJ
Martin: even if it's for work purposes?
-
moparisthebest
And presumably if you do, you want it to function
-
Martin
Then the company IT department should assure it's working.
-
moparisthebest
And it's a work account so your company already knows the password
-
MattJ
This whole discussion is about making sure they can't make it work
-
Zash
Wasn't XMPP only used for private chat anyway? 🙂
-
MattJ
That's what MITM detection does
-
Zash
The IT department already deployed Matri^W Slack.
-
Martin
Probably worse. Teams.
-
Zash
or BOTH
-
Zash
all while the IT department uses IRC internally
-
pep.
"MattJ> TLS MITM basically only happens when it's intentional, e.g. corporate networks and such" or states using valid gmail.com certs. (/me looking at France)
-
moparisthebest
pep.: What do you mean
-
pep.
That was some time ago, and they got spotted quickly I assume, I'm looking for the link. This kind of stuff happens anyway, it's not just corporate networks. CA mafia and all.
-
Zash
https://www.rfc-editor.org/rfc/rfc1925.html#section-2
> It Has To Work.
-
moparisthebest
DNSSEC is the fix for that
-
moparisthebest
Well, and other lesser things, cert transparency log, CAA etc
-
Zash
DNSSEC transparency log when?
-
pep.
"Zash> all while the IT department uses IRC internally" redundancy :P
-
pep.
If Slack fails they still have something that works
-
Zash
We humans sure do love stating the obvious, don't we 🙂
-
pep.
I was doing the same with s/IRC/XMPP/
-
pep.
ssshhh
-
moparisthebest
IRC is for sure the second best group chat after XMPP, everything else is far worse
-
pep.
Zash: We humans use weird methods to communicate that don't guarantee the same interpretation :)
-
Zash
Sacrebleu!
-
pep.
Anybody doing https://xmpp.org/extensions/xep-0225.html btw
-
pep.
(I guess not)
-
Zash
'114 works Good Enough, so not much demand I guess
-
pep.
Not storing credentials on the server for bridges, that's the use-case
-
MattJ
How does 225 help?
-
pep.
You'd be able to store that client-side
-
pep.
A client-side component
-
Zash
What?
-
MattJ
How?
-
Zash
Who?
-
pep.
Well the thing is that the server still has to have DNS etc. set up :/
-
pep.
So yeah it's not perfect
-
pep.
Suggestions welcome
-
MattJ
Just run over a client connection
-
MattJ
If it's about a single user
-
pep.
Multiprotocol client?
-
moparisthebest
You'd need a way to request a dedicated domain from the server, you could do that pretty easily with wildcards (DNS and cert) but the abuse potential is massive
-
pep.
MattJ, "run over a client connection", what does that mean
-
pep.
reuse it?
-
pep.
Technically the server could spoof the domain, it doesn't need to be declared right
-
pep.
If it's just over c2s
-
MattJ
Correct
-
moparisthebest
So that's just my echo component thing
-
pep.
Except having a client-side component could echo itself (to all clients). A client-only-thing needs the echo thing
-
moparisthebest
Right, but server just needs the echo thing, and any clients can use it for whatever protocol they want