jdev - 2022-09-06

does anyone implement that sasl method pinning

sounds to me very risky in an enviroment where inexpierienced people set up home servers

it probably will make the client non-functional for many users because of server misconfigurations

not sure what the treatmodel is .. to do any shenanigans with sasl someone would need to mitm your tls connection, and then he wants to break scram? why ...

Channel binding with the -PLUS variant has anti-downgrade preventions built in, IIRC, so mechanism pinning is less useful there. However, if you're not using the -PLUS variants for whatever reason you need some mechanism to ensure that you can't be downgraded to PLAIN, for example. This is where pinning comes in. It probably has other applications that I haven't thought of, but this was the main one IIRC.

Generally speaking I feel like it's generally a bad idea to randomly accept that the server is providing lower security mechanisms. The very few inexperienced people who will host their own servers are probably a tiny number of people and aren't worth weakening security for a very unlikely UX problem.

Especially when it's an easy thing to provide a helpful error message for, so it's not even really a bad UX.

Although you probably need to account for PLUS with tls-unique going away when going from TLS 1.2 to 1.3 until tls-exporter gets widely deployed...

The question was why someone that already has the capabilities of breaking my tls connection, and can read all my traffic, needs to know my password

Then it can use your password to connect to the real server and impersonate you?

MITM is hard. Getting a password and connecting yourself from anywhere in the world you want makes it easier to repeatedly do whatever it was you were doing later.

downgrade attacke would mean he can inject stanzas into the connection

so he can already impersonate me

so the whole treatmodel is for that is: "It does not really save you from anything bad, but maybe it makes it harder for the attacker to do it more than once" ?

Sure, but they can start a new connection whenever if they gave your password. Or log into your email when you reuse passwords.

does not really convince me to annoy users and write hundreds of lines of code that can be buggy and fail

how can PLUS variant have downgrade prevention?

sounds impossible

SCRAM has a flag where the client says whether it thinks the server offers PLUS, if it doesn't match expectations on the server it fails

In SCRAM the client reports whether it supports channel binding, so the server can fail authentication if it offered PLUS but the client didn't use it (e.g. because the attacker removed it from the mechanism list)

That

but this does not prevent the case with PLAIN described above by Sam

Correct

so is this just about PLAIN? i should not downgrade to PLAIN, but everything else doesnt matter

Thousands of XMPP developer hours spent on protecting the user password from the server, still no real world use. SCRAM has played us for fools.

I think SCRAM is cool. I think channel binding crosses the line into cryptographic overengineering.

It's awesome and absolutely critical in a world where TLS isn't used

But for the last decade or so...

Detecting TLS MITM is kinda cool tho

Zash: it is, but......

When does TLS MITM happen in reality?

If the TLS mitm has a valid cert it's good

In the evil reverse proxies!!!11

TLS MITM basically only happens when it's intentional, e.g. corporate networks and such

And people still want their chat apps to work

Evil corporate DPI boxes!

But we'll prevent them from connecting and people will blame^Wcheer XMPP from the rooftops

But sure, 0.5% of people would prefer it not to work

So I'm glad channel binding exists for them 🙂

> TLS MITM basically only happens when it's intentional, e.g. corporate networks and such > And people still want their chat apps to work I don't think you should install your chat app on the company device.

100% what Martin said

Martin: even if it's for work purposes?

And presumably if you do, you want it to function

Then the company IT department should assure it's working.

And it's a work account so your company already knows the password

This whole discussion is about making sure they can't make it work

Weren't XMPP only used for private chat anyway? 🙂

That's what MITM detection does

The IT department already deployed Matri^W Slack.

Probably worse. Teams.

or BOTH

all while the IT department uses IRC internally

"MattJ> TLS MITM basically only happens when it's intentional, e.g. corporate networks and such" or states using valid gmail.com certs. (/me looking at France)

pep.: What do you mean

That was some time ago, and they got spotted quickly I assume, I'm looking for the link. This kind of stuff happens anyway, it's not just corporate networks. CA mafia and all.

https://www.rfc-editor.org/rfc/rfc1925.html#section-2 > It Has To Work.

DNSSEC is the fix for that

Well, and other lesser things, cert transparency log, CAA etc

DNSSEC transparency log when?

"Zash> all while the IT department uses IRC internally" redundancy :P

If Slack fails they still have something that works

We humans sure do love stating the obvious, don't we 🙂

I was doing the same with s/IRC/XMPP/

ssshhh

IRC is for sure the second best group chat after XMPP, everything else is far worse

Zash: We humans use weird methods to communicate that don't guarantee the same interpretation :)

Sacrebleu!

Anybody doing https://xmpp.org/extensions/xep-0225.html btw

(I guess not)

'114 works Good Enough, so not much demand I guess

Not storing credentials on the server for bridges, that's the use-case

How does 225 help?

You'd be able to store that client-side

A client-side component

What?

How?

Who?

Well the thing is that the server still has to have DNS etc. setup :/

So yeah it's not perfect

Suggestions welcome

Just run over a client connection

If it's about a single user

Multiprotocol client?

You'd need a way to request a dedicated domain from the server, you could do that pretty easily with wildcards (DNS and cert) but the abuse potential is massive

MattJ, "run over a client connection", what does that mean

reuse it?

Technically the server could spoof the domain, it doesn't need to be declared right

If it's just over c2s

Correct

So that's just my echo component thing

Except having a client-side component could echo itself (to all clients). A client-only-thing needs the echo thing

Right, but server just needs the echo thing, and any clients can use it for whatever protocol they want