jdev - 2022-09-06


  1. lovetox

    does anyone implement that sasl method pinning

  2. lovetox

    sounds to me very risky in an environment where inexperienced people set up home servers

  3. lovetox

    it probably will make the client non-functional for many users because of server misconfigurations

  4. lovetox

    not sure what the threat model is .. to do any shenanigans with sasl someone would need to mitm your tls connection, and then he wants to break scram? why ...

  5. Sam

    Channel binding with the -PLUS variant has anti-downgrade preventions built in, IIRC, so mechanism pinning is less useful there. However, if you're not using the -PLUS variants for whatever reason you need some mechanism to ensure that you can't be downgraded to PLAIN, for example. This is where pinning comes in. It probably has other applications that I haven't thought of, but this was the main one IIRC.

  6. Sam

    Generally speaking I feel like it's generally a bad idea to randomly accept that the server is providing lower security mechanisms. The very few inexperienced people who will host their own servers are probably a tiny number of people and aren't worth weakening security for a very unlikely UX problem.

  7. Sam

    Especially when it's an easy thing to provide a helpful error message for, so it's not even really a bad UX.

  8. Zash

    Although you probably need to account for PLUS with tls-unique going away when going from TLS 1.2 to 1.3 until tls-exporter gets widely deployed...

  9. lovetox

    The question was why someone that already has the capabilities of breaking my tls connection, and can read all my traffic, needs to know my password

  10. pulkomandy

    Then it can use your password to connect to the real server and impersonate you?

  11. Sam

    MITM is hard. Getting a password and connecting yourself from anywhere in the world you want makes it easier to repeatedly do whatever it was you were doing later.

  12. lovetox

    downgrade attack would mean he can inject stanzas into the connection

  13. lovetox

    so he can already impersonate me

  14. lovetox

    so the whole threat model for that is: "It does not really save you from anything bad, but maybe it makes it harder for the attacker to do it more than once" ?

  15. Sam

    Sure, but they can start a new connection whenever if they have your password. Or log into your email when you reuse passwords.

  16. lovetox

    does not really convince me to annoy users and write hundreds of lines of code that can be buggy and fail

  17. lovetox

    how can PLUS variant have downgrade prevention?

  18. lovetox

    sounds impossible

  19. Zash

    SCRAM has a flag where the client says whether it thinks the server offers PLUS, if it doesn't match expectations on the server it fails

  20. MattJ

    In SCRAM the client reports whether it supports channel binding, so the server can fail authentication if it offered PLUS but the client didn't use it (e.g. because the attacker removed it from the mechanism list)

  21. MattJ

    That

  22. lovetox

    but this does not prevent the case with PLAIN described above by Sam

  23. MattJ

    Correct

  24. lovetox

    so is this just about PLAIN? i should not downgrade to PLAIN, but everything else doesn't matter

  25. moparisthebest

    Thousands of XMPP developer hours spent on protecting the user password from the server, still no real world use. SCRAM has played us for fools.

  26. MattJ

    I think SCRAM is cool. I think channel binding crosses the line into cryptographic overengineering.

  27. moparisthebest

    It's awesome and absolutely critical in a world where TLS isn't used

  28. moparisthebest

    But for the last decade or so...

  29. Zash

    Detecting TLS MITM is kinda cool tho

  30. MattJ

    Zash: it is, but......

  31. MattJ

    When does TLS MITM happen in reality?

  32. moparisthebest

    If the TLS mitm has a valid cert it's good

  33. Zash

    In the evil reverse proxies!!!11

  34. MattJ

    TLS MITM basically only happens when it's intentional, e.g. corporate networks and such

  35. MattJ

    And people still want their chat apps to work

  36. Zash

    Evil corporate DPI boxes!

  37. MattJ

    But we'll prevent them from connecting and people will blame^Wcheer XMPP from the rooftops

  38. MattJ

    But sure, 0.5% of people would prefer it not to work

  39. MattJ

    So I'm glad channel binding exists for them 🙂

  40. Martin

    > TLS MITM basically only happens when it's intentional, e.g. corporate networks and such
    > And people still want their chat apps to work

    I don't think you should install your chat app on the company device.

  41. moparisthebest

    100% what Martin said

  42. MattJ

    Martin: even if it's for work purposes?

  43. moparisthebest

    And presumably if you do, you want it to function

  44. Martin

    Then the company IT department should assure it's working.

  45. moparisthebest

    And it's a work account so your company already knows the password

  46. MattJ

    This whole discussion is about making sure they can't make it work

  47. Zash

    Weren't XMPP only used for private chat anyway? 🙂

  48. MattJ

    That's what MITM detection does

  49. Zash

    The IT department already deployed Matri^W Slack.

  50. Martin

    Probably worse. Teams.

  51. Zash

    or BOTH

  52. Zash

    all while the IT department uses IRC internally

  53. pep.

    "MattJ> TLS MITM basically only happens when it's intentional, e.g. corporate networks and such" or states using valid gmail.com certs. (/me looking at France)

  54. moparisthebest

    pep.: What do you mean

  55. pep.

    That was some time ago, and they got spotted quickly I assume, I'm looking for the link. This kind of stuff happens anyway, it's not just corporate networks. CA mafia and all.

  56. Zash

    https://www.rfc-editor.org/rfc/rfc1925.html#section-2

    > It Has To Work.

  57. moparisthebest

    DNSSEC is the fix for that

  58. moparisthebest

    Well, and other lesser things, cert transparency log, CAA etc

  59. Zash

    DNSSEC transparency log when?

  60. pep.

    "Zash> all while the IT department uses IRC internally" redundancy :P

  61. pep.

    If Slack fails they still have something that works

  62. Zash

    We humans sure do love stating the obvious, don't we 🙂

  63. pep.

    I was doing the same with s/IRC/XMPP/

  64. pep.

    ssshhh

  65. moparisthebest

    IRC is for sure the second best group chat after XMPP, everything else is far worse

  66. pep.

    Zash: We humans use weird methods to communicate that don't guarantee the same interpretation :)

  67. Zash

    Sacrebleu!

  68. pep.

    Anybody doing https://xmpp.org/extensions/xep-0225.html btw

  69. pep.

    (I guess not)

  70. Zash

    '114 works Good Enough, so not much demand I guess

  71. pep.

    Not storing credentials on the server for bridges, that's the use-case

  72. MattJ

    How does 225 help?

  73. pep.

    You'd be able to store that client-side

  74. pep.

    A client-side component

  75. Zash

    What?

  76. MattJ

    How?

  77. Zash

    Who?

  78. pep.

    Well the thing is that the server still has to have DNS etc. setup :/

  79. pep.

    So yeah it's not perfect

  80. pep.

    Suggestions welcome

  81. MattJ

    Just run over a client connection

  82. MattJ

    If it's about a single user

  83. pep.

    Multiprotocol client?

  84. moparisthebest

    You'd need a way to request a dedicated domain from the server, you could do that pretty easily with wildcards (DNS and cert) but the abuse potential is massive

  85. pep.

    MattJ, "run over a client connection", what does that mean

  86. pep.

    reuse it?

  87. pep.

    Technically the server could spoof the domain, it doesn't need to be declared right

  88. pep.

    If it's just over c2s

  89. MattJ

    Correct

  90. moparisthebest

    So that's just my echo component thing

  91. pep.

    Except having a client-side component could echo itself (to all clients). A client-only-thing needs the echo thing

  92. moparisthebest

    Right, but server just needs the echo thing, and any clients can use it for whatever protocol they want