XSF Discussion - 2020-12-08


  1. Holger

    SamWhited: I don't quite get the reasoning for prefering PLAIN over MD5 in <https://xmpp.org/extensions/xep-0438.html#pinning> (and in draft-ietf-kitten-password-storage-02).

  2. Zash

    RFC 6331 !

  3. SamWhited

    Holger: MD5 can be broken in a few minutes on a normal laptop and if you use it you can't hash the password on the server. Plain doesn't protect the password in transit (just like MD5) but the server can hash and compare against bcrypt or something, so it does protect it at rest.

  4. Holger

    All true of course, but this is about a client preference list, not about the question "should servers store clear-text", no?

  5. Holger

    I.e. are these reasonings relevant to the client in the situation where the server offers MD5 + PLAIN?

  6. SamWhited

    Yes. The client should prefer the thing that gives the server the flexibility to drop MD5 later.

  7. Holger

    That's the part I don't get, I guess :-)

  8. SamWhited

    Also it says not to support MD5 at all, so plain just wins by default

  9. Holger

    I half-get that part.

  10. SamWhited

    We're trying to make the upgrade path smooth. We can't necessarily guarantee that any given server is doing good things with our data, but we can at least encourage them not to do bad things by not supporting and using them ourselves.

  11. Holger

    Hm k, fair enough.

  12. SamWhited

    I should probably remove MD5 from that example ordering entirely; it's just there for the purpose of example while the actual normative text says not to use MD5 at all but it's probably confusing having it in a list

  13. jonas’

    with that line of argument, you should always use PLAIN, even if SCRAM is offered

  14. Holger

    That reasoning sounds a bit twisted to my ears.

  15. SamWhited

    jonas’: for hash agility? I tend to agree with that, but I know most people won't.

  16. Holger

    I'm not sure I like such twists in documents that make security recommendations. Esp. if those twists aren't made very explicit.

  17. SamWhited

    I should make it more explicit then. I don't think it's a twist though: MD5 is broken and deprecated, there is another RFC by experts that says so seems like a pretty straight forward reason not to use it to me.

  18. Holger

    Right now the reasoning reads bogus to me and reduces the confidence I have into those documents.

  19. jonas’

    then again, I also don’t understand why what a client uses (when faced with multiple choices) has any influence on what a server does

  20. jonas’

    assuming that PLAIN is not supported by clients because they always pick DIGEST-MD5 when faced with PLAIN + DIGEST-MD5 is not quite realistic

  21. SamWhited

    It has an influence when the server admin wants to upgrade but they have a hundred customers still using MD5 that they'd have to migrate and they decide not to bother.

  22. SamWhited

    But I agree it's not likely to happen in real life, and also the text that ranks them is literally just an example. I'll just remove MD5 from it entirely.

  23. Neustradamus

    SamWhited: We have already spoken about MD5 previously, I am very happy to see other people too :)

  24. Holger

    What I see in practice is effects such as: (1) Back in the days, people deemed MD5 more secure[tm] than PLAIN. So clients such as Psi disabled PLAIN by default, only allowing MD5. (2) Today, people read security docs such as yours and explicitly disable MD5 in ejabberd configs, PLAIN still being permitted. Result: Psi can no longer log in. Security win: Non-existent.

  25. Holger

    I'm all for security improvements. But only if they actually improve security.

  26. SamWhited

    Oh I see, that's where I disagree then. I think that is a good thing and we should be pushing for MD5 to be deprecated.

  27. SamWhited

    If it means ancient clients can't log in, so be it. Let's not let them hold us back from deprecating an actually broken mechanism.

  28. jonas’

    it’s not more broken than PLAIN though

  29. SamWhited

    It is more broken than plain because if servers support it they can't do any other sort of hashing.

  30. Holger

    In my scenario the client doesn't hold us back from anything. We just break auth for no reason at all.

  31. SamWhited

    With DIGEST-MD5 your security is just entirely broken. With PLAIN you at least get the same level of transport security as the web if you're using TLS, and at rest you get good hash agility and strong hashing.

  32. Holger

    In my scenario the server has plain-text passwords.

  33. jonas’

    SamWhited, ok, that’s not wrong, but that should go in server recommendations then, not client recommendations.

  34. Holger

    If the server only has hashes, MD5 will just not work anyway. That's fine and in that case there's nothing to discuss.

  35. Holger

    We're only talking about the scenario where the server has plain-text passwords.

  36. SamWhited

    That's a good idea, maybe it's in the wrong section. Client recommendations just say "Don't use MD5 and prefer SCRAM to plain" and server recommendations say "Don't support MD5, if you support plain use bcrypt" or something.

  37. SamWhited

    Holger: why does the server have plain-text passwords at all?

  38. Holger

    SamWhited: That question is entirely unrelated to the client preference list.

  39. Holger

    There's reasons for having plain-text passwords. Other services needing them anyway or whatever. Unrelated.

  40. Holger

    I'm obviously all for suggesting server admins to prefer hashing passwords _if_ they don't need clear-text.

  41. SamWhited

    I disagree, in most environments I believe that's an unacceptable way to do things. There may of course be super specific niche use cases for it, but this document is meant to be a general security document which can't cater to every niche use case or it would have to say "It's good to use TLS, but you don't have to, and it's good to have authentication at all, but you can trust the network or just everybody, etc."

  42. SamWhited

    These are best practices, not overall global rules and I think that's the only practical way to write a document like this.

  43. rion

    SamWhited: 👍

  44. Holger

    I work for a university and we're running various commercial software that requires clear-text passwords. I don't think we're super-niche. But that's all completely besides the point.

  45. SamWhited

    Again, that's fine, I just don't think a best practices document needs to cater to that

  46. Holger

    I disagree with documents having to be written like this, but whatever.

  47. SamWhited

    If it matters to you maybe it's worth bringing it up on the kitten list so the actual experts can weigh in?

  48. Holger

    Doesn't matter enough to me :-)

  49. Holger

    But thanks for your feedback, I might disagree but get your idea now.

  50. SamWhited

    For now based on this feedback I'm going to remove DIGEST-MD5/CRAM-MD5 from the example ordering because it seems to be confusing in general (some people didn't read the rest of the text and assumed that meant they should be supported, others just disagreed with the ordering somewhat like this even though it doesn't matter since they're just deprecated) and I'll re-evaluate what belongs in client/server best practices.

  51. SamWhited

    Thanks for bringing it up

  52. Holger

    👍 Removing it altogether makes more sense to me.

  53. Zash

    SCRAM-SHA-1 has been MTI in XMPP, and DIGEST-MD5 has been deprecated since 2011. I'm all in favor of considering it dead.

  54. rion

    regarding Psi doesn't login anymore. with which sasl mechanisms?

  55. rion

    SCRAM-SHA-1 works for years there..

  56. Holger

    rion: Yeah may well just be old versions affected.

  57. Holger

    And/or Tkabber?

  58. Holger

    Forgot.

  59. Holger

    I remember "allow plaintext auth: no" knobs in both, and in the past this meant "no PLAIN, just MD5".

  60. rion

    btw how to force ejabberd to offer other than scram-sha-1 scram mechs?

  61. rion

    > And/or Tkabber? I guess this one is really dead for years.

  62. Holger

    Other SCRAM mechanisms weren't supported until very recently (committed during the past few days).

  63. SamWhited

    Holger: out of curiosity, how did you handle supporting multiple SCRAM mechanisms? Only allow the one negotiated by the client or do you store multiple sets of SCRAM bits?

  64. SamWhited

    Or force dropping back to plain text storage?

  65. rion

    I always use ejabberd for all my local tests. So this is somewhat important to me :)

  66. Holger

    rion: Use the current Git code :-)

  67. Holger

    SamWhited: So far we (the code isn't by me) only store a single hash.

  68. Zash

    Same in prosody

  69. Holger

    So the client can only use that mechanism. Unless the admin has plain-text storage of course (which is still the default).

  70. SamWhited

    Okay, thanks. I'd be really curious if you have issues with eg. people who use Conversations and Dino and Converations logs in with SCRAM-SHA-256 first so now Dino can never log in again because it doesn't support it (it might, I have no idea, just an example)

  71. jonas’

    THE DEFAULT?

  72. jonas’

    SamWhited, it’s not so much about logging in as much as about what happens during initial account provisioning

  73. Holger

    SamWhited: I'm sure we'll run into those. Which is the reason I wasn't looking all that much forward to SRAM-XXX support.

  74. SamWhited

    Yah, I'm not a huge fan of SCRAM for this reason among others.

  75. jonas’

    and the problem with that is obviously that mechanisms are listed pre-auth, so there’s no way to do hash agility with scram without plain storage

  76. Zash

    jonas’, don't look at prosodys defaults

  77. jonas’

    Zash, I was under the impression that internal_hashed is the default nowadays?

  78. Zash

    jonas’, you can store multiple sets of hashes

  79. jonas’

    Zash, yeah, but you would’ve had to have those stored like 10 years ago

  80. Holger

    jonas': ejabberd support SIP by default, among other things :-)

  81. SamWhited

    I wrote eIBR with an aim to solve this somewhat, but it's still not great that we have to work around this with a separate protocol

  82. jonas’

    Holger, how’s that an excuse for storing plaintext by default?

  83. Holger

    SIP needs it?

  84. jonas’

    does it?

  85. Holger

    Yes.

  86. jonas’

    I don’t know SIP really, but I fail to imagine a protocol which forces plain-text credential storage on the server side

  87. Holger

    And so does TURN if you don't do XEP-0215, for example.

  88. Zash

    jonas’, default/template config file doesn't necessarily match the built-in defaults...

  89. jonas’

    Zash, ok, right, I judge by the default config file :)

  90. SamWhited

    Oof, both of these things hurt me.

  91. jonas’

    Holger, then again, I’m super tired and exhausted and maybe my imagination is just lacking

  92. Zash

    SamWhited: Aha! Revenge for your anti-SCRAM propaganda!!!1! :P

  93. Holger

    jonas': Well any protocol which does MD5 auth or something like that.

  94. SamWhited

    hah, fair enough. Jokes aside though, this sort of basic configuration and policy thing is how security issues happen. It's almost never a directed malicious actor you have to worry about, it's things that confuse the user or don't actually do what they say on the tin that causes someone to configure something badly,or they don't configure it and it's insecure by default and their database gets stolen or whatever

  95. Zash

    Holger, how do you deal with FIPS mode or whatsitcalled where even thinking "md5" gets you SIGKILL'd?

  96. jonas’

    Holger, right m(

  97. Holger

    jonas': I.e. "avoid transmitting plain-text password by transmitting a MAC/hash instead", which requires the clear-text password as input. A decade or two ago, everyone did that because security.

  98. Holger

    Zash: Er, there's something where leaving it to the admin isn't good enough?

  99. jonas’

    Holger, yeah, right, makes sense

  100. jonas’

    especially for stuff like SIP

  101. Zash

    Holger: Someone had trouble because Prosody uses md5 in a non-security thing and it would hit an assert or something in OpenSSL in FIPS mode because you're not allowed to touch it.

  102. Zash

    Much fun.

  103. Holger

    Ah eww.

  104. Zash

    Does anyone happen to have machine-readable compliance suite data?

  105. SamWhited

    {"compliance_suites": "https://xmpp.org/extensions/xep-0443.html"}

  106. SamWhited

    *ducks as things are thrown*

  107. SamWhited

    That would be nice to have.

  108. moparisthebest

    as we all know only XML is machine readable

  109. moparisthebest

    or... everything is machine readable given the right regex

  110. Zash

    define(brain, machine)

  111. SamWhited

    If "readable" is qualified by "given the right regex", pretty sure that makes XML unreadable.

  112. Zash

    Surely PCRE can do it

  113. Zash

    A thing that reads a DOAP and tells you what compliance level you're at would be nice

  114. SamWhited

    Fair. I'll move the goal posts and claim I always meant that "readable" includes "on a machine with finite memory" too then :)

  115. moparisthebest

    you can absolutely parse XML and even HTML with a regex

  116. wurstsalat

    Zash: Link Mauve worked on a DOAP parser afaik. For exactly that

  117. moparisthebest

    can != should though :)

  118. SamWhited

    moparisthebest: can you? Jokes aside, I think namespaces aren't regular and if you use PCRE you can define input that would result in very large expansions

  119. SamWhited

    But I dunno, haven't really thought about it, I think that's just an assumption I've had for a long time that I've never bothered to verify.

  120. SamWhited

    The internet suggets that I am wrong, but what does the internet know?

  121. moparisthebest

    I suspect you *could* fully support everything, you just wouldn't want to, but it works fine for simple cases

  122. SamWhited

    ahh, no, I know exactly why it's impossible: XML allows infinite nesting but the point of regular expressions it to be able to use finite automata ("finite" being the important part)

  123. SamWhited

    Anyways, sorry, stupid academic tangent that doesn't matter but is kind of interesting. Like you said: "don't do it"

  124. jonas’

    XML itself, namespaces or not, is not regular.

  125. jonas’

    many "regular expression" engines are also not regular though :)

  126. moparisthebest

    we need someone stubborn enough yet also well versed in sed enough to give it a go, if only we knew the guy who implemented an XMPP client in sed...

  127. jonas’

    if only!

  128. jonas’

    I do not interact with such crazyfolk!

  129. SamWhited

    Zash: to your original question, the XEP source might not be the worst thing in the world to parse? I mean, it's not ideal, but it's probably not too difficult to get the data out

  130. SamWhited

    I think the table layout is consistent between the various suites

  131. jonas’

    mostly, I think

  132. Zash

    5×2×2 CS sub-suites :|

  133. Алексей

    In regards to SCRAM support in SIP: I started looking at writing an IETF draft on this. (@Neustradamus was talking to me about this for quite some time now.) I can't say how much interest there would be in IETF for this.

  134. Алексей

    I really need to rename my nick. I am Alexey Melnikov

  135. SamWhited

    Алексей: I keep meaning to ask you, are you thinking about submitting your SCRAM-SASL-3 and SHA-512 drafts to the working group or are you going the self-publishing route with those?

  136. Kev

    I'm not 100% what trolling is, but I fear I may have just done it.

  137. Kev bimbles off to bed before anyone notices.