-
moparisthebest
Good blog post directly applicable to sasl external auth in XMPP https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
-
moparisthebest
> Although X.509 certificates have been here for a while, they have become more popular for client authentication in zero-trust networks in recent years.
"Recent years" eh? XMPP was doing it right from the start :)
-
Zash
No no, mTLS is an amazing new invention, that we blatantly stole in 2003.
-
root
😂
-
moparisthebest
Would be fun to try the "I'm going to put a valid cert I own the key for first, and the stolen cert from https://prosody.im second, and try to s2s to servers as prosody.im" attack against various servers though
-
moparisthebest
fun but very annoying to try :'(
-
emus
moparisthebest: newsletter?
-
moparisthebest
It doesn't mention XMPP at all and unless you are a server developer you probably don't care, but, if you need filler then sure :)
-
emus
moparisthebest: does it affect xmpp? if so yes I would say
-
moparisthebest
> Would be fun to try the "I'm going to put a valid cert I own the key for first, and the stolen cert from https://prosody.im second, and try to s2s to servers as prosody.im" attack against various servers though
Good news, I tried this, using my certificate for *.moparisthe.best, and the certificate from https://prosody.im in the #2 position, to authenticate s2s using sasl external on:
1. my prosody
2. conversations.im (ejabberd)
3. sure.im (tigase)
4. igniterealtime.org (openfire)
and all of them did the right thing and didn't let me in :D
-
moparisthebest
If you have a different implementation listening on s2s that you want me to test, let me know; it was kind of annoying to set up.