[Standards-JIG] Re: Re: JEP-0077: In-Band Registration
Tijl Houtbeckers
thoutbeckers at splendo.com
Mon Jul 17 18:40:40 CDT 2006
On Tue, 18 Jul 2006 01:27:36 +0200, Ian Paterson
<ian.paterson at clientside.co.uk> wrote:
>>> That way, even if a hacker gains
>>> control of my machine, they'll have only the hash -- which makes it
>>> trivial for the hacker to log into my Jabber account of course, but at
>>> least the hacker won't be able to discover the plaintext (which I might
>>> have used for other accounts or whatever).
>>
>> Again, this only works if you're the only one doing it. If all jabber
>> servers do it, I can hack all your jabber accounts. If email people start
>> doing it, I can get your email. I think at one point in the edigest
>> thread someone even came up with the idea that by that time you can just
>> start hashing it twice (!)
>
> It doesn't matter if all clients use exactly the same trick for all
> servers as long as the JID (and "xmpp:") are used as a salt.
Yes, salting is part of the solution, as I already stated. If you read the
edigest discussion I linked to, what you suggest here was also already
proposed, and the advantages and disadvantages of this method were
discussed as well.
In the end username/realm based salting has some clear advantages over
others, and SASL/DIGEST-MD5 can support this already. I don't think it's
worth standardizing on an xmpp or even JID specific solution.
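As an added illustration of the point argued in this thread (it is not code from the thread or from any XMPP project), the block below derives a stored credential three ways over constructed sample accounts: an unsalted client-side hash, the username:realm:password hash that DIGEST-MD5 (RFC 2831) lets a server keep in place of the plaintext, and the "xmpp:" + JID salt from the quoted message. It then counts how many accounts a single leaked derived value would log into; account names, realms and passwords are made up.

```python
import hashlib


def _md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def unsalted(username: str, realm: str, password: str) -> str:
    """Plain client-side hash of the password: identical on every server
    where the same password is reused, so one leak unlocks all of them."""
    return _md5_hex(password)


def digest_md5_ha1(username: str, realm: str, password: str) -> str:
    """H(username:realm:password) as defined by DIGEST-MD5; the realm is the
    per-server salt that the thread says SASL already provides."""
    return _md5_hex(f"{username}:{realm}:{password}")


def jid_salted(username: str, realm: str, password: str) -> str:
    """XMPP-specific variant from the quoted message: "xmpp:" + JID as salt.
    Functionally the same idea as the realm salt, just bound to the JID."""
    return _md5_hex(f"xmpp:{username}@{realm}:{password}")


def accounts_unlocked_by(derive, accounts, leaked_index):
    """Return every account whose derived credential equals the one leaked
    from accounts[leaked_index], i.e. the blast radius of that single leak.
    The leaked account itself is always included, matching the thread's
    remark that the hash alone is enough to log into that one account."""
    leaked = derive(*accounts[leaked_index])
    return [acct for acct in accounts if derive(*acct) == leaked]


# Constructed sample data: one password reused on two services, plus an
# unrelated account on the first service.
SAMPLE_ACCOUNTS = [
    ("tijl", "jabber.example", "correct horse"),
    ("tijl", "mail.example", "correct horse"),
    ("ian", "jabber.example", "battery staple"),
]

if __name__ == "__main__":
    for name, fn in (("unsalted", unsalted), ("DIGEST-MD5 HA1", digest_md5_ha1),
                     ("JID-salted", jid_salted)):
        hit = accounts_unlocked_by(fn, SAMPLE_ACCOUNTS, 0)
        print(f"{name:15s} leak of account 0 unlocks {len(hit)} account(s)")
```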