22 Oct
2025
22 Oct
'25
10:24 p.m.
Sorry for not chiming in earlier. I've been very busy lately.
Channel-binding in the xmpp-ecosystem is currently only widely deployed
through SCRAM (even though some PAKE mechanism could be used with channel-
binding, too). So I will only cover the SCRAM case here.
In SCRAM (RFC 5802) the client-first-message contains 3 possible values in the
GSS-header part:
1. y - The client would have used channel-binding, but the server did not offer
any.
2. n - The client does not support channel-binding (even if the server offered
any).
3. p=<cb-name> - The name of the channel-binding, the client wants to use.
The RFC explains, that sending "y" when the server advertised channel-binding
support is to be used as a MITM-detection:
An attacker stripping out all *-PLUS variants can be detected this way (the
server knows it advertised them and the client says via "y", that it would
have used them if it saw them, so the server can abort the authentication in
this case).
This works reasonably well, if there is only one single channel-binding
possible. But that's the exact assumption this XEP is going to change:
it is possible to advertise a list of different channel-bindings for the client
to choose. That's good for protocol agility, something that's important enough
to have algorithm negotiation in TLS, for example. I think we all can agree
here, that protocol agility is important and so this XEP is needed.
So now we have a problem: what to do if the server advertised a list of
channel-binding algorithms, but the client doesn't support any of these?
In the non-attacker case, the client can't send "y" in the GSS-header,
because
the server would then abort the authentication because it advertised channel-
bindings. But sending "n" and continuing without channel-binding is fine in
this case.
This isn't fully hypothetical. An older client might only support tls-unique,
while the server only advertises tls-exporter (which can be used for tls 1.2,
too, if the extended master secret is used).
Blocking the connection entirely is of course at the discretion of the client
developer, but it hinders interoperability, especially while phasing out one
channel-binding-type and introducing a new one.
Now the attacker case: Any MITM-attacker could just manipulate the list of
channel-bindings advertised using this XEP to just list some dummy mechanisms
(or mechanisms they know the client doesn't support). That would successfully
downgrade the client to non-channel-binding, if the client still sent "n" as
above. The client won't be able to distinguish the attacker case from the non-
attacker one.
How to fix this while not hindering interoperability? Implementing XEP-0474 is
one option (and an even better one). But for defence-in-depth and to support
cases when this isn't possible (for example when the SCRAM library used
doesn't support adding optional attributes), a few years back I proposed to
add a countermeasure to this XEP (the part we are discussing in this thread):
Having a MUST to implement and advertise tls-server-end-point when advertising
channel-binding types using this XEP.
Tls-server-end-point is the lowest denominator that can be implemented by
virtually everyone and even though it isn't as strong as tls-exporter or tls-
unique, it still catches many attacks (it would have detected the jabber.ru
one, for example).
Now with this MUST in place, a client seeing a list without tls-sever-end-
point advertised, immediately knows, that some attacker tampered with the list
of channel-bindings and can abort the authentication. It never needs to send
"n" even though it supports channel-binding and can still safely send
"y" if
it doesn't see any *-PLUS variants and channel-bindings announced. (Short
note: making this a SHOULD or MAY contradicts this, it has to be a MUST here.)
Note: I do not have any objection to move that MUST into another section of
the XEP if you think, that the Security Considerations section is the wrong
place for this. And I equally don't object adding more explanation why this
MUST is necessary to the XEP as well.
Additional note: no, I completely disagree with Daniel's opinion that we will
eventually be able to have channel binding enabled by default at all times for
the same reasons Holger has, but that's off-topic.
-tmolitor
Am Mittwoch, 22. Oktober 2025, 13:29:38 CEST schrieb Florian Schmaus:
I am going to reply to Dave's post in an attempt
to get the discussion
back on track. Because, right now, it got a bit derailed by the
assumption that XEP-0440 requires tls-server-endpoint just for the sake
of it (at least, that is my impression).
On 20/10/2025 12.46, Dave Cridland wrote:
Yes, the MTI advice in this document is indeed a
bit weird. tls-server-
endpoint is MUST, but with little background information,
Actually the rationale for doing so is provided in the beginning of the
"Security Considerations" section (right before the tls-server-endpoint
requirement is stated).
IIRC ca. 2022 Thilo (in CC) made a case that a mutual shared cb-type
improves the security. And the lowest common denominator simply is
tls-server-endpoint, which is what we want servers to support and
annouce to achieve the goal of a mutual shared cb-type. If a am not
mistaken, this was also discussed on the standard@ mailing list.
Reading the current last call discussion, I don't get the impression
that this previous discussion and the provided arguments are taken into
account.
Don't get me wrong. I do not plan to object whatever decision we are
going to make. But those who want to change the XEP (again) should
explain why the arguments back then are not, or no longer, valid.
but it then goes on to say that tls-exporter is
preferable.
It is preferable, isn't it?
- Flow