[jdev] GSSAPI and service hostname

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Thu Jan 15 13:30:09 CST 2009

On Thursday 15 January 2009 10:02:24 Matthew A. Miller wrote:
> Besides, XEP-233 isn't any more secure than the SRV lookup.
> *  If you trust the XEP-233 result because you've got a secure channel
> (STARTTLS) and trusted their certificate, then why can't you now trust
> the SRV result?

Hmm, this is an interesting question.

TLS validates the XMPP domain, not the connect host found in the SRV result.  
So an attacker could feed you an incorrect SRV result here, and then route 
your traffic (as-is, not attacking TLS) to the real XMPP server.  This would 
be enough for an attacker to cause you to use the wrong host in the Kerberos 

However, it's not clear to me if there is a real attack here.  With the wrong 
host, you may obtain a wrong Kerberos ticket but you'll attempt to use it 
with the "right" host which will result in a failed authentication (a DoS).  
Maybe if the "right" host has multiple host keys for the "xmpp" service, the 
attacker could cause you to successfully authenticate to the wrong XMPP host?  
Well, whether that attack is really a problem or not, at least XEP-233 does 
close it off.


More information about the JDev mailing list