[Operators] Suspicion of Jabbim services being hacked

Mathieu Pasquet mathieui at mathieui.net
Fri Dec 19 19:36:13 UTC 2014


On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com> wrote:
> > On 12/19/2014 09:24 AM, Peter Viskup wrote:
> > > Hi all,
> > > thought it would be interesting to the audience of this mailing list.
> > >
> > > http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> > >
> > > Best regards,
> > >
> > Another great example of why you should ditch DIGEST-MD5 and store your
> > passwords as SCRAM bits.
> >
> > —Sam
> >
> It feels like we should do something like the encryption push, but for
> non-plaintext passwords.

Do we have any statistics (e.g. on jabber.org) about what proportion of
clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
(though yes, PLAIN works well with hashed passwords, but should still be
avoided whenever possible)

That would be enlightening.

-- 
mathieui
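
Added example, not part of the original message or of any server's code: a SCRAM-SHA-1 credential record as defined in RFC 5802, checked against both a SCRAM client proof and a PLAIN password, which is the "PLAIN works well with hashed passwords" case mentioned above. The function names and record layout are assumptions, SASLprep is skipped (ASCII password assumed), and the sample exchange is the test vector from RFC 5802 section 5.

```python
import base64, hashlib, hmac, os

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def make_record(password, salt=None, iterations=4096):
    """What the server keeps instead of the password (RFC 5802 names)."""
    salt = salt or os.urandom(16)
    # Hi() in RFC 5802 is PBKDF2-HMAC-SHA-1 with a 20-byte output.
    # Assumption: password is already SASLprep-normalised (plain ASCII here).
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(_hmac(salted, b"Client Key")).digest(),
            "server_key": _hmac(salted, b"Server Key")}

def verify_plain(record, password):
    """PLAIN: password arrives in the clear (TLS only), so re-derive and compare."""
    candidate = make_record(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate["stored_key"], record["stored_key"])

def verify_scram(record, auth_message, proof_b64):
    """SCRAM: only ClientProof = ClientKey XOR ClientSignature crosses the wire."""
    try:
        proof = base64.b64decode(proof_b64, validate=True)
    except ValueError:
        return False
    signature = _hmac(record["stored_key"], auth_message)
    if len(proof) != len(signature):
        return False
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

def server_signature(record, auth_message):
    """Sent back so the client can check that the server holds the record too."""
    return base64.b64encode(_hmac(record["server_key"], auth_message)).decode()

# Test exchange from RFC 5802 section 5 (user "user", password "pencil").
RFC_RECORD = make_record("pencil", base64.b64decode("QSXCR+Q6sek8bf92"), 4096)
RFC_AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")
RFC_CLIENT_PROOF = "v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="

if __name__ == "__main__":
    print("SCRAM proof accepted:", verify_scram(RFC_RECORD, RFC_AUTH_MESSAGE, RFC_CLIENT_PROOF))
    print("PLAIN accepted:", verify_plain(RFC_RECORD, "pencil"))
    print("server signature:", server_signature(RFC_RECORD, RFC_AUTH_MESSAGE))
```

A stolen record still allows offline password guessing, which the salt and iteration count slow down; it does not contain the password or the ClientKey needed to answer a SCRAM challenge directly.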