[Operators] Suspicion of Jabbim services being hacked

Kevin Smith kevin.smith at isode.com
Fri Dec 19 20:18:00 UTC 2014


On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathieui at mathieui.net> wrote:
> 
> On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
>> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com> wrote:
>>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
>>>> Hi all,
>>>> thought it would be interesting to the audience of this mailinglist.
>>>> 
>>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
>>>> 
>>>> Best regards,
>>>> 
>>> Another great example of why you should ditch DIGEST-MD5 and store your
>>> passwords as SCRAM bits.
>>> 
>>> —Sam
>>> 
>> It feels like we should do something like the encryption push, but for
>> non-plaintext passwords.
> 
> Do we have any statistics (e.g. on jabber.org) about what proportion of
> clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
> (though yes, PLAIN works well with hashed passwords, but should still be
> avoided whenever possible)
> 
> That would be enlightening.

While I can’t say anything about clients not supporting stuff, obviously, clients choosing DIGEST are four times more numerous than clients choosing SCRAM, six times more numerous than those choosing PLAIN, and a small number do 78 auth and CRAM-MD5.

/K

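What "store your passwords as SCRAM bits" means in practice, as an added example that is not part of this thread: a server keeps only salt, iteration count, StoredKey and ServerKey (RFC 5802) and can still verify a client's proof, while the best a DIGEST-MD5 server can do is keep HA1 (RFC 2831), which is password-equivalent. The sample password, salt and AuthMessage are constructed for the demo.

```python
import hashlib
import hmac


def scram_store(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What a SCRAM-SHA-1 server stores. SaltedPassword is derived and dropped."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),  # H(ClientKey)
            "server_key": server_key}


def scram_client_proof(password: str, record: dict, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) ==
    StoredKey. A leaked StoredKey cannot by itself produce a valid proof."""
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """DIGEST-MD5 servers must keep plaintext or this HA1; holding HA1 is
    enough to authenticate as the user, so a database leak is a credential leak."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


if __name__ == "__main__":
    salt = b"constructed-salt"                      # constructed sample values
    record = scram_store("correct horse battery", salt)
    auth_message = (b"n=alice,r=cnonce,"            # client-first-bare
                    b"r=cnoncesnonce,s=Y29uc3RydWN0ZWQtc2FsdA==,i=4096,"
                    b"c=biws,r=cnoncesnonce")       # client-final-without-proof
    proof = scram_client_proof("correct horse battery", record, auth_message)
    print("valid proof accepted:", scram_verify(record, auth_message, proof))
    print("wrong password rejected:", not scram_verify(
        record, auth_message, scram_client_proof("guess", record, auth_message)))
```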