[Operators] Suspicion of Jabbim services being hacked

Dave Cridland dave at cridland.net
Fri Dec 19 20:40:12 UTC 2014


On 19 December 2014 at 20:18, Kevin Smith <kevin.smith at isode.com> wrote:
>
> On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathieui at mathieui.net> wrote:
> >
> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
> >> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com> wrote:
> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
> >>>> Hi all,
> >>>> thought it would be interesting to the audience of this mailing list.
> >>>>
> >>>>
> >>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> >>>>
> >>>> Best regards,
> >>>>
> >>> Another great example of why you should ditch DIGEST-MD5 and store your
> >>> passwords as SCRAM bits.
> >>>
> >>> —Sam
> >>>
> >> It feels like we should do something like the encryption push, but for
> >> non-plaintext passwords.
> >
> > Do we have any statistics (e.g. on jabber.org) about what proportion of
> > clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
> > (though yes, PLAIN works well with hashed passwords, but should still be
> > avoided whenever possible)
> >
> > That would be enlightening.
>
> While I can’t say anything about clients not supporting stuff, obviously,
> clients choosing DIGEST are four times more numerous than clients choosing
> SCRAM, six times more numerous than those choosing PLAIN, and a small
> number do 78 auth and CRAM-MD5.
>
>
Thanks.

So unlike the campaign about TLS, this one is really aimed primarily at the
clients, then. Probably one to discuss at the Summit?


> /K
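The difference Sam is pointing at in the thread above, shown as an added example (this code is not part of the mailing-list thread and is not any XMPP server's implementation): a server that offers DIGEST-MD5 has to keep the password or its unsalted HA1 = MD5(username:realm:password), which is plaintext-equivalent for that realm, whereas a SCRAM-SHA-1 server stores only a per-user salt, an iteration count, StoredKey and ServerKey, and can still verify a client proof without ever holding the password. The salt, the iteration count and the AuthMessage string below are constructed test values; the real SCRAM AuthMessage is assembled from the actual exchange and the password is SASLprep-normalized, both of which are skipped here for brevity.

```python
import hashlib
import hmac
import os

# --- DIGEST-MD5 (RFC 2831): what the server has to keep ---
def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """HA1 = MD5(username:realm:password).

    A server offering DIGEST-MD5 must store the password or this value.
    HA1 is unsalted, costs one MD5 per guess to brute-force, and anyone who
    reads it from a compromised database can authenticate as the user.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


# --- SCRAM-SHA-1 (RFC 5802): what the server stores instead ---
def scram_stored_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """Derive the record a SCRAM server keeps for one user.

    SaltedPassword = PBKDF2-HMAC-SHA1(password, salt, iterations)
    ClientKey      = HMAC(SaltedPassword, "Client Key")
    StoredKey      = H(ClientKey)
    ServerKey      = HMAC(SaltedPassword, "Server Key")
    Only salt, iterations, StoredKey and ServerKey are persisted; the
    password and SaltedPassword are discarded.
    """
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }


def scram_client_proof(password: str, salt: bytes, iterations: int,
                       auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_verify(creds: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey).

    Uses only the stored record; the password is never needed.
    """
    client_sig = hmac.new(creds["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), creds["stored_key"])


def scram_server_signature(creds: dict, auth_message: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage), sent back so the
    client can confirm it is talking to a server holding the real record."""
    return hmac.new(creds["server_key"], auth_message, hashlib.sha1).digest()


if __name__ == "__main__":
    # Constructed demo values (not real credentials or a captured exchange).
    salt = os.urandom(16)
    creds = scram_stored_credentials("correct horse battery", salt, 4096)
    # In real SCRAM this is client-first-bare,server-first,client-final-without-proof.
    auth_message = b"n=alice,r=cnonce,r=cnoncesnonce,s=...,i=4096,c=biws,r=cnoncesnonce"
    proof = scram_client_proof("correct horse battery", salt, 4096, auth_message)
    print("good password verifies:", scram_verify(creds, auth_message, proof))
    bad = scram_client_proof("wrong", salt, 4096, auth_message)
    print("wrong password verifies:", scram_verify(creds, auth_message, bad))
    print("HA1 (unsalted, same for every server in the realm):",
          digest_md5_ha1("alice", "example.com", "correct horse battery").hex())
```

The practical consequence for an operator: a leaked SCRAM table costs an attacker `iterations` PBKDF2 rounds per guess per user (because of the per-user salt), while a leaked DIGEST-MD5 table costs one MD5 per guess and is directly usable for login. The two cannot coexist for the same password hash, which is why the thread frames this as a client-side migration away from DIGEST-MD5.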