[Operators] Suspicion of Jabbim services being hacked

Waqas Hussain waqas20 at gmail.com
Fri Dec 19 21:55:17 UTC 2014


On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith <kevin.smith at isode.com> wrote:
>
> On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathieui at mathieui.net> wrote:
> >
> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
> >> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com> wrote:
> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
> >>>> Hi all,
> >>>> thought it would be interesting to the audience of this mailinglist.
> >>>>
> >>>>
> >>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> >>>>
> >>>> Best regards,
> >>>>
> >>> Another great example of why you should ditch DIGEST-MD5 and store your
> >>> passwords as SCRAM bits.
> >>>
> >>> —Sam
> >>>
> >> It feels like we should do something like the encryption push, but for
> >> non-plaintext passwords.
> >
> > Do we have any statistics (e.g. on jabber.org) about what proportion of
> > clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
> > (though yes, PLAIN works well with hashed passwords, but should still be
> > avoided whenever possible)
> >
> > That would be enlightening.
>
> While I can’t say anything about clients not supporting stuff, obviously,
> clients choosing DIGEST are four times more numerous than clients choosing
> SCRAM, six times more numerous than those choosing PLAIN, and a small
> number do 78 auth and CRAM-MD5.
>
> /K


Thanks Kev. How hard would it be to get metrics on clients and client
versions (either overall, or DIGEST-MD5 specific)?

I expect only a handful of clients are likely responsible for 90% of the
user base. Depending on actual metrics, we could conceivably arrange
hackathons, bounties and general evangelism.

A bigger issue than getting the code written would be getting the code
deployed. Note, SCRAM-hashed password storage does not require clients to
use SCRAM, as PLAIN is still possible (though expensive).

I know that some smaller (few hundred users) deployments have seen success
with evangelism (just describing the issue and asking users to upgrade
apparently works well). A related issue is users being stuck on older
client versions because of using distro provided packages. Particularly
users who like LTS releases.

--
Waqas Hussain
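Added illustration (example code, written for this archive page; it is not from any participant in the thread and not from any XMPP server project) of the two points the thread makes: storing credentials as "SCRAM bits" instead of the password-equivalent secret that DIGEST-MD5 needs, and the fact that a SCRAM-hashed record still allows PLAIN logins at the cost of re-running the key derivation on every attempt. The functions follow RFC 5802 (SCRAM-SHA-1); the salt and AuthMessage values are constructed and the function names are this example's own.

```python
"""SCRAM-SHA-1 credential storage (RFC 5802) with a PLAIN fallback check.

Constructed example: the salt and AuthMessage used below are made-up values.
"""
import hashlib
import hmac
import os
from typing import Optional

HASH = "sha1"  # SCRAM-SHA-1, the SCRAM variant XMPP servers offered in 2014


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive_keys(password: str, salt: bytes, iterations: int):
    """SaltedPassword -> ClientKey, StoredKey, ServerKey (RFC 5802 section 3).
    The PBKDF2 step is the expensive part; everything after it is cheap."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return client_key, stored_key, server_key


def scram_store(password: str, iterations: int = 4096,
                salt: Optional[bytes] = None) -> dict:
    """The record the server keeps: salt, iteration count, StoredKey, ServerKey.
    No plaintext password and no value that can be replayed as the client."""
    salt = salt if salt is not None else os.urandom(16)
    _, stored_key, server_key = _derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def verify_plain(record: dict, password: str) -> bool:
    """PLAIN login against a SCRAM record: the server repeats the full PBKDF2
    derivation on every attempt, which is why the thread calls it expensive."""
    _, stored_key, _ = _derive_keys(password, record["salt"], record["iterations"])
    return hmac.compare_digest(stored_key, record["stored_key"])


def scram_client_proof(password: str, salt: bytes, iterations: int,
                       auth_message: bytes) -> bytes:
    """Client side of SCRAM: needs the password, emits ClientProof."""
    client_key, stored_key, _ = _derive_keys(password, salt, iterations)
    client_signature = hmac.new(stored_key, auth_message, HASH).digest()
    return _xor(client_key, client_signature)


def verify_scram(record: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """Server side of SCRAM: one HMAC and one hash, no PBKDF2, using only StoredKey."""
    client_signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    client_key = _xor(client_proof, client_signature)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])


def digest_md5_secret(username: str, realm: str, password: str) -> str:
    """Contrast: DIGEST-MD5 (RFC 2831) requires the server to hold either the
    plaintext or MD5(username:realm:password), the value every response is built
    from. A leaked copy of that value is as good as the password for this realm,
    which is the weakness the thread's first reply points at."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


# Constructed AuthMessage (client-first-bare, server-first, client-final-without-proof).
AUTH_MESSAGE = b"n=alice,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce"

if __name__ == "__main__":
    rec = scram_store("correct horse battery staple")
    proof = scram_client_proof("correct horse battery staple", rec["salt"],
                               rec["iterations"], AUTH_MESSAGE)
    print("SCRAM login accepted:", verify_scram(rec, AUTH_MESSAGE, proof))
    print("PLAIN login accepted:", verify_plain(rec, "correct horse battery staple"))
    print("PLAIN wrong password:", verify_plain(rec, "hunter2"))
```

The asymmetry is the practical takeaway: with SCRAM records on disk, a client that only speaks PLAIN still works (over TLS, the server sees the password once and derives the keys), while a client that speaks SCRAM never sends the password and the server verifies it with a single HMAC. The cost of the PLAIN path scales with the iteration count, so servers that expect many PLAIN-only clients have to balance iteration count against login load.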