[Operators] Suspicion of Jabbim services being hacked

Dave Cridland dave at cridland.net
Fri Dec 19 23:22:19 UTC 2014


On 19 December 2014 at 22:55, Dave Cridland <dave at cridland.net> wrote:
>
>
> On 19 Dec 2014 22:12, "Waqas Hussain" <waqas20 at gmail.com> wrote:
> >
> > On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith <kevin.smith at isode.com> wrote:
> >>
> >> On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathieui at mathieui.net> wrote:
> >> >
> >> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
> >> >> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com> wrote:
> >> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
> >> >>>> Hi all,
> >> >>>> thought it would be interesting to the audience of this mailing list.
> >> >>>>
> >> >>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> >> >>>>
> >> >>>> Best regards,
> >> >>>>
> >> >>> Another great example of why you should ditch DIGEST-MD5 and store your passwords as SCRAM bits.
> >> >>>
> >> >>> —Sam
> >> >>>
> >> >> It feels like we should do something like the encryption push, but for non-plaintext passwords.
> >> >
> >> > Do we have any statistics (e.g. on jabber.org) about what proportion of clients do not support any other mechanisms than PLAIN and DIGEST-MD5? (though yes, PLAIN works well with hashed passwords, but should still be avoided whenever possible)
> >> >
> >> > That would be enlightening.
> >>
> >> While I can’t say anything about clients not supporting stuff, obviously, clients choosing DIGEST are four times more numerous than clients choosing SCRAM, six times more numerous than those choosing PLAIN, and a small number do 78 auth and CRAM-MD5.
> >>
> >> /K
> >
> >
> > Thanks Kev. How hard would it be to get metrics on clients and client versions (either overall, or DIGEST-MD5 specific)?
> >
>
> I don't know how many of the digest clients would fall back to plain, but I suppose we can find that out.
>
> In any case, I think I could write a component that would watch the logs and send version requests to the clients as they connect, sorting metrics in a database. I suspect it's easy enough for anyone to do, given the log format information.
>
> > I expect only a handful of clients are likely responsible for 90% of the user base. Depending on actual metrics, we could conceivably arrange hackathons, bounties and general evangelism.
> >
>
> Indeed.
>
> > A bigger issue than getting the code written would be getting the code deployed. Note, SCRAM-hashed password storage does not require clients to use SCRAM, as PLAIN is still possible (though expensive).
> >
> > I know that some smaller (few hundred users) deployments have seen success with evangelism (just describing the issue and asking users to upgrade apparently works well). A related issue is users being stuck on older client versions because of using distro provided packages. Particularly users who like LTS releases.
> >
>
> I suspect that users might be motivated quite well to encourage the distros to upgrade clients. The combination of old specification and plaintext passwords are easy concepts to get across. We have a board full of technical marketing types, a clear message, and in theory we can use MOTD based campaigns to ensure the message reaches users.
>

A clear message like this, perhaps:

http://wiki.xmpp.org/web/Plain_Stupid

(Yeah, everything needs a catchy name these days).

> > --
> > Waqas Hussain
> >
>
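As an added illustration of the password-storage point discussed in the thread (this is example code written for this page, not code from the thread, from Jabbim, from jabber.org, or from any XMPP server), the block below shows what a server must keep for each mechanism and why that matters when the user database leaks. A DIGEST-MD5 server has to hold HA1 = MD5(username:realm:password), which is enough to complete DIGEST-MD5 as that user, so the stored value is password-equivalent. A SCRAM-SHA-1 server holds only salt, iteration count, StoredKey and ServerKey (RFC 5802), and can still verify a SASL PLAIN login against that record by re-running the deliberately slow key derivation, which is the "PLAIN is still possible (though expensive)" path. The username, realm and password are constructed for the example; the default nonces are the RFC 5802 test-vector values; the message framing follows RFC 5802 section 3 with the channel-binding attribute fixed at `c=biws` (base64 of "n,,").

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for this example (not real accounts).
USERNAME = "alice"
REALM = "example.net"
PASSWORD = "correct horse"


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi(): PBKDF2 with HMAC-SHA-1 for SCRAM-SHA-1."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def scram_store(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> dict:
    """What a SCRAM-SHA-1 server stores per user: salt, iteration count,
    StoredKey = H(ClientKey) and ServerKey. Neither the password nor
    SaltedPassword is kept."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }


def verify_plain(record: dict, password: str) -> bool:
    """SASL PLAIN checked against a SCRAM record: rerun Hi() with the stored
    salt and iteration count and compare H(ClientKey) to StoredKey. The cost
    is one full PBKDF2 run per login attempt."""
    salted = hi(password.encode("utf-8"), record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])


def digest_md5_store(username: str, realm: str, password: str) -> bytes:
    """What a DIGEST-MD5 server must store to avoid keeping the plaintext:
    HA1 = MD5(username:realm:password). Holding HA1 is sufficient to complete
    DIGEST-MD5 as that user, so a leaked table is password-equivalent."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_exchange(record: dict, password: str,
                   cnonce: str = "fyko+d2lbbFgONRv9qkxdawL",
                   snonce: str = "3rfcNHYJY1ZVvWVs7j") -> bool:
    """One SCRAM-SHA-1 round trip. The client side knows only the password;
    the server side knows only `record`. Returns True if the server accepts
    the client proof and the client accepts the server signature."""
    nonce = cnonce + snonce
    client_first_bare = f"n={USERNAME},r={cnonce}"
    server_first = (f"r={nonce},s={base64.b64encode(record['salt']).decode()},"
                    f"i={record['iterations']}")
    client_final_without_proof = f"c=biws,r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_without_proof}".encode()

    # Client: derive keys from the password plus the server-supplied salt/iterations.
    salted = hi(password.encode("utf-8"), record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_proof = xor_bytes(client_key, client_signature)

    # Server: recover ClientKey from the proof using only StoredKey, then check H(ClientKey).
    server_side_signature = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    recovered_client_key = xor_bytes(client_proof, server_side_signature)
    if not hmac.compare_digest(hashlib.sha1(recovered_client_key).digest(), record["stored_key"]):
        return False

    # Server proves possession of ServerKey; client checks it against its own derivation.
    server_signature = hmac.new(record["server_key"], auth_message, hashlib.sha1).digest()
    expected = hmac.new(hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
                        auth_message, hashlib.sha1).digest()
    return hmac.compare_digest(server_signature, expected)


if __name__ == "__main__":
    rec = scram_store(PASSWORD)
    print("PLAIN verified against SCRAM record:", verify_plain(rec, PASSWORD))
    print("SCRAM-SHA-1 exchange succeeded:", scram_exchange(rec, PASSWORD))
    print("DIGEST-MD5 must store HA1:", digest_md5_store(USERNAME, REALM, PASSWORD).hex())
```

The contrast worth noting is what an attacker gets from each table. The DIGEST-MD5 HA1 can be replayed into a DIGEST-MD5 login directly. The SCRAM record contains no ClientKey, only its SHA-1 image, so it cannot be used as-is to complete either PLAIN or SCRAM; what remains is an offline guessing attack against the salted PBKDF2 output, which is exactly what the iteration count is there to slow down.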