[Operators] Suspicion of Jabbim services being hacked

Phil Pennock xmpp-operators+phil at spodhuis.org
Sat Dec 20 09:15:59 UTC 2014


On 2014-12-19 at 21:43 -0500, Sam Whited wrote:
> Sounds good; step two is to convince TLS stack maintainers to actually
> give us access to the client final message so we can do `tls-uniqe'
> channel binding without resorting to bundling our own TLS stacks
> (seriously; everything uses tls-unique for channel binding, and it seems
> like very few stacks actually give you access to the info you need for it).

Probably because the Triple Handshakes Considered Harmful paper from
earlier this year showed that using only the final message for channel
binding was broken and vulnerable, so there are IETF drafts for fixes to
TLS to provide something which actually offers a non-forgeable identity
for channel binding but nothing concrete yet (when I last checked, which
was a little while back now).

https://secure-resumption.com/

-Phil


More information about the Operators mailing list