[Operators] Suspicion of Jabbim services being hacked
Cesar Alcalde
lambda512 at gmail.com
Sat Dec 20 12:51:38 UTC 2014
On 19/12/14 at 22:55, Waqas Hussain wrote:
> On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith <kevin.smith at isode.com> wrote:
>
> On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathieui at mathieui.net> wrote:
> >
> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
> >> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com> wrote:
> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
> >>>> Hi all,
> >>>> thought it would be interesting to the audience of this mailing list.
> >>>>
> >>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> >>>>
> >>>> Best regards,
> >>>>
> >>> Another great example of why you should ditch DIGEST-MD5 and store your
> >>> passwords as SCRAM bits.
> >>>
> >>> —Sam
> >>>
> >> It feels like we should do something like the encryption push, but for
> >> non-plaintext passwords.
> >
> > Do we have any statistics (e.g. on jabber.org) about what proportion of
> > clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
> > (though yes, PLAIN works well with hashed passwords, but should still be
> > avoided whenever possible)
> >
> > That would be enlightening.
>
> While I can’t say anything about clients not supporting stuff,
> obviously, clients choosing DIGEST are four times more numerous
> than clients choosing SCRAM, six times more numerous than those
> choosing PLAIN, and a small number do 78 auth and CRAM-MD5.
>
> /K
>
>
> Thanks Kev. How hard would it be to get metrics on clients and client
> versions (either overall, or DIGEST-MD5 specific)?
>
> I expect only a handful of clients are likely responsible for 90% of
> the user base. Depending on actual metrics, we could conceivably
> arrange hackathons, bounties and general evangelism.
>
> A bigger issue than getting the code written would be getting the code
> deployed. Note, SCRAM-hashed password storage does not require clients
> to use SCRAM, as PLAIN is still possible (though expensive).
>
> I know that some smaller (few hundred users) deployments have seen
> success with evangelism (just describing the issue and asking users to
> upgrade apparently works well). A related issue is users being stuck
> on older client versions because of using distro provided packages.
> Particularly users who like LTS releases.
>
> --
> Waqas Hussain
>
Some stats for JabberES.org, with about half the online users of peak hours:

psi/psi+ 84 (I think that no released version of Psi supports SCRAM, only Psi+ since 2013)
  0.16.xxx - 17 (Psi+)
  0.15 - 38
  0.14 - 19
  0.12 - 2
  0.11 - 1
  0.10 - 6
  0.9.3 - 1
pidgin 82 (SCRAM added in 2.7.6, released 11/21/2010)
  2.10.x - 80
  2.7.5 - 1
  2.7.1 - 1
gajim 21 (SCRAM added in 0.14, 02 September 2010)
  0.16 - 4
  0.15.x - 8
  0.14.x - 3
  0.13.x - 3
  0.12.x - 3
pandion 4 (SCRAM added in 2.6.106, 22nd April 2010)
  2.6.106 - 2
  2.5 - 2
miranda 6 (SCRAM added in December 2010)
  0.10.24 - 1
  0.10.23 - 1
  0.10.22 - 2
  0.10.18 - 1
  0.94.2.3876 - 1 (Miranda NG)
unknown 8 (no idea if they support SCRAM)
  Based on QXmpp - 2
  yaxim - 1
  jTalk - 1
  irssi-xmpp - 1
  imagent - 1
  Jabify - 1
  BayanICQ - 1
bitlbee 6 (no idea if it supports SCRAM)
  3.2.x - 6
telepathy-gabble 2 (support since 0.9.13)
  0.18 - 2
adium 1
  1.5.10 (libpurple 2.10.9) - 1
trillian 1 (no idea if it supports SCRAM)
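The two points made in the quoted replies, storing "SCRAM bits" instead of a password-equivalent and still accepting PLAIN logins against them, in working form. This is an added example for this archive page, not code from any of the posters or from any XMPP server; the salt, password and nonces are constructed, and the derivation follows RFC 5802 (SCRAM-SHA-1).

```python
"""Server-side SCRAM-SHA-1 credential storage (RFC 5802) and the two ways a
server can check a login against it: a PLAIN password or a SCRAM proof."""
import base64
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredCreds:
    """The 'SCRAM bits' a server keeps instead of the password itself."""
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey): cannot be replayed as a login without the password
    server_key: bytes  # used for the server's own proof back to the client

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2-HMAC-SHA-1 with a 20-byte output."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 20)

def scram_store(password: str, salt: bytes, iterations: int = 4096) -> StoredCreds:
    """Derive the stored record once, when the password is set."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return StoredCreds(salt, iterations, hashlib.sha1(client_key).digest(), server_key)

def verify_plain(creds: StoredCreds, password: str) -> bool:
    """PLAIN login against SCRAM bits: repeat the whole (expensive) derivation."""
    rebuilt = scram_store(password, creds.salt, creds.iterations)
    return hmac.compare_digest(rebuilt.stored_key, creds.stored_key)

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    client_sig = hmac.new(hashlib.sha1(client_key).digest(), auth_message, hashlib.sha1).digest()
    return bytes(k ^ s for k, s in zip(client_key, client_sig))

def verify_scram_proof(creds: StoredCreds, auth_message: bytes, proof: bytes) -> bool:
    """Server side: XOR the proof with its own signature and check H(ClientKey)."""
    client_sig = hmac.new(creds.stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(p ^ s for p, s in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), creds.stored_key)

# Constructed sample record and AuthMessage (made-up salt and nonces, RFC 5802 layout).
CREDS = scram_store("pencil", b"constructed-salt")
AUTH_MESSAGE = (b"n=user,r=cnonce1,r=cnonce1snonce1,s=" + base64.b64encode(CREDS.salt)
                + b",i=4096,c=biws,r=cnonce1snonce1")
```

Either path ends at the same StoredKey, so the server never needs the password or an MD5(user:realm:password) value on disk; the cost is that PLAIN verification has to redo the full PBKDF2 iteration count on every login.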