[Operators] Suspicion of Jabbim services being hacked

Cesar Alcalde lambda512 at gmail.com
Sat Dec 20 12:51:38 UTC 2014


On 19/12/14 at 22:55, Waqas Hussain wrote:
> On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith <kevin.smith at isode.com 
> <mailto:kevin.smith at isode.com>> wrote:
>
>     On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathieui at mathieui.net
>     <mailto:mathieui at mathieui.net>> wrote:
>     >
>     > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
>     >> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com
>     <mailto:sam at samwhited.com>> wrote:
>     >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
>     >>>> Hi all,
>     >>>> thought it would be interesting to the audience of this
>     mailinglist.
>     >>>>
>     >>>>
>     http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
>     >>>>
>     >>>> Best regards,
>     >>>>
>     >>> Another great example of why you should ditch DIGEST-MD5 and
>     store your
>     >>> passwords as SCRAM bits.
>     >>>
>     >>> —Sam
>     >>>
>     >> It feels like we should do something like the encryption push,
>     but for
>     >> non-plaintext passwords.
>     >
>     > Do we have any statistics (e.g. on jabber.org
>     <http://jabber.org>) about what proportion of
>     > clients do not support any other mechanisms than PLAIN and
>     DIGEST-MD5?
>     > (though yes, PLAIN works well with hashed passwords, but should
>     still be
>     > avoided whenever possible)
>     >
>     > That would be enlightening.
>
>     While I can’t say anything about clients not supporting stuff,
>     obviously, clients choosing DIGEST are four times more numerous
>     than clients choosing SCRAM, six times more numerous than those
>     choosing PLAIN, and a small number do 78 auth and CRAM-MD5.
>
>     /K
>
>
> Thanks Kev. How hard would it be to get metrics on clients and client 
> versions (either overall, or DIGEST-MD5 specific)?
>
> I expect only a handful of clients are likely responsible for 90% of 
> the user base. Depending on actual metrics, we could conceivably 
> arrange hackathons, bounties and general evangelism.
>
> A bigger issue than getting the code written would be getting the code 
> deployed. Note, SCRAM-hashed password storage does not require clients 
> to use SCRAM, as PLAIN is still possible (though expensive).
>
> I know that some smaller (few hundred users) deployments have seen 
> success with evangelism (just describing the issue and asking users to 
> upgrade apparently works well). A related issue is users being stuck 
> on older client versions because of using distro provided packages. 
> Particularly users who like LTS releases.
>
> --
> Waqas Hussain
>


Some stats for JabberES.org, taken with about half as many users online as 
at peak hours:

psi/psi+     84 (I think that no released version of Psi supports SCRAM, 
only Psi+ since 2013)
  0.16.xxx - 17 (Psi+)
  0.15 - 38
  0.14 - 19
  0.12 - 2
  0.11 - 1
  0.10 - 6
  0.9.3 - 1

pidgin  82 (SCRAM added in 2.7.6, released on 11/21/2010)
  2.10.x - 80
  2.7.5 - 1
  2.7.1 - 1
gajim   21 (SCRAM added in 0.14, 02 September 2010)
  0.16 - 4
  0.15.x - 8
  0.14.x - 3
  0.13.x - 3
  0.12.x - 3
pandion 4 (SCRAM added in 2.6.106, 22nd April 2010)
  2.6.106 - 2
  2.5 - 2
miranda 6 (SCRAM added in December 2010)
  0.10.24 - 1
  0.10.23 - 1
  0.10.22 - 2
  0.10.18 - 1
  0.94.2.3876 - 1 (Miranda NG)
unknown 8 (no idea if they support SCRAM)
  Based on QXmpp - 2
  yaxim - 1
  jTalk - 1
  irssi-xmpp - 1
  imagent - 1
  Jabify - 1
  BayanICQ - 1
bitlbee 6 (no idea if it supports SCRAM)
  3.2.x - 6
telepathy-gabble      2 (support since 0.9.13)
  0.18 - 2
adium   1
  1.5.10 (libpurple 2.10.9) - 1
trillian        1 (no idea if it supports SCRAM)


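Waqas's point above, that SCRAM-style storage still lets PLAIN clients log in (at the cost of re-running the key derivation) while a DIGEST-MD5 server must hold a password-equivalent secret, worked through as an added example. This is not code from the thread or from any of the servers or clients mentioned; the user, password, salt, nonces and iteration count are the RFC 5802 section 5 example values.

```python
import base64
import hashlib
import hmac

# Sample values from the RFC 5802 section 5 example (not from this thread):
# user "user", password "pencil", the nonces below, 4096 iterations.
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")

def h(data):
    return hashlib.sha1(data).digest()

def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def scram_verifier(password, salt=SALT, iterations=ITERATIONS):
    """What a SCRAM-SHA-1 server stores per user (RFC 5802 section 3):
    never the password, only StoredKey and ServerKey plus salt and count."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": h(hmac_sha1(salted, b"Client Key")),
            "server_key": hmac_sha1(salted, b"Server Key")}

def client_proof(password, salt, iterations, auth_message):
    """Client side of SCRAM: proof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac_sha1(salted, b"Client Key")
    return xor(client_key, hmac_sha1(h(client_key), auth_message))

def server_check_scram(verifier, auth_message, proof):
    """Server side: StoredKey alone suffices to recover ClientKey and verify it."""
    client_key = xor(proof, hmac_sha1(verifier["stored_key"], auth_message))
    return hmac.compare_digest(h(client_key), verifier["stored_key"])

def server_check_plain(verifier, password):
    """PLAIN login against SCRAM storage: redo PBKDF2 on every login, hence 'expensive'."""
    derived = scram_verifier(password, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(derived["stored_key"], verifier["stored_key"])

def digest_md5_ha1(username, realm, password):
    """Contrast: a DIGEST-MD5 server must keep MD5(user:realm:password) (RFC 2831),
    an unsalted secret that is password-equivalent for that realm if the database leaks."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()
```

The SCRAM check never needs the password on the server, so a leaked verifier table only yields salted, iterated material that must still be guessed, unlike the DIGEST-MD5 HA1 value.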