[Operators] Suspicion of Jabbim services being hacked

Mathias Ertl mati at fsinf.at
Mon Dec 29 16:38:59 UTC 2014


On 12/19/2014 08:36 PM, Mathieu Pasquet wrote:
> Do we have any statistics (e.g. on jabber.org) about what proportion of
> clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
> (though yes, PLAIN works well with hashed passwords, but should still be
> avoided whenever possible)
> That would be enlightening.

ejabberd supports an option "disable_sasl_mechanisms" in 14.12. We used
it to disable digest-md5 to mimic a switch to SCRAM-SHA1 before we made
the actual switch.

We have received a single report of a user not being able to connect,
but he didn't reply after us asking what client he used. We have seen no
observable drop in service usage.

greetings, Mati

twitter: @mathiasertl | xing: Mathias Ertl | email: mati at er.tl
I only read plain-text mail!  I prefer signed/encrypted mail!
