[Operators] SSLv3 is out.

Jonas Wielicki xmpp-operators at sotecware.net
Wed Oct 15 07:47:23 UTC 2014


I’m not confident that this attack is (like BEAST and CRIME) relevant
for XMPP.

It requires that the attacker is able to induce several SSL connections,
with the offset of the data to be attacked (which must be the same for
all attempts) and the size of the packet under the attacker's precise
control.

I don’t know of a scenario in XMPP C2S, nor can I imagine one for XMPP
S2S, where this would be plausibly possible. So I think it is not
relevant for XMPP (also, the usual opportunistic encryption argument for
s2s applies).

Also, do XMPP S2S connections do the “downgrade dance” mentioned in the paper?

regards,
jwi

On 15.10.2014 01:02, Skhaen wrote:
> So, i will try again, can we have now a critical warning for SSLv3 on
> xmpp.net?
> 
> ----> This POODLE bites: exploiting the SSL 3.0 fallback :
> html :
> http://googleonlinesecurity.blogspot.ru/2014/10/this-poodle-bites-exploiting-ssl-30.html
> pdf : https://www.openssl.org/~bodo/ssl-poodle.pdf
> 
> Thanks.
> 
> Skhaen
> 
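The message above asks whether SSLv3 gets negotiated and whether a "downgrade dance" happens. The following is an added example, not code from this thread or from any XMPP project: a small parser for the ClientHello/ServerHello handshake records that a server operator or xmpp.net-style scanner could run over captured bytes to flag an SSLv3 negotiation and a fallback ClientHello (RFC 7507 TLS_FALLBACK_SCSV, value 0x5600) that the server should reject. The hello records are constructed inline as sample input; the `build_hello` helper exists only to produce that sample.

```python
import struct

SSL3 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signaling cipher suite value
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_hello(record: bytes) -> dict:
    """Parse one handshake record holding a ClientHello (type 1) or ServerHello (type 2)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated handshake message")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 35:
        raise ValueError("truncated hello")
    version = (hs[0], hs[1])
    pos = 34                      # skip version (2) + random (32)
    pos += 1 + hs[pos]            # skip session id
    result = {"record_version": (rec_major, rec_minor), "version": version,
              "version_name": VERSION_NAMES.get(version, "unknown")}
    if hs_type == 1:
        suites_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
        result.update(type="ClientHello", cipher_suites=suites,
                      fallback_scsv=TLS_FALLBACK_SCSV in suites)
    elif hs_type == 2:
        result.update(type="ServerHello", cipher_suite=struct.unpack("!H", hs[pos:pos + 2])[0])
    else:
        raise ValueError("not a ClientHello or ServerHello")
    return result


def assess(client_hello: bytes, server_hello: bytes, server_max=(3, 3)) -> list:
    """Return findings an operator would want to see; server_max is the server's highest version."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    findings = []
    if sh["version"] == SSL3:
        findings.append("SSLv3 negotiated")
    if ch.get("fallback_scsv") and ch["version"] < server_max:
        findings.append("fallback ClientHello below server maximum: reject with inappropriate_fallback")
    return findings


def build_hello(hs_type: int, version: tuple, suites: list) -> bytes:
    """Constructed sample input: a minimal hello record (zero random, empty session id)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    if hs_type == 1:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # one compression method: null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 22, version[0], version[1], len(hs)) + hs


# Constructed exchange: a retried ClientHello at SSLv3 carrying the fallback SCSV, answered at SSLv3.
# 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA (a CBC suite, the kind the padding attack needs).
DOWNGRADED_CH = build_hello(1, (3, 0), [0x002F, TLS_FALLBACK_SCSV])
DOWNGRADED_SH = build_hello(2, (3, 0), [0x002F])
# Constructed clean exchange at TLS 1.2 for comparison.
CLEAN_CH = build_hello(1, (3, 3), [0x002F])
CLEAN_SH = build_hello(2, (3, 3), [0x002F])

if __name__ == "__main__":
    for label, ch, sh in (("downgraded", DOWNGRADED_CH, DOWNGRADED_SH), ("clean", CLEAN_CH, CLEAN_SH)):
        print(label, parse_hello(sh)["version_name"], assess(ch, sh) or ["no findings"])
```

On a real capture you would feed `parse_hello` the first handshake record in each direction; a ServerHello at version 3.0 is the condition xmpp.net would warn about, and a fallback SCSV on a ClientHello below the server's maximum is the retry a server supporting RFC 7507 refuses, which is what stops the downgrade in the first place.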