[Security] S2S Leap of faith w/ SASL EXTERNAL

Jonathan Schleifer js-xmpp-security at webkeks.org
Fri Nov 19 08:42:58 CST 2010

On 19.11.2010 at 00:22, Matthew Wild wrote:

> In SSH at least you get notified (quite loudly) that the server
> fingerprint has changed.

Not only that: You have to type "yes" to confirm you verified the fingerprint on the first connection attempt. This is not really leap of faith, it's verifying the fingerprint. It's only leap of faith if the user is too lazy / dumb / uninformed to verify the fingerprint. It was never designed as leap of faith, it's just what many users made out of it. And it fails if some government wants to read your traffic and just MITMs every SSH connection you try to establish.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 801 bytes
Desc: Signed part of the message
URL: <http://mail.jabber.org/pipermail/security/attachments/20101119/6d673361/attachment.pgp>
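The trust-on-first-use behaviour discussed above, as an added example that is not part of the original post or of any SSH implementation: a minimal known_hosts-style store in Python that distinguishes the three outcomes (first contact, match, mismatch) and runs the two situations from the thread against it, a user who types "yes" without comparing the fingerprint, and an attacker who is on path for every connection. The host name, the key blobs and the published fingerprint are constructed placeholders, not real SSH keys.

```python
"""Trust-on-first-use host key store, modelled on SSH known_hosts (added example)."""
from __future__ import annotations

import base64
import hashlib
from enum import Enum


class Verdict(Enum):
    NEW = "new"            # host never seen: safe only if the user compares the fingerprint
    MATCH = "match"        # same key as pinned: silent success
    MISMATCH = "mismatch"  # key changed: the loud SSH warning


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """Minimal known_hosts: host name -> pinned fingerprint (kept in memory here)."""

    def __init__(self) -> None:
        self._pinned: dict[str, str] = {}

    def check(self, host: str, pubkey: bytes) -> tuple[Verdict, str]:
        fp = fingerprint(pubkey)
        pinned = self._pinned.get(host)
        if pinned is None:
            return Verdict.NEW, fp
        return (Verdict.MATCH if pinned == fp else Verdict.MISMATCH), fp

    def pin(self, host: str, pubkey: bytes) -> None:
        self._pinned[host] = fingerprint(pubkey)


def connect(store: KnownHosts, host: str, presented_key: bytes,
            trusted_fp: str, lazy: bool) -> bool:
    """Client-side decision for one connection attempt; True means the session proceeds.

    trusted_fp: the fingerprint obtained out of band (what typing "yes" is supposed to confirm).
    lazy: the user types "yes" on first contact without comparing anything.
    """
    verdict, fp = store.check(host, presented_key)
    if verdict is Verdict.MISMATCH:
        return False                      # loud warning; a sane client refuses
    if verdict is Verdict.MATCH:
        return True
    # First contact: either a real comparison or the leap of faith.
    if lazy or fp == trusted_fp:
        store.pin(host, presented_key)    # whatever is accepted now is trusted from here on
        return True
    return False


# Constructed placeholders, not real SSH key blobs.
HOST = "xmpp.example.org"
SERVER_KEY = b"constructed-genuine-host-key-blob"
ATTACKER_KEY = b"constructed-mitm-host-key-blob"
TRUSTED_FP = fingerprint(SERVER_KEY)      # what the server operator published out of band


def run_scenario(lazy: bool, mitm_sessions: list[bool]) -> list[bool]:
    """One connection per entry; True in mitm_sessions puts the attacker on path for that session."""
    store = KnownHosts()
    outcome = []
    for mitm in mitm_sessions:
        key = ATTACKER_KEY if mitm else SERVER_KEY
        outcome.append(connect(store, HOST, key, TRUSTED_FP, lazy))
    return outcome


if __name__ == "__main__":
    print("careful user, MITM on every connection:", run_scenario(False, [True, True, True]))
    print("lazy user, MITM on every connection:   ", run_scenario(True, [True, True, True]))
    print("lazy user, MITM only on later sessions:", run_scenario(True, [False, True, False]))
```

The store can only ever report whether the key differs from the one accepted on first contact. A user who compares the fingerprint refuses the attacker's key every time; a user who just types "yes" pins the attacker's key, and an attacker who stays on path for every session produces nothing but silent matches. The only warning that user will ever see is when the genuine server finally shows up.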
