[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
thoutbeckers at splendo.com
Tue May 27 17:18:32 UTC 2003
Casey Crabb <crabbkw at nafai.dyndns.org> wrote on 27-5-2003 19:12:22:
>I don't think this is any more secure than just sha1(StreamID +
>password). What happens is that sha1(password) is
>At some point sha1(password) has to travel over the line; at this
>point it can be sniffed. Or, if you have access to the server's spool
>you can just read it out of there.
>Given that you know sha1(password):
>You can't just login using a random client now, but writing a custom
>one to use the known sha1(password) is not difficult.
Well, then maybe we should send the sha1 of the sha1 of the sha1. ;)
>Does this make sense; am I missing something?
I don't think you're missing something there, I was just typing the same kind
of reply. The only thing "enhanced" about it is that if you use the
same password outside of this account for different things you can't
steal it anymore. Unless of course, that other application also uses the
same "enhanced" method, for example, another Jabber account.
Software Engineer @ Splendo
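As an added illustration of the point made in this thread (not code from the JEP or from either poster), the two digest schemes side by side: the assumed shapes are that the baseline keeps the password in the server spool and the client sends sha1(StreamID + password), while the "enhanced" variant keeps sha1(password) in the spool and the client sends sha1(StreamID + sha1(password)). In both, the spool value alone answers any later challenge, so it has to be guarded like the password itself; the only difference is whether the spool also hands out the reusable plaintext.

```python
import hashlib
import secrets

# Assumed scheme shapes (the thread does not spell them out):
#   baseline: spool keeps password,       wire carries sha1(StreamID + password)
#   enhanced: spool keeps sha1(password), wire carries sha1(StreamID + sha1(password))


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def spool_value(scheme: str, password: str) -> str:
    """What the server must keep per account to verify logins."""
    return password if scheme == "baseline" else sha1_hex(password)


def client_digest(scheme: str, stream_id: str, password: str) -> str:
    """The value a genuine client computes from the password and puts on the wire."""
    return sha1_hex(stream_id + spool_value(scheme, password))


def server_verify(stream_id: str, spool: str, digest: str) -> bool:
    """Verification only needs the spool value; the server never sees the password."""
    return secrets.compare_digest(sha1_hex(stream_id + spool), digest)


def spool_is_login_equivalent(scheme: str, password: str) -> bool:
    """The thread's point: whoever holds the spool value can answer a fresh
    challenge without the password, under either scheme."""
    spool = spool_value(scheme, password)
    fresh_stream_id = "8F1C2D3E"  # constructed stream id for a later session
    digest_without_password = sha1_hex(fresh_stream_id + spool)
    return server_verify(fresh_stream_id, spool, digest_without_password)


def spool_reveals_password(scheme: str, password: str) -> bool:
    """The one thing 'enhanced' changes: the spool no longer holds the plaintext
    that could be reused against other services."""
    return spool_value(scheme, password) == password


def demo() -> dict:
    password = "correct horse"  # constructed sample password
    stream_id = "3B0E1F2A"      # constructed sample stream id
    out = {}
    for scheme in ("baseline", "enhanced"):
        spool = spool_value(scheme, password)
        out[scheme] = {
            "genuine_login_ok": server_verify(stream_id, spool, client_digest(scheme, stream_id, password)),
            "spool_alone_logs_in": spool_is_login_equivalent(scheme, password),
            "spool_reveals_plaintext": spool_reveals_password(scheme, password),
        }
    return out
```

Running `demo()` shows `spool_alone_logs_in` true for both schemes and `spool_reveals_plaintext` true only for the baseline, which is exactly the trade-off the reply above describes.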