[Standards-JIG] Re: Re: JEP-0077: In-Band Registration

Tijl Houtbeckers thoutbeckers at splendo.com
Mon Jul 17 23:40:40 UTC 2006


On Tue, 18 Jul 2006 01:27:36 +0200, Ian Paterson  
<ian.paterson at clientside.co.uk> wrote:

>>> That way, even if a hacker gains
>>> control of my machine, they'll have only the hash -- which makes it
>>> trivial for the hacker to log into my Jabber account of course, but at
>>> least the hacker won't be able to discover the plaintext (which I might
>>> have used for other accounts or whatever).
>>
>> Again, this only works if you're the only one doing it. If all Jabber
>> servers do it, I can hack all your Jabber accounts. If email people start
>> doing it, I can get your email. I think at one point in the edigest
>> thread someone even came up with the idea that by that time you can just
>> start hashing it twice (!)
>
> It doesn't matter if all clients use exactly the same trick for all  
> servers as long as the JID (and "xmpp:") are used as a salt.

Yes, salting is part of the solution, as I already stated. If you read the  
edigest discussion I linked to, what you suggest here was also already  
proposed, and the advantages and disadvantages of this method were  
discussed as well.

In the end username/realm-based salting has some clear advantages over
others, and SASL/DIGEST-MD5 can support this already. I don't think it's
worth standardizing on an xmpp or even JID-specific solution.
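The risk the thread is arguing about can be made concrete. The following is an added example, not part of the original message or of JEP-0077: it models what a server would store under three schemes (an unsalted client-side hash, a hash salted with "xmpp:" plus the JID as suggested above, and the username:realm secret of SASL DIGEST-MD5 from RFC 2831) and checks whether a value taken from one server's database is also the credential another server expects. The credentials and domains are constructed sample data, and the exact salt concatenation for the JID scheme is an assumption made here for illustration.

```python
import hashlib

# Constructed sample credentials (illustration only, not from the thread).
PASSWORD = "correct horse battery staple"
USER = "alice"
DOMAINS = ["example.org", "example.net"]


def stored_verifier(scheme: str, user: str, domain: str, password: str) -> str:
    """Return what the server at `domain` stores (and accepts) for `user`.

    'unsalted'  : client sends H(password); the value is the same everywhere.
    'jid'       : client salts with 'xmpp:' + JID, as proposed in the thread
                  (the concatenation used here is an assumption).
    'digest-md5': the per-(username, realm) secret of SASL DIGEST-MD5
                  (RFC 2831): MD5(username ':' realm ':' password), realm=domain.
    """
    if scheme == "unsalted":
        return hashlib.sha256(password.encode("utf-8")).hexdigest()
    if scheme == "jid":
        salt = f"xmpp:{user}@{domain}"
        return hashlib.sha256(f"{salt}:{password}".encode("utf-8")).hexdigest()
    if scheme == "digest-md5":
        return hashlib.md5(f"{user}:{domain}:{password}".encode("utf-8")).hexdigest()
    raise ValueError(f"unknown scheme {scheme!r}")


def distinct_verifiers(scheme: str, user: str, domains: list, password: str) -> int:
    """How many different secrets the listed servers end up holding for one user."""
    return len({stored_verifier(scheme, user, d, password) for d in domains})


def verifier_reused_across_servers(scheme: str, user: str, breached: str,
                                   other: str, password: str) -> bool:
    """Model of a database breach at `breached`: is the stored value also what
    `other` expects? If so, one leaked hash is a login credential for both."""
    stolen = stored_verifier(scheme, user, breached, password)
    return stolen == stored_verifier(scheme, user, other, password)


if __name__ == "__main__":
    for scheme in ("unsalted", "jid", "digest-md5"):
        n = distinct_verifiers(scheme, USER, DOMAINS, PASSWORD)
        reused = verifier_reused_across_servers(scheme, USER, DOMAINS[0], DOMAINS[1], PASSWORD)
        print(f"{scheme:10s} distinct secrets: {n}  reusable on other server: {reused}")
```

With the unsalted scheme both servers hold the identical secret, so a breach of either is a breach of both; the JID-salted and DIGEST-MD5 schemes give each realm its own value. Note what salting does not change: the stored value still lets whoever holds it log into that one server, exactly as the quoted poster conceded; the gain is that the plaintext stays hidden and the value cannot be replayed against other realms.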
