[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Dave Cridland dave at cridland.net
Thu Mar 29 14:29:18 UTC 2007


On Thu Mar 29 14:13:15 2007, Matthias Wimmer wrote:
> Dave Cridland schrieb:
>> DNS-SEC comes in, of course, because otherwise there's an attack 
>> where the attacker sets up a legitimate server for domain A, 
>> ensures a channel is active to it by sending the target server 
>> stanzas for A, cons it into reusing the channel for some other 
>> domain B by spoofing DNS, and maintains that channel as well by 
>> frequent stanza sending to B. Then, the attacker has obtained all 
>> the legitimate traffic to the domain B from the target server.
>> 
>> Does that clarify things?
> 
> "Yes ... but"
> 
> We are open to this type of attack at present anyway. XMPP s2s 
> only authenticates the sending server of a connection - NOT the 
> receiving server.
> 
> 
Oh. TLS deployment is that bad?


> With dialback we are not even able to authenticate the receiving 
> server. With TLS+SASL a server could verify the certificate of the 
> receiving server, but AFAIK this is currently not done by our 
> implementations.

Well, with TLS+SASL, you can authenticate both ends. It gets quite 
amusing to do, because of the certificate authorities, but it is 
practical.

>  To enforce authentication of the receiving server we would have to 
> disable dialback and require trusted certificates.

The problem is you have to essentially mandate a list of CAs, as I 
understand things. Or, you can use leap-of-faith TLS in combination 
with dialback, and at the least heavily reduce the attack's practical 
benefit.

Leap-of-faith TLS is basically where you assume that the certificate 
is correct the first time, and you assume that a change - if the new 
certificate is still not verifiable - is a spoof. It's not perfect, 
but since people rarely want to intercept data from servers which 
have never been used before, it's quite practical.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
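The leap-of-faith (trust-on-first-use) check Dave describes, written out as an added example; this is not code from the thread or from any XMPP server. It assumes a hypothetical per-domain pin store keyed by the remote domain (not by the TCP peer, so a channel authenticated for A is checked again when asked to carry B), a SHA-256 fingerprint over the DER certificate as the pin, and a caller-supplied flag saying whether the presented certificate chains to a trusted CA. The certificates and domain names in the demo are constructed.

```python
"""Leap-of-faith (trust-on-first-use) certificate check for an XMPP s2s peer.

Added example, not code from the mailing-list thread.  Assumptions:
a hypothetical PinStore keyed by remote domain, SHA-256 over the DER
certificate as the pin, and a caller-provided `ca_verifiable` flag.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first use: pinning certificate"
    PINNED_MATCH = "certificate matches pin"
    VERIFIED_ROTATION = "new certificate is CA-verifiable: pin updated"
    SUSPECTED_SPOOF = "unverifiable certificate differs from pin: reject"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest over the DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PinStore:
    # domain -> fingerprint of the certificate first seen for that domain
    pins: dict = field(default_factory=dict)

    def check(self, domain: str, cert_der: bytes, ca_verifiable: bool) -> Verdict:
        """Decide whether `cert_der`, presented for `domain`, may be trusted.

        The pin is looked up by the domain whose stanzas the channel is about
        to carry, so reusing an existing channel for a second domain triggers
        a fresh check against that second domain's pin.
        """
        fp = fingerprint(cert_der)
        pinned = self.pins.get(domain)
        if pinned is None:
            # Leap of faith: the first certificate seen for a domain is assumed correct.
            self.pins[domain] = fp
            return Verdict.FIRST_USE
        if pinned == fp:
            return Verdict.PINNED_MATCH
        if ca_verifiable:
            # The certificate changed but the new one is verifiable: accept and re-pin.
            self.pins[domain] = fp
            return Verdict.VERIFIED_ROTATION
        # Changed, and still not verifiable: treat the change as a spoof.
        return Verdict.SUSPECTED_SPOOF


def demo() -> list:
    """Constructed walk-through of the channel-reuse attack from the thread."""
    store = PinStore()
    real_b_cert = b"constructed DER: the real example-b.tld certificate"
    attacker_cert = b"constructed DER: the attacker's self-signed certificate"
    verdicts = []
    # 1. Ordinary traffic to B pins B's (unverifiable, self-signed) certificate.
    verdicts.append(store.check("example-b.tld", real_b_cert, ca_verifiable=False))
    # 2. The attacker is genuinely authoritative for A, so A gets pinned too.
    verdicts.append(store.check("example-a.tld", attacker_cert, ca_verifiable=False))
    # 3. Spoofed DNS points B at the attacker's host; the channel set up for A
    #    now presents the attacker's certificate for B, which does not match B's pin.
    verdicts.append(store.check("example-b.tld", attacker_cert, ca_verifiable=False))
    # 4. The stated limitation: a domain never contacted before is trusted on first use.
    verdicts.append(store.check("example-c.tld", attacker_cert, ca_verifiable=False))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v.value)
```

Step 3 is where leap-of-faith pays off: the attacker's certificate is rejected for B even though it was accepted for A, because the pin belongs to the domain, not to the connection. Step 4 shows what it does not cover, exactly as the message says: a server the target has never talked to can be impersonated on first contact, and only a CA-verifiable certificate (or DNSSEC-protected lookup) closes that gap.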


