[Standards] field report on authentication methods

Sam Whited sam at samwhited.com
Thu Aug 9 15:51:48 UTC 2018

This is great stuff, thanks Peter! I'd love it if we could use jabber.org more; it's easy to forget that we have a great source of data about the network at our fingertips.

Given how small the percentage of logins over CRAM-MD5 and XEP-0078 are, can we disable those? Anything under 10% feels worth killing to me.


On Thu, Aug 9, 2018, at 10:24, Peter Saint-Andre wrote:
> Out of curiosity, I recently looked at successful logins on jabber.org
> over a series of days (all over TLS, of course). The methods used were:
> SCRAM-SHA-1           46.68%
> DIGEST-MD5            38.65%
> SASL PLAIN            10.03%
> plaintext (XEP-0078)   3.97%
> CRAM-MD5               0.67%
> It's interesting that DIGEST-MD5 is still so widely used, despite
> interoperability problems over the years. And 4% use of XEP-0078
> indicates that there are still some really old clients out there (it's
> been almost 14 years since the publication of RFC 3920).

More information about the Standards mailing list