[Standards] field report on authentication methods
sam at samwhited.com
Thu Aug 9 15:51:48 UTC 2018
This is great stuff, thanks Peter! I'd love it if we could use jabber.org more; it's easy to forget that we have a great source of data about the network at our fingertips.
Given how small the percentages of logins over CRAM-MD5 and XEP-0078 are, can we disable those? Anything under 10% feels worth killing to me.
On Thu, Aug 9, 2018, at 10:24, Peter Saint-Andre wrote:
> Out of curiosity, I recently looked at successful logins on jabber.org
> over a series of days (all over TLS, of course). The methods used were:
> SCRAM-SHA-1 46.68%
> DIGEST-MD5 38.65%
> SASL PLAIN 10.03%
> plaintext (XEP-0078) 3.97%
> CRAM-MD5 0.67%
> It's interesting that DIGEST-MD5 is still so widely used, despite
> interoperability problems over the years. And 4% use of XEP-0078
> indicates that there are still some really old clients out there (it's
> been almost 14 years since the publication of RFC 3920).