[Standards] XEP-0156 _xmppconnect is vulnerable to MITM

Travis Burtrum travis at burtrum.org
Wed Feb 9 23:29:59 UTC 2022

Hi all,

The long story short (is outside of DNSSEC) it's impossible to use 
_xmppconnect TXT records to securely connect to BOSH or WebSockets. 
Every client I've been able to find that supported this is vulnerable to 
trivial MITM (Man-In-The-Middle) via DNS spoofing.  If you have a client 
that uses it, switch to grabbing host-meta via HTTPS per [RFC-7395] 
immediately, maybe grab a CVE if you wish.

I propose we litter [XEP-0156] with warnings explaining why it's 
insecure and should never be done, and obsolete it, instead referring 
people to the single host-meta method that [RFC-7395] defines, which 
provides secure delegation when grabbed over HTTPS.

The long reason it's vulnerable is say you want to connect to 
example.org, _xmppconnect tells you to connect to wss://evil.com/xmpp, 
when you pass this to your websocket library, 100% of them will validate 
that the TLS certificate belongs to evil.com (NOT example.org, this is 
the bug) and proceed.  Now you *could maybe* hack your library to 
validate example.org instead, but in practice this isn't going to work 
because no web servers exist that will let you host evil.com but supply 
a certificate valid for example.org, in fact, this was later dubbed 
"domain fronting" and banned by google/amazon ( 
https://en.wikipedia.org/wiki/Domain_fronting ).

People unfamiliar with XMPP have asked why this doesn't affect regular 
SRV lookups, so that's worth explaining here too. That is because when 
you look up records for example.org, even if evil.com is returned, you 
validate it returns a certificate valid for example.org, and if it 
doesn't, you terminate the connection (and hopefully move to the next 
SRV record).

I'll be creating issues for all the clients I've found shortly, and will 
follow up with a list.



[RFC-7395]: https://datatracker.ietf.org/doc/html/rfc7395#section-4

[XEP-0156]: https://xmpp.org/extensions/xep-0156.html

More information about the Standards mailing list