[Psi-devel] account defaults don't work for google talk
Maciek Niedzielski
machekku at uaznia.net
Thu Mar 1 13:33:36 PST 2007
Remko Tronçon wrote:
>> GOOGLE-TOKEN doesn't give us anything security wise. The api is
>> plaintext over SSL. So we can use SASL PLAIN directly, nothing
>> gained by going over https, only more possibility to get a SSL
>> cert checking wrong.
>
> GOOGLE-TOKEN never sends your username or password over the
> connection. It gets a token out of band via https (which is secured
> using certified certificates), and uses this token to authenticate. So
> comparing it with PLAIN is not really correct AFAIK.
If I pretend to be Google's XMPP server, and you use PLAIN, I get your
password. If I pretend to be Google's HTTPS server and you use
X-GOOGLE-TOKEN, I get your password.
Risk is the same, you just need to attack from a different side.
--
Maciek
xmpp:machekku at uaznia.net
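To make the "attack from a different side" point concrete, here is a small model of the two login paths that I am adding to this thread; it is not Psi's code and does not reproduce Google's real ClientLogin request (the Endpoint class, the https_token_login stand-in and the demo credentials are all made up for the example). It also shows the third case the thread only implies: a rogue XMPP server facing the token mechanism gets the token, not the password.

```python
import base64
import secrets

# Constructed demo credentials, not real ones.
USER = "alice@example.com"
PASSWORD = "correct horse battery staple"


def sasl_plain_message(authcid, password, authzid=""):
    """Encode a SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd,
    base64'd the way an XMPP client puts it in <auth mechanism='PLAIN'>."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_sasl_plain(message):
    """Decode a PLAIN initial response. This is all any server, rogue or not, has to do."""
    authzid, authcid, password = base64.b64decode(message).decode("utf-8").split("\0")
    return {"authzid": authzid, "authcid": authcid, "password": password}


class Endpoint:
    """A server the client talks to. rogue=True models an impersonator (assumed to be
    reachable because the client accepted a bad certificate); it logs what it receives."""

    def __init__(self, name, rogue=False):
        self.name = name
        self.rogue = rogue
        self.captured = {}
        self._tokens = {}

    def https_token_login(self, user, password):
        # Hypothetical stand-in for the out-of-band token fetch. The password goes
        # inside TLS to whoever terminates that TLS connection.
        if self.rogue:
            self.captured = {"user": user, "password": password}
        token = secrets.token_hex(16)
        self._tokens[token] = user
        return token

    def xmpp_auth(self, mechanism, payload):
        if mechanism == "PLAIN":
            creds = decode_sasl_plain(payload)
            if self.rogue:
                self.captured = {"user": creds["authcid"], "password": creds["password"]}
            return True
        if mechanism == "X-GOOGLE-TOKEN":
            if self.rogue:
                # An impersonator learns the token only; the password never crossed this link.
                self.captured = {"token": payload}
                return True
            return payload in self._tokens
        raise ValueError("unsupported mechanism")


def login_plain(xmpp):
    """Client path 1: SASL PLAIN straight to the XMPP server."""
    return xmpp.xmpp_auth("PLAIN", sasl_plain_message(USER, PASSWORD))


def login_token(https, xmpp):
    """Client path 2: fetch a token over HTTPS, then present it on the XMPP stream."""
    token = https.https_token_login(USER, PASSWORD)
    return xmpp.xmpp_auth("X-GOOGLE-TOKEN", token)


def attack_matrix():
    """Which impersonated endpoint yields the password, per mechanism."""
    results = {}

    x = Endpoint("xmpp", rogue=True)          # PLAIN, attacker owns the XMPP side
    login_plain(x)
    results["PLAIN/rogue-xmpp"] = "password" in x.captured

    h, x = Endpoint("https", rogue=True), Endpoint("xmpp")   # token, attacker owns HTTPS
    login_token(h, x)
    results["TOKEN/rogue-https"] = "password" in h.captured

    h, x = Endpoint("https"), Endpoint("xmpp", rogue=True)   # token, attacker owns XMPP only
    login_token(h, x)
    results["TOKEN/rogue-xmpp"] = "password" in x.captured

    return results


if __name__ == "__main__":
    for case, got_password in attack_matrix().items():
        print(f"{case}: password captured = {got_password}")
```

Whichever path the client takes, the password is handed to exactly one peer, and the only thing standing between it and an impersonator is the certificate check on that one connection; the token flow just moves that check from the XMPP socket to the HTTPS socket.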