[Psi-devel] account defaults don't work for google talk

textshell-I1QKlO at neutronstar.dyndns.org textshell-I1QKlO at neutronstar.dyndns.org
Thu Mar 1 15:44:41 PST 2007


On Thu, Mar 01, 2007 at 06:14:06PM -0500, Hal Rottenberg wrote:
> On 3/1/07, textshell-I1QKlO at neutronstar.dyndns.org
> <textshell-I1QKlO at neutronstar.dyndns.org> wrote:
> > > I believe i recently added to that error message '(this may mean you
> > > need to enable plaintext authentication)', so that should at least
> > > help.
> > >
> > > > Can't this be negotiated?
> > >
> >
> > The point of disallowing plaintext login is security, so no, it can't
> > automatically do the right thing.
> 
> Well I disagree with this only because you haven't addressed the
> question of whether it is possible to automatically negotiate the best
> combination of security settings that will result in a successful
> connection to a new account 99.9% of the time (and 100% of the time to
> Gtalk since that's a huge user base).  I define successful to mean "I
> can chat once I've gone online".  A security warning prompt would be
> fine.  But aborting is not.
> 
> Sorry if that came out a bit stern, but I'm trying to straddle two
> diametrically opposite concerns and it's a bit challenging.  :)
> 

I think security is important, and we all know that users just click
away nag messages.
But maybe we can learn a bit from the opportunistic security models
like the one ssh uses.
The very first time a user logs in after the account is created in psi,
don't abort if the user needs to enable plaintext, but show a warning
message and save the downgraded security setting.
On all following logins just abort if the security of the first login
can't be set up.
As long as the first connection is not the target of a man-in-the-middle
attack, the security is as good as it can be.
And as long as the server doesn't downgrade its available security and
correctly maintains its certs (no serving expired certs etc), the user
doesn't need to do a thing to get it right, and the automatic abort
happens if a man-in-the-middle attack is performed, without a
message box the user might just click away.

It's still a bit of a gamble, but I think it's reasonably safe, as long
as the users don't set up their psi in hostile environments.


 - Martin
 
PS: We should really have a way for the user to see the cert of the current
    xmpp connection. AFAIK we don't have one currently.
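The "pin the first login, abort on downgrade" policy Martin sketches above, as an added, self-contained example that is not Psi's code and is not part of this thread (Python rather than Psi's C++, so the policy is easy to read and run). The account name, the `Negotiated` record, the per-account pin store and the three decision outcomes are all assumptions of this example; the only extension beyond the mail is that a later login that negotiates something strictly better than the pin ratchets the pin upward, so a server that fixes its setup is never penalised.

```python
from dataclasses import dataclass
from enum import Enum, IntEnum

# Transport security actually negotiated for one login attempt. Higher is better.
class Level(IntEnum):
    NO_TLS = 0          # credentials would travel without transport encryption
    TLS_UNVERIFIED = 1  # TLS, but the server certificate failed validation
    TLS_VERIFIED = 2    # TLS with a certificate that validated cleanly

@dataclass(frozen=True)
class Negotiated:
    level: Level
    plaintext_auth: bool  # True when only a plaintext-style SASL mechanism is offered

class Decision(Enum):
    ACCEPT = "accept"            # proceed silently
    WARN_AND_PIN = "warn"        # first login: show a warning, then remember what was accepted
    ABORT = "abort"              # later login: security fell below the remembered baseline

def _is_downgrade(pinned: Negotiated, offered: Negotiated) -> bool:
    """True when the offered connection is weaker than the pin on either axis."""
    return offered.level < pinned.level or (offered.plaintext_auth and not pinned.plaintext_auth)

def _is_upgrade(pinned: Negotiated, offered: Negotiated) -> bool:
    """True when the offer is at least as good on both axes and better on one."""
    better_level = offered.level > pinned.level
    better_auth = pinned.plaintext_auth and not offered.plaintext_auth
    return not _is_downgrade(pinned, offered) and (better_level or better_auth)

def decide(store: dict, account: str, offered: Negotiated) -> tuple:
    """Apply the opportunistic policy for one login of `account`.

    `store` is a constructed in-memory pin store (account -> Negotiated); a real
    client would persist it with the account settings. Returns (Decision, message).
    """
    pinned = store.get(account)
    best = Negotiated(Level.TLS_VERIFIED, plaintext_auth=False)
    if pinned is None:
        # First login: never abort, but warn once if anything is below the ideal.
        store[account] = offered
        if offered == best:
            return Decision.ACCEPT, "first login: full security negotiated and pinned"
        return Decision.WARN_AND_PIN, (
            f"first login: accepting reduced security {offered.level.name}, "
            f"plaintext auth={offered.plaintext_auth}; this is now the baseline")
    if _is_downgrade(pinned, offered):
        # This is the silent, non-dismissable abort the mail asks for.
        return Decision.ABORT, (
            f"refusing login: {offered.level.name} is weaker than pinned "
            f"{pinned.level.name} (possible downgrade or man-in-the-middle)")
    if _is_upgrade(pinned, offered):
        store[account] = offered  # ratchet the baseline upward, never downward
        return Decision.ACCEPT, "login ok: security improved, baseline raised"
    return Decision.ACCEPT, "login ok: matches pinned baseline"

def simulate(account: str, attempts: list) -> list:
    """Run a sequence of constructed login attempts and return the decisions."""
    store = {}
    return [decide(store, account, offer)[0] for offer in attempts]

if __name__ == "__main__":
    # Constructed scenario: a server that only offers plaintext auth over a valid
    # TLS channel, then an attempt where certificate validation suddenly fails.
    attempts = [
        Negotiated(Level.TLS_VERIFIED, plaintext_auth=True),   # account creation
        Negotiated(Level.TLS_VERIFIED, plaintext_auth=True),   # normal day
        Negotiated(Level.TLS_UNVERIFIED, plaintext_auth=True), # cert no longer validates
    ]
    for offer, outcome in zip(attempts, simulate("user@example.invalid", attempts)):
        print(f"{offer.level.name:15} plaintext={offer.plaintext_auth!s:5} -> {outcome.value}")
```

The two axes are kept separate on purpose: a server may legitimately keep requiring plaintext auth forever while its TLS stays valid, and the policy must not mistake that steady state for an attack, while a certificate that validated yesterday and fails today is exactly the case that should abort without a clickable warning.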

