[Psi-devel] account defaults don't work for google talk
Norman Rasmussen
norman at rasmussen.co.za
Fri Mar 2 03:14:05 PST 2007
On 3/1/07, Maciek Niedzielski <machekku at uaznia.net> wrote:
> If I pretend to be Google's XMPP server, and you use PLAIN, I get your
> password. If I pretend to be Google's HTTPS server and you use
> X-GOOGLE-TOKEN, I get your password.
>
> Risk is the same, you just need to attack from a different side.
You'd still need to have a certificate signed by a recognised CA to
'pretend' you were either of Google's servers. Getting one of those
is pretty hard.
The HTTPS channel is really just a half-baked two-factor authentication scheme.
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/