[Psi-devel] account defaults don't work for google talk
textshell-I1QKlO at neutronstar.dyndns.org
Sat Mar 3 02:37:45 PST 2007
On Sat, Mar 03, 2007 at 07:54:16PM +1100, Trejkaz wrote:
> On Friday 02 March 2007 08:23, textshell-I1QKlO at neutronstar.dyndns.org wrote:
> > It enables a malicous server to steal the password.
>
> A malicious server wouldn't *need* to. If it's already managed to fake the
> SSL certificate and the DNS entry, I think it's safe to assume it could just
> pretend to be that user without the user actually needing to login.
>
No, I don't think so. Faking DNS in the LAN the client is in is very much
easier than faking DNS globally (use a rogue DHCP server, local poisoning
of the DNS cache, a compromised local DNS forwarder, etc). The SSL cert is a bigger
problem, but there have been cases of phishing sites with valid-looking
certs; maybe XMPP is a bit safer than https because the user has a fixed
server set up in the account settings, but I think it's still possible.
(same cert for http and xmpp, and some php/cgi bug that allows the secret
key to be stolen? something like that)
And nobody knows what the same password might be used for. We all know
that not-so-paranoid users don't use different passwords for everything,
and single sign-on is getting more popular, so the xmpp password might be
good for a VPN or other more important company services.
- Martin
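The risk argued in the message above is that a client which hands its password to whatever answers the server's DNS name gives it away to a rogue DHCP/DNS setup on the LAN. The following is an added illustration, not Psi code and not tied to its actual account settings: a client-side policy that only offers a password-revealing SASL mechanism (PLAIN/LOGIN) when the server's identity has been verified, and otherwise falls back to a challenge-response mechanism or aborts. The `ConnectionState` record, the `allow_plaintext` flag name and the mechanism lists are constructed for this example.

```python
"""Client-side SASL mechanism selection policy (illustrative example).

The point is the one made in the thread: a malicious server that has won
the DNS race does not need to break the account if the client simply sends
the password to it. So PLAIN/LOGIN must only ever be used after TLS is up
AND the certificate chain validates AND the certificate name matches the
configured server; otherwise only challenge-response mechanisms are used.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Mechanisms that transmit the password itself (the server can recover it).
PASSWORD_REVEALING = {"PLAIN", "LOGIN"}

# Challenge-response mechanisms, best first. A fake server only sees a
# one-shot proof; DIGEST-MD5/CRAM-MD5 responses can still be attacked offline
# with a dictionary, so they limit the damage rather than remove it.
CHALLENGE_RESPONSE_PREFERENCE = ["SCRAM-SHA-1", "DIGEST-MD5", "CRAM-MD5"]


@dataclass
class ConnectionState:
    """Constructed record of what the client has established so far."""
    tls_active: bool          # STARTTLS / TLS handshake completed
    cert_verified: bool       # chain validates to a trusted root
    cert_matches_host: bool   # cert name matches the configured server/domain
    allow_plaintext: bool     # hypothetical account option: user opted in to PLAIN


def server_identity_verified(state: ConnectionState) -> bool:
    """True only if every link in the identity check holds."""
    return state.tls_active and state.cert_verified and state.cert_matches_host


def choose_mechanism(state: ConnectionState,
                     offered: Iterable[str]) -> Optional[str]:
    """Pick a SASL mechanism from those the server offered.

    Returns the mechanism name, or None if authentication must be aborted
    because every remaining option would reveal the password to an
    unverified peer.
    """
    offered_set = {m.upper() for m in offered}

    # Prefer anything that does not send the password, regardless of TLS state.
    for mech in CHALLENGE_RESPONSE_PREFERENCE:
        if mech in offered_set:
            return mech

    # Only password-revealing mechanisms remain. Use one solely when the user
    # allowed it AND we know who we are talking to.
    if offered_set & PASSWORD_REVEALING:
        if state.allow_plaintext and server_identity_verified(state):
            return "PLAIN" if "PLAIN" in offered_set else "LOGIN"

    # Unverified server that offers only PLAIN: this is exactly the
    # "malicious server steals the password" case, so refuse.
    return None


if __name__ == "__main__":
    # Rogue-DHCP scenario from the thread: DNS points at an attacker box that
    # presents some certificate that does not validate, and offers only PLAIN.
    lan_attacker = ConnectionState(tls_active=True, cert_verified=False,
                                   cert_matches_host=False, allow_plaintext=True)
    print("rogue server, PLAIN only  ->", choose_mechanism(lan_attacker, ["PLAIN"]))

    # Legitimate server: verified chain and name, user allows PLAIN over TLS.
    real_server = ConnectionState(tls_active=True, cert_verified=True,
                                  cert_matches_host=True, allow_plaintext=True)
    print("verified server, PLAIN    ->", choose_mechanism(real_server, ["PLAIN"]))
    print("verified server, DIGEST   ->",
          choose_mechanism(real_server, ["PLAIN", "DIGEST-MD5"]))
```

Note that the policy treats "allow plaintext" as necessary but never sufficient: the user's opt-in only takes effect once the server identity is verified, which is what separates a reachable default from one that a LAN attacker can exploit.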