XMPPloit explained - Written by barund @ friday 07 august 2020, 04:10

https://tanguy.ortolo.eu/blog/article69/xmpploit-explained en a blog about Debian and self-hosting Fri, 07 Aug 2020 04:10:00 +0000 PluXml XMPPloit explained - Written by barund @ friday 07 august 2020, 04:10 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1596773437-1 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1596773437-1 <h1>Nice information</h1> Fri, 07 Aug 2020 04:10:00 +0000 barund XMPPloit explained - Written by livy @ friday 03 august 2018, 14:42 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1533307350-1 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1533307350-1 I have created a TCP socket which replies to the STARTTLS request from server as a TLS negotiation. However, the negotiation fails with "bad packet" (I am using the .NET AuthenticateAsClient()method). The same script works when auth over 443, however, the "bad packet" only occurs when attempting to reply to the SERVER HELLO : REQUEST CERTIFICATE....Any suggestions on what "certificate" the XMPP server is looking for over port 5222? Again, the certificate I am using successfully authenticates and negotiates TLS when over port 443... Fri, 03 Aug 2018 14:42:00 +0000 livy XMPPloit explained - Written by mirabilos @ monday 03 september 2012, 15:13 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346685231-1 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346685231-1 Right #1 – just use port 5223 and it works. This is also important for firewalls (packet filters): so, people can *know* that there’s no way to not encrypt. Mon, 03 Sep 2012 15:13:00 +0000 mirabilos XMPPloit explained - Written by Tanguy @ monday 03 september 2012, 08:17 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346660236-1 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346660236-1 @Jan Hudec : Yes, HSTS requires a trusted first connection, so it is not a complete solution indeed. About subjectAltName, I must object: this is quite used, and very well supported but it is has major drawbacks (when you add a new domain name, you must regenerate the certificate for everything you already have), as opposed to SNI which is very flexible but not supported by antique systems such as Windows XP's crypto library. Mon, 03 Sep 2012 08:17:00 +0000 Tanguy XMPPloit explained - Written by Jan Hudec @ monday 03 september 2012, 07:02 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346655724-1 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346655724-1 The problem with HSTS of course is that the MITM can simply delete the header. If the client should refuse to continue if it ever saw that header for given URL and does not see it this time, but some hole remains open. @Mika: It is actually possible to create one certificate that is valid for multiple hosts using alternate names, so you can have virtual hosts with https. It may not work with some buggy clients though as it's rarely used and thus untested. Mon, 03 Sep 2012 07:02:00 +0000 Jan Hudec XMPPloit explained - Written by Antonio @ sunday 02 september 2012, 13:04 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346591048-1 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346591048-1 @Mika: Check out the TLS SNI extension. @Tanguy: Thank you for bringing attention to the insecure defaults of some clients. However, the choice of name for this tool is really unfortunate. It's not exploiting the protocol, and it scared me (and I assume others as well) needlessly when I read this headline. For the record, Psi+ defaults are Encrypt connection: When available Allow plaintext authentication: Over encrypted connection which, when attacked by this/similar tools will protect your password (by forcing DIGEST-MD5/Kerberos I guess), but the rest of your communication will be MITMed just fine. Sun, 02 Sep 2012 13:04:00 +0000 Antonio XMPPloit explained - Written by Mika @ saturday 01 september 2012, 19:24 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346527489-1 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346527489-1 @Anonymous: No! Do require STARTTLS! Port+IP-based SSL is so horrible, because you can't negotiate anything. The server as well as the client can only ever offer one certificate per IP, which is a pain. It's the reason why you can't use VirtualHosts together with https today, which requires massive amounts (one per hostname) of IPs just to serve different domains from one server. @the problem: Additionally, pidgin for example has the option to actually require encryption and by default does not allow authentication to happen via plain text. Which of course degrades this man-in-the-middle attack to a simple denial of service attack - if you can become the man in the middle, you can stop pidgin from connecting. Duh. Sat, 01 Sep 2012 19:24:00 +0000 Mika XMPPloit explained - Written by Anonymous @ saturday 01 september 2012, 18:08 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346522908-1 https://tanguy.ortolo.eu/blog/article69/xmpploit-explained/#c1346522908-1 That said, a note to the designers of any *new* protocol: STARTTLS is a bad idea, just require SSL and don't allow an unencrypted connection. Sat, 01 Sep 2012 18:08:00 +0000 Anonymous Tanguy Ortolo - XMPPloit explained - Comments