XSF: XMPP Standards Foundation

6 months ago • •

XSF: XMPP Standards Foundation
6 months ago • •

#XSF Announcement

Recently there was an incident via a so called #man_in_the_middle attack happened to an #XMPP #server.

To reduce the risk of such attacks in the future an early stage service called CertWatch has been published by our Community: https://certwatch.xmpp.net/

Many thanks to Stephen P. Weber (@singpolyma)!

Read two related blog posts:
http://blog.jmp.chat/b/certwatch/certwatch

https://snikket.org/blog/on-the-jabber-ru-mitm/

#Jabber #mitm #security #vulnerability #machine_in_the_middle #chat

On the jabber.ru MITM attack

Reports of a possible recent interception of the public XMPP service jabber.ru have raised a lot of questions for people about how the attack happened, and whether it could affect them too. We have some answers.

^snikket.org

This entry was edited (6 months ago)

Nicoco reshared this.

in reply to XSF: XMPP Standards Foundation

ruff

in reply to XSF: XMPP Standards Foundation • 6 months ago • •

seems it does not follow cname? or it does not tell if domain is ok already?

in reply to XSF: XMPP Standards Foundation

Ryuno-Ki

in reply to XSF: XMPP Standards Foundation • 6 months ago • •

An alternative form of MitM is Manipulator-in-the-middle.

I prefer it as it is (1) more accurate and (2) less focused on a gender („man“ being ambiguous in English here).

in reply to XSF: XMPP Standards Foundation

Colin Cogle 🔵

in reply to XSF: XMPP Standards Foundation • 6 months ago • •

It throws a 504 error if your c2s ports aren’t open to all IP addresses. But once I relaxed my server’s firewall, it was fine.

in reply to XSF: XMPP Standards Foundation

Klaus Alexander Seiﬆrup

in reply to XSF: XMPP Standards Foundation • 6 months ago • •

#XMPP #CertWatch said that »[My] settings are correct and no MITM was detected.« That's great.

It then continued with some #PubSub stuff and finally said »If you do not have a pubsub-capable client you can subscribe for text notifications by opening a chat with certwatch.xmpp.net and sending the message “subscribe <my xmpp server>”«.

My question is now: How do I open a chat with a hostname and not a JID?

My clients are #Gajim resp. #Conversations / #BlabberIM.

Anyone?

CertWatch: XMPP MITM Monitoring

^{certwatch.xmpp.net}

#xmpp #conversations #gajim #pubsub #blabberim #certwatch

in reply to Klaus Alexander Seiﬆrup

Daniel Gultsch

in reply to Klaus Alexander Seiﬆrup • 6 months ago • •

@kas exactly like you would open a chat with a contact. Or by clicking here: xmpp:certwatch.xmpp.net

Conversations shows a warning that this is a domain address but 'add anyway' works fine.

@Klaus Alexander Seiﬆrup

This entry was edited (6 months ago)

in reply to Daniel Gultsch

Debacle

in reply to Daniel Gultsch • 6 months ago • •

@daniel @kas @mdosch

Seems not to work with #Gajim by @gajim, but with #Dino by @dino.

#dino #gajim @Dino @Gajim @Klaus Alexander Seiﬆrup @Martin @Daniel Gultsch

in reply to Debacle

Gajim

in reply to Debacle • 6 months ago • •

@debacle @daniel @kas @mdosch @dino Gajim 1.8.2 will support this 👍

@Dino @Debacle @Klaus Alexander Seiﬆrup @Martin @Daniel Gultsch

⇧

XSF: XMPP Standards Foundation 6 months ago • •

XSF: XMPP Standards Foundation
6 months ago • •