Hi all,

I'm reporting this publicly since Google have not responded to my private enquiries dating back to February this year (#963055119 according to their security@ auto responder).

So I run an XMPP server and by default I demand a 256-bit cipher for my dialback peers:

    <host xmpp="yes" tls="256"/>

However with Talk, I vaguely recall needing to set it explicitly per host to accept ciphers with 128 bit keys before it would work. Anyway, I recently rebuilt my server and on the new server I no longer appear to be able to negotiate TLS with Talk at all. (I'm not sure if my old server could in its final days either; however, TLS negotiation still works for other s2s dialback peers, such as jabber.org.)

To get my server to talk to Talk I needed to set:

    <host name="gmail.com" xmpp="yes" tls="yes"/>

which is opportunistic and which results in the following in my logs:

    20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)

For reference I have manually validated that traffic to Talk is unencrypted. It's possible that this is a problem at my end, but as I said earlier TLS appears to work fine with other peers.

Can anyone else confirm if this is expected behavior? If that is the case, does anyone know if there is a reason why TLS is not currently supported?

Obviously the implications if I'm correct are that any traffic between a user on a privately operated XMPP server and a user on Talk are open to man in the middle attacks even without the cooperation of Google.

Tim

PS I am aware of discussions on various XMPP lists around this issue, but no one seems to have come up with a satisfactory answer.

-- 
Tim Brown
<mailto:timb@xxxxxxxxxxxxxxxxxxxx>
<http://www.nth-dimension.org.uk/>
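The log line quoted in the post is the kind of evidence an operator wants to catch automatically rather than by reading logs by hand. The following is an added example, not code from the post or from any XMPP server project: a small audit script that parses s2s "connected to" lines in the format shown above and flags peers whose link is unencrypted, negotiated below a minimum key size, or encrypted without a peer certificate (i.e. opportunistic, unauthenticated TLS). The unencrypted line is the real format from the post; the "TLS 256-bit, cert verified" form used for the encrypted sample lines is an assumption about how the same server would log an encrypted session, and all sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample log lines. The first reproduces the line format quoted
# in the post; the "TLS <n>-bit, cert verified" form of the others is an
# ASSUMED format for how the same server would log an encrypted peer.
SAMPLE_LOG = """\
20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)
20120212T11:02:13: [notice] (s2s.jabber.nth-dimension.org.uk): connected to jabber.org (TLS 256-bit, cert verified, auth=db, stream=XMPP, compression=none)
20120212T11:05:59: [notice] (s2s.jabber.nth-dimension.org.uk): connected to example.net (TLS 128-bit, no cert, auth=db, stream=XMPP, compression=none)
20120212T11:06:02: [info] (s2s.jabber.nth-dimension.org.uk): something unrelated
"""

# "<timestamp>: [<level>] (<component>): connected to <peer> (<attr>, <attr>, ...)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+): \[(?P<level>\w+)\] \((?P<component>[^)]+)\): "
    r"connected to (?P<peer>\S+) \((?P<attrs>[^)]*)\)$"
)
# Assumed form of the first attribute on an encrypted session.
TLS_RE = re.compile(r"^TLS (?P<bits>\d+)-bit$")


@dataclass
class S2SConnection:
    timestamp: str
    peer: str
    encrypted: bool
    key_bits: int          # 0 when the session is unencrypted
    cert_present: bool
    auth: Optional[str]    # e.g. "db" for dialback


def parse_line(line: str) -> Optional[S2SConnection]:
    """Parse one s2s 'connected to' log line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = [a.strip() for a in m.group("attrs").split(",")]
    tls = TLS_RE.match(attrs[0])
    key_bits = int(tls.group("bits")) if tls else 0
    # key=value attributes such as auth=db, stream=XMPP, compression=none
    kv = dict(a.split("=", 1) for a in attrs if "=" in a)
    return S2SConnection(
        timestamp=m.group("ts"),
        peer=m.group("peer"),
        encrypted=tls is not None,
        key_bits=key_bits,
        cert_present="no cert" not in attrs,
        auth=kv.get("auth"),
    )


def audit(lines: Iterable[str], min_bits: int = 256) -> List[str]:
    """Return one finding per policy violation found in the s2s log lines.

    Policy: the session must be encrypted with at least min_bits of key
    material, and the peer must have presented a certificate. Dialback
    (auth=db) only ties the peer to a DNS name; it says nothing about
    confidentiality, so an unencrypted dialback link is still reported.
    """
    findings: List[str] = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        if not conn.encrypted:
            findings.append(
                f"{conn.timestamp} {conn.peer}: UNENCRYPTED s2s link "
                f"(auth={conn.auth}); traffic is readable and modifiable on path"
            )
        elif conn.key_bits < min_bits:
            findings.append(
                f"{conn.timestamp} {conn.peer}: TLS key {conn.key_bits}-bit "
                f"below policy of {min_bits}-bit"
            )
        if conn.encrypted and not conn.cert_present:
            findings.append(
                f"{conn.timestamp} {conn.peer}: no certificate presented; "
                f"TLS is unauthenticated (opportunistic)"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```

Running the script over the constructed sample reports the gmail.com session as unencrypted, and the example.net session twice (key size below the 256-bit policy, and no certificate), while the jabber.org session passes. Pointing `audit()` at a real s2s log with the policy you actually configured (`tls="256"` in the post) turns the situation Tim describes into an alert instead of something discovered by manually inspecting traffic.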
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/