Full Disclosure mailing list archives
Re: talk.google.com
From: James Tucker <jftucker () gmail com>
Date: Fri, 26 Aug 2005 11:21:17 +0100
Sorry, I know this is continuing off topic, but here's a log with some description to clear up the statement below. Note, every line beginning + is client outbound data, and everything beginning - is client inbound data:

+ <?xml version="1.0"?><stream:stream to="gmail.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="en" version="1.0">
- <?xml version="1.0" encoding="UTF-8"?>
- <stream:stream from="gmail.com" id="<!--EDIT: DATA REMOVED-->" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
- <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>X-GOOGLE-TOKEN</mechanism></mechanisms></stream:features>

Here the Google client would start authenticating; however, my client doesn't know about the X-GOOGLE-TOKEN mechanism. My client doesn't do strict checking of the mechanisms here, and requests a new auth session anyway.

+ <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
- <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
+ <?xml version="1.0"?><stream:stream to="gmail.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
- <?xml version="1.0" encoding="UTF-8"?>
- <stream:stream from="gmail.com" id="<!--EDIT: DATA REMOVED-->" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
- <stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>X-GOOGLE-TOKEN</mechanism></mechanisms></stream:features>

Google now offer us a PLAIN mechanism in the second instance.

+ <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN"><!--EDIT: DATA REMOVED--></auth>
- <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

And we're authed, using PLAIN. This string is short, and not entirely human readable, but the mechanism is well documented.
The security implications of this are simple, the Google Talk client uses a more secure authentication method, period.
+ <?xml version="1.0"?><stream:stream to="gmail.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
- <?xml version="1.0" encoding="UTF-8"?>
- <stream:stream from="gmail.com" id="<!--EDIT: DATA REMOVED-->" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
- <stream:features><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/></stream:features>
+ <iq type="set"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><resource>GoogleIM</resource></bind></iq>

I left the last few lines, really for the last one in particular. Notice the resource; I have seen many people getting this wrong. On that note, also notice the values of the 'to' attributes. Your username is your Google account username, not your Gmail address; your JID, however, is your Gmail address. The other problem experienced is if your client will not disable SRV DNS lookups, records for which are not available for the Google Talk service.

And that's it for this topic.

Cheers.

Andre Protas wrote:
The Server does not accept plain. Actually, some clients were unable to connect to the jabber server b/c of that. Gajim was one. Anyone get a perl/python jabber client connecting to talk.google.com properly?

Signed,
Andre Derek Protas
Security Researcher
eEye Digital Security
aprotas eeye com
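As an added example (not code from the post or from Google), here is a small Python checker that walks a transcript written in the post's "+"/"-" notation and reports whether SASL PLAIN was offered or used on a stream that had not first negotiated STARTTLS. The transcript below is constructed from the exchange above, with the stream ids and the auth payload redacted.

```python
import re

# Constructed transcript modelled on the exchange in the post ('+' = client
# outbound, '-' = client inbound); stream ids and the auth payload are redacted.
TRANSCRIPT = """\
+ <stream:stream to="gmail.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
- <stream:stream from="gmail.com" id="REDACTED" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
- <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>X-GOOGLE-TOKEN</mechanism></mechanisms></stream:features>
+ <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
- <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
+ <stream:stream to="gmail.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
- <stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>X-GOOGLE-TOKEN</mechanism></mechanisms></stream:features>
+ <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">REDACTED</auth>
- <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
"""

# The stream header is never closed in a live transcript, so an XML parser
# would reject it; plain regexes over each message are enough here.
MECH_RE = re.compile(r"<mechanism>([^<]+)</mechanism>")
AUTH_RE = re.compile(r'<auth\b[^>]*\bmechanism="([^"]+)"')


def audit(transcript):
    """Return (phases, findings). A phase is one client stream opening: whether
    it sits inside TLS, the SASL mechanisms the server offered, and the one the
    client actually used. Findings list any PLAIN offer/use before TLS."""
    phases, findings = [], []
    tls = False
    for raw in transcript.splitlines():
        direction, _, body = raw.partition(" ")
        if direction == "+" and "<stream:stream" in body:
            phases.append({"tls": tls, "offered": [], "used": None})
        elif direction == "-" and "<proceed" in body:
            tls = True  # server accepted STARTTLS; the restarted stream is encrypted
        elif direction == "-" and "<mechanisms" in body and phases:
            offered = MECH_RE.findall(body)
            phases[-1]["offered"] = offered
            if "PLAIN" in offered and not phases[-1]["tls"]:
                findings.append("PLAIN offered before TLS")
        elif direction == "+" and phases and (m := AUTH_RE.search(body)):
            phases[-1]["used"] = m.group(1)
            if m.group(1) == "PLAIN" and not phases[-1]["tls"]:
                findings.append("PLAIN used before TLS")
    return phases, findings


if __name__ == "__main__":
    for i, phase in enumerate(audit(TRANSCRIPT)[0], 1):
        print(f"stream {i}: tls={phase['tls']} offered={phase['offered']} used={phase['used']}")
    print("findings:", audit(TRANSCRIPT)[1] or "none")
```

For the post's exchange the checker reports two streams, PLAIN offered only on the second (TLS) one, and no findings.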