This is probably one of the worst implementations ever. The chat does not use SSL encryption unlike almost every other server. Better yet, they decided to use an authentication scheme called Digest-MD5, which aside from having varying implementations and compatibility problems was DEPRECATED by the IETF in January 2009 ( https://tools.ietf.org/html/draft-ietf-sasl-digest-to-historic ) because it can be cracked. Facebook has just opened up a gaping hole in their security. Someone at facebook needs to be fired.
The link above explains many of the problems with Digest-MD5 but this is the best one.
8. The cryptographic primitives in DIGEST-MD5 are not up to today's
standards, in particular:
A. The MD5 hash is sufficiently weak to make a brute force
attack on DIGEST-MD5 easy with common hardware.
B. Using the RC4 algorithm for the security layer without
discarding the initial key stream output is prone to attack.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.