Friday, February 12, 2010

Warning on Facebook XMPP

I just finished looking at the new Facebook XMPP server. I strongly recommend against using it.

This is probably one of the worst implementations ever. The chat does not use SSL encryption, unlike almost every other server. Better yet, they decided to use an authentication scheme called Digest-MD5, which, aside from having varying implementations and compatibility problems, was DEPRECATED by the IETF in January 2009 (https://tools.ietf.org/html/draft-ietf-sasl-digest-to-historic) because it can be cracked. Facebook has just opened up a gaping hole in their security. Someone at Facebook needs to be fired.

The link above explains many of the problems with Digest-MD5, but this is the best one:
  8.  The cryptographic primitives in DIGEST-MD5 are not up to today's
      standards, in particular:

      A.  The MD5 hash is sufficiently weak to make a brute force
          attack on DIGEST-MD5 easy with common hardware.

      B.  Using the RC4 algorithm for the security layer without
          discarding the initial key stream output is prone to attack.
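To check the two problems described above on any XMPP server, a client can inspect the stream features the server advertises before logging in: whether STARTTLS is offered (and required), and which SASL mechanisms are listed. The following is an added example of such an audit, not code from the post or from Facebook; the two stanzas it runs on are constructed for illustration, and the SCRAM-SHA-1 mechanism in the second one is an assumed "good" configuration.

```python
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# SASL mechanisms that either expose the password or rest on MD5.
WEAK_MECHS = {"PLAIN", "DIGEST-MD5", "CRAM-MD5"}


def audit_features(features_xml):
    """Audit one <stream:features> stanza and return findings as a dict."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    tls_offered = starttls is not None
    tls_required = tls_offered and starttls.find(f"{{{NS_TLS}}}required") is not None
    mechanisms = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]

    findings = []
    if not tls_offered:
        findings.append("no STARTTLS: login and chat traffic cross the network unencrypted")
    elif not tls_required:
        findings.append("STARTTLS optional: a client can be steered into a plaintext session")
    for mech in mechanisms:
        if mech in WEAK_MECHS:
            detail = "MD5-based" if "MD5" in mech else "password sent in the clear"
            findings.append(f"{mech} offered ({detail})")

    return {
        "tls_offered": tls_offered,
        "tls_required": tls_required,
        "mechanisms": mechanisms,
        "findings": findings,
        # Acceptable only if TLS is mandatory and a non-weak mechanism exists.
        "acceptable": tls_required and any(m not in WEAK_MECHS for m in mechanisms),
    }


# Constructed stanzas (not captured from any real server). The first mirrors the
# setup the post describes: no STARTTLS, DIGEST-MD5 as the only mechanism.
UNSAFE_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    f'<mechanisms xmlns="{NS_SASL}"><mechanism>DIGEST-MD5</mechanism></mechanisms>'
    '</stream:features>'
)
# The second is a well-configured server: mandatory STARTTLS plus a mechanism
# that is not MD5-based (SCRAM-SHA-1, assumed here).
SAFE_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    f'<mechanisms xmlns="{NS_SASL}"><mechanism>SCRAM-SHA-1</mechanism></mechanisms>'
    '</stream:features>'
)
```

Feed `audit_features` the `<stream:features>` element a real server sends after the opening `<stream:stream>` and the findings list tells you whether a login would go over the wire unprotected.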
