
Re: [xmpp] SCRAM as MTI?



2009/9/15 Simon Josefsson <simon at josefsson.org>:

>> In that case definitely yes, since there are many cases in which I don't
>> need TLS, but I at least want to protect my credentials.
>
> You are still vulnerable to active attackers that hijack the connection
> after you have authenticated yourself.  But I agree in some situations
> that is an acceptable risk.

Sure, the rationale is minimizing damage: most of the time I can survive
a hijacked session, while a stolen password could make me cry.

> To use SCRAM (or CRAM-MD5 or DIGEST-MD5) you need a secure channel.  If
> you used DIGEST-MD5 with security layers you will need SCRAM+TLS
> instead.  SCRAM does not provide any SASL security layers.  I hope you
> weren't using DIGEST-MD5 security layers, because they weren't that
> good...

Well, indeed that's the only option offered by most servers if you
can't run TLS on the client (for some mobiles it's too heavy), and
since users can choose any server...

-- 
Fabio Forno, Ph.D.
Bluendo srl http://www.bluendo.com
jabber id: ff at jabber.bluendo.com
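The exchange the two of them are weighing, as an added example that is not part of this thread nor any project's code: a minimal SCRAM-SHA-1 client and server in Python following RFC 5802, driven with the RFC's own section 5 test vector (user "user", password "pencil", fixed client and server nonces, the RFC's salt and iteration count) so that it runs offline. It assumes no channel binding (the "n,," GS2 header) and no authorization identity; the class and function names are mine. It shows both halves of the trade-off above: the password never appears on the wire and a captured client-final cannot be replayed against a fresh server nonce, but nothing in the exchange yields a session key, so whatever follows on the same connection is protected only by the transport.

```python
"""SCRAM-SHA-1 (RFC 5802), both sides, using the RFC's own section 5 test vector."""
import base64, hashlib, hmac, os

# RFC 5802 section 5 test vector, embedded so the example runs offline.
RFC_USER, RFC_PASSWORD = "user", "pencil"
RFC_SALT_B64, RFC_ITERATIONS = "QSXCR+Q6sek8bf92", 4096
RFC_CLIENT_NONCE, RFC_SERVER_NONCE = "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j"

def _hmac(key, msg): return hmac.new(key, msg, hashlib.sha1).digest()
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _b64(raw): return base64.b64encode(raw).decode()
def _attrs(message):
    # "k=v,k=v" -> {k: v}; split on the first '=' only since base64 values end in '='
    return dict(part.split("=", 1) for part in message.split(","))

def make_verifier(password, salt, iterations):
    """What the server stores instead of the password (RFC 5802 section 3)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 20)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}

class ScramClient:
    def __init__(self, username, password, nonce):
        self.password, self.nonce = password, nonce
        self.gs2_header = "n,,"                   # no channel binding, no authzid
        self.first_bare = f"n={username},r={nonce}"

    def first_message(self):
        return self.gs2_header + self.first_bare

    def final_message(self, server_first):
        a = _attrs(server_first)
        if not a["r"].startswith(self.nonce):
            raise ValueError("server nonce does not extend client nonce")
        salted = hashlib.pbkdf2_hmac("sha1", self.password.encode(),
                                     base64.b64decode(a["s"]), int(a["i"]), 20)
        client_key = _hmac(salted, b"Client Key")
        self.server_key = _hmac(salted, b"Server Key")
        without_proof = f"c={_b64(self.gs2_header.encode())},r={a['r']}"
        self.auth_message = f"{self.first_bare},{server_first},{without_proof}".encode()
        # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); the password
        # never leaves the client, only this proof bound to both nonces does.
        proof = _xor(client_key, _hmac(hashlib.sha1(client_key).digest(), self.auth_message))
        return f"{without_proof},p={_b64(proof)}"

    def verify_server(self, server_final):
        expected = _hmac(self.server_key, self.auth_message)
        return hmac.compare_digest(base64.b64decode(_attrs(server_final)["v"]), expected)

class ScramServer:
    def __init__(self, verifiers, nonce_suffix=None):
        self.verifiers = verifiers                # username -> make_verifier(...)
        self.nonce_suffix = nonce_suffix or _b64(os.urandom(18))

    def first_message(self, client_first):
        _gs2, _authzid, self.client_first_bare = client_first.split(",", 2)
        a = _attrs(self.client_first_bare)
        self.verifier = self.verifiers[a["n"]]
        self.nonce = a["r"] + self.nonce_suffix
        self.server_first = (f"r={self.nonce},s={_b64(self.verifier['salt'])},"
                             f"i={self.verifier['iterations']}")
        return self.server_first

    def final_message(self, client_final):
        """Server-final message on success, None on failure."""
        a = _attrs(client_final)
        if a["r"] != self.nonce:                  # stale or replayed nonce
            return None
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_message = f"{self.client_first_bare},{self.server_first},{without_proof}".encode()
        # Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
        client_key = _xor(base64.b64decode(a["p"]), _hmac(self.verifier["stored_key"], auth_message))
        if not hmac.compare_digest(hashlib.sha1(client_key).digest(), self.verifier["stored_key"]):
            return None
        return "v=" + _b64(_hmac(self.verifier["server_key"], auth_message))

def run_exchange(username, password, verifiers, client_nonce=None, server_nonce=None):
    """Drive the four messages; return the wire transcript and the outcome."""
    client = ScramClient(username, password, client_nonce or _b64(os.urandom(18)))
    server = ScramServer(verifiers, server_nonce)
    c1 = client.first_message()
    s1 = server.first_message(c1)
    c2 = client.final_message(s1)
    s2 = server.final_message(c2)
    ok = s2 is not None and client.verify_server(s2)
    # Nothing above derives a session key: stanzas sent after this point carry no
    # integrity protection of their own, so the connection can be hijacked unless
    # TLS is underneath.
    return {"transcript": [c1, s1, c2, s2], "authenticated": ok, "verifiers": verifiers}

def replay_captured_final(verifiers, client_first, client_final):
    """A passive eavesdropper replays a captured client-final at a fresh server."""
    server = ScramServer(verifiers)               # fresh random nonce
    server.first_message(client_first)
    return server.final_message(client_final) is not None

def rfc5802_exchange(password=RFC_PASSWORD):
    """The RFC 5802 vector; pass a different password to see the failure path."""
    verifiers = {RFC_USER: make_verifier(RFC_PASSWORD, base64.b64decode(RFC_SALT_B64), RFC_ITERATIONS)}
    return run_exchange(RFC_USER, password, verifiers, RFC_CLIENT_NONCE, RFC_SERVER_NONCE)

if __name__ == "__main__":
    for line in rfc5802_exchange()["transcript"]:
        print(line)
```

Run stand-alone it prints the four messages of the RFC example; with the fixed nonces the client proof and server signature match the values in RFC 5802 section 5, which is a useful check that an implementation builds AuthMessage correctly (the commonest bug). Note that the verifier the server stores is StoredKey and ServerKey, not the password, and that a server that leaks its verifier database still lets an attacker impersonate the server to that user, since ServerKey is all the server ever proves knowledge of.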

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.