Comments on: Tutorial/HowTo: ejabberd + jwchat + apache2 on Ubuntu or Debian

By: Florian Haas

Florian Haas — Wed, 24 Sep 2008 05:55:54 +0000

Hi Dave,
thank you for your comment; i just fixed the Typo.

By: dave cormier

dave cormier — Tue, 23 Sep 2008 23:47:53 +0000

Thanks for the tutorial… crafty little typo there in the apache2 settings… see wjchat for jwchat.

Thanks for the help!

By: zeank

zeank — Thu, 04 Sep 2008 06:57:10 +0000

Hi, thanks for pinging me offsite – done wisely!

AFAIK SASL+DIGEST-MD5 have been marked deprected not because of possible cracks of the underlying algorithm but because of being too complicated and generic which leads to missunderstood, bad and incompatible implementations which are inturn a matter of security concerns.
With DIGEST-MD5 your using pretty large strings to be hashed. Brute-force attacks only work for reasonable small strings (some <10 characters or so). But I might by wrong here.
Nevertheless, if you can it’s ALWAYS better to have SSL encrypting for the whole stream.

By: Florian Haas

Florian Haas — Wed, 03 Sep 2008 17:12:16 +0000

Zeank, your are right. I’m sorry for posting wrong information.
However, DIGEST-MD5 is on the verge of being deprecated because of the serious security limitations(see http://tools.ietf.org/html/dra.....storic-00). Current Hard- and Software makes brute-force attacks feasible.

By: zeank

zeank — Wed, 03 Sep 2008 15:56:16 +0000

Accidentially stumpled upon this:

It is important to note that the username and password are transmited as plaintext

That’s not true. JWChat (or JSJaC to be precisely) don’t transmit passwords as plaintext if not otherwise told so. Default is to use Digest auth (DIGEST-MD5 if using SASL) for authentication if it’s available by the server.