#1531 Support TLS-SRP

Reporter Soni L.
Owner Nobody
Created
Updated
Stars ★ (1)
Tags
  • Type-Enhancement
  • Status-New
  • Priority-Medium
  1. Soni L. on

    Description of feature: See IETF RFC 5054 Motivation: (Why?) Sending passwords to a server is always fun because: - the server could be compromised - the server could be mitm'd - the server could be hijacked (e.g. DNS poisoning, etc) - the server could be the wrong server (e.g. phishing) - the server could be logging passwords in plaintext (so common that even twitter had to nuke sessions and force password resets over this) TLS-SRP mitigates some of those problems: - it encourages the use of a strongly-hashed password (you can technically store the password in plaintext in the DB but please don't) - it authenticates the server to the client (prevents mitm, hijack, phishing) - it doesn't provide a password to the server (prevents logging, phishing) It goes through SASL EXTERNAL, obviously.

New comment

Not published. Used for spam prevention and optional update notifications.