This service allows you to check your XMPP server's #TLS setup, helps you publicly store the hash of the public key in a secure way, and then monitors your server to make sure that connections to it get the same public key that you have configured and sends notifications if anything changes (which may indicate a #mitm attack on your service).
IOW, you open an XMPP connection, signal in an XMPP-specific way that you want to use TLS, the server confirms it, and only then you run a TLS handshake.
@jabberati@feld
they attacker could try send valid XMPP stanzas unencrypted, together with the starttls and a buggy server may interpret them as part of the encrypted and authenticated connection after starttls.
If a server has a bug like that, an attacker in a MITM position can inject stanzas into client's session without actually MITMing the TLS.
Add comment