[Standards] Re: [jdev] XEP-0115: Entity Capabilities
Ian Paterson
ian.paterson at clientside.co.uk
Tue Jul 3 20:39:24 CDT 2007
Justin Karneges wrote:
> Apologies for not understanding this thread at all and just commenting out of
> nowhere, but what security is gained by using a hash in the caps protocol?
> If there is no security gained by using a hash (e.g. everyone has access to
> the raw data such that they can all calculate the same hash) then what
> difference does it make which algorithm is used?
>
What if the raw data is supplied by the attacker?
Imagine Eve wants to poison the caches of clients that haven't yet
received presence from a brand new release of Psi.
If it is easy to discover collisions for the hash used by Psi, then Eve
can send Psi's hash to a client and respond to its resulting disco
request with a false set of features that she generated earlier. The
false set would probably include a single unrecognizable feature whose
'var' value could be manipulated to ensure the set has the correct hash
value, for example:
<feature var='6e4G$h#$vFsgn*F4 at Rie$EGd#$gg73S'/>.
- Ian
More information about the Standards
mailing list