[Standards] Re: [jdev] XEP-0115: Entity Capabilities
Ian Paterson
ian.paterson at clientside.co.uk
Wed Jul 4 05:35:54 CDT 2007
Dave Cridland wrote:
> The hard part remains the timing issue - in order to have any value,
> you'd need to pollute the target clients capability cache prior to it
> discovering the real capabilities, and that's an extraordinarily short
> time window.
It's not short if the attacker discovers the hash value of early "betas"
of a new version of a popular client. This approach typically would
allow a few months to find an appropriate collision (using a bot net?).
Once found, the attacker would polute users' caches and then wait for
the users to upgrade to the final released version of the client.
> FWIW, I lean heavily toward pre-defined sets, as I think that "good
> clients" gain in both security and efficiency, whereas "old clients"
> are unaffected.
Yes, the XEP could mention the possibility of "pre-defined sets" in the
implementation issues section.
Of course clients can ship with pre-defined sets even if we depricate
'ext'. IMHO, 'ext' offers only marginal improvements to pre-defined
security, network traffic and cache storage space. Eliminating 'ext'
allows us to significantly simplify client logic.
- Ian
More information about the Standards
mailing list