[jdev] Re: XEP-0070 in PHP

Norman Rasmussen norman at rasmussen.co.za
Wed Nov 15 09:52:02 CST 2006

On 10/29/06, Magnus Henoch <mange at freemail.hu> wrote:
> "Norman Rasmussen" <norman at rasmussen.co.za> writes:
> > Psi doesn't like the comma in the resource name (I think it allows
> > multiple recipients seperated with a comma).  You could use date('c')
> > or date('U') instead,
> Changed.
> > or why not login with SASL plain and allow the server to generate a
> > random resource instead.
> >
> > Or better yet, why not login with SASL Anonymous, that way even Gajim
> > will work :-)
> Yes, I would do that if class.jabber.php supported SASL ;)

I've been playing with OpenID and using the XEP-0070 example as a
source for logic.  It was very irritating to have a unique resource
all the time because Psi loads each one in a new window.  While
thinking about what the resource can be set to I noticed a security

 - If an attacker can guess what the resource is going to be, then you
have a problem.

This is a big problem with using time based resources.  In fact the
default class.jabber way is to hash the time and remote addr, which is
just as weak, because the attacker can guess both.

I guess the one 'constant' safe way would be to take a salted hash of
the jid.  That way the resource is constant per jid, and the attacker
can't duplicate it.

- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/

More information about the JDev mailing list