[jdev] Re: XEP-0070 in PHP

Norman Rasmussen norman at rasmussen.co.za
Thu Nov 16 04:04:20 CST 2006

On 11/15/06, Magnus Henoch <mange at freemail.hu> wrote:
> "Norman Rasmussen" <norman at rasmussen.co.za> writes:
> > I've been playing with OpenID and using the XEP-0070 example as a
> > source for logic.  It was very irritating to have a unique resource
> > all the time because Psi loads each one in a new window.
> Did you try the new XEP-0070 support from SVN?

SVN? What's the link?

I've been using http://www.dtek.chalmers.se/~henoch/jabberauth/index.txt

> > While thinking about what the resource can be set to I noticed a
> > security flaw:
> >
> > - If an attacker can guess what the resource is going to be, then you
> > have a problem.
> Is that a problem?  If so, the same should apply to a component
> sending authorization requests.
> As I understand it, XEP-0070 is based on the assumption that an XMPP
> address cannot be forged.  As long as that holds, I think there should
> be no problem.

Actually it's just because the 'from address' isn't checked in the
sample code.  Once a check for 'from address' is added it becomes far
more secure.

- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/

More information about the JDev mailing list