[jdev] XEP-0115: Entity Capabilities

Sergei Golovan sgolovan at nes.ru
Wed Jun 27 01:31:47 CDT 2007

On 6/27/07, Joe Hildebrand <hildjj at gmail.com> wrote:
> On Jun 27, 2007, at 5:53 AM, Sergei Golovan wrote:
> > I would consider this XEP dangerous and wouldn't like to implement it
> > in Tkabber. It's too easy for malicious user to flood all contacts
> > (and not only in his roster) by false information about all clients
> > and versions he wants.
> >
> > I think that one never should apply info received from some user to
> > other users.
> Please bring this up on the standards list if you want to talk about
> it again, but this point has been beaten to death, I think.

And the only result of these discussions is a really small note in
'Security consideration' section. Which really does cover a small
portion of possible security concerns. I could imagine for example an
attack on future software versions (where the victim can't check the
correctness of capabilities because there's no other sources of

> You can always just query each user independently if you like; you

I think that the XEP must not recommend to cache capabilities based
only on reported software name and version. The more acceptable index
is a tuple {jid, client name, client version}.

> only need to check it against the cache to look for disagreement, not
> cache each one separately.

See the idea of an attack above.

Sergei Golovan

More information about the JDev mailing list