[Foundation] Last Minute JEP 78 Concerns

Peter Saint-Andre stpeter at jabber.org
Thu May 22 15:12:11 CDT 2003


I believe that we receive the same error whether or not the user exists,
but I see your point about receiving an error in response to the IQ-get,
and I agree we need to fix that.

Peter

On Thu, May 22, 2003 at 12:54:25PM -0700, Chris Mullins wrote:
> 
> I implemented JEP 78 last night, and while doing so found an area that
> concerns me.
> 
> The sending of the User Name during the Auth "discovery" process, and
> the resulting "User does not exist" error code, seems to invite a brute
> force attack aimed at enumerating the users on the server.
> 
> IP Based Karma can eliminate some of this (but a large scale distributed
> attack would still work), but to have this JEP be secure then requires
> that Karma be implemented on the server, which introduces yet another
> dependence.
> 
> Is this something worth fixing before anyone else implements the JEP?
> 
> -- 
> Chris Mullins
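As an added illustration (not code from this thread or from any Jabber server) of the fix Peter agrees is needed: a minimal server-side jabber:iq:auth handler in which the discovery IQ-get never consults the account store, and the IQ-set returns one and the same 401 stanza for an unknown user and for a wrong password, so neither step leaks whether an account exists. The stanza shapes, the ACCOUNTS store and the helper names are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "jabber:iq:auth"
# Constructed sample account store; plaintext only to keep the example short.
ACCOUNTS = {"alice": "correct horse battery"}

def _field(iq, name):
    return iq.findtext(f"{{{NS}}}query/{{{NS}}}{name}") or ""

def handle_auth_get(iq_xml):
    """Answer the discovery IQ-get with the supported fields for ANY username.
    Existence is never consulted here, so there is no 'user does not exist'
    error for an attacker to harvest."""
    iq = ET.fromstring(iq_xml)
    reply = ET.Element("iq", type="result", id=iq.get("id", ""))
    query = ET.SubElement(reply, "query", xmlns=NS)
    ET.SubElement(query, "username").text = _field(iq, "username")
    for name in ("password", "digest", "resource"):
        ET.SubElement(query, name)
    return ET.tostring(reply, encoding="unicode")

def handle_auth_set(iq_xml):
    """Check credentials on the IQ-set. Unknown user and wrong password take
    the same code path and return the same stanza (401 not-authorized)."""
    iq = ET.fromstring(iq_xml)
    username, supplied = _field(iq, "username"), _field(iq, "password")
    # Unknown users are compared against a dummy secret so the same work is
    # done either way; hashing first gives compare_digest equal-length input.
    expected = ACCOUNTS.get(username, "\x00dummy")
    ok = hmac.compare_digest(hashlib.sha256(expected.encode()).digest(),
                             hashlib.sha256(supplied.encode()).digest())
    iq_id = iq.get("id", "")
    if ok:
        return f'<iq type="result" id="{iq_id}"/>'
    return (f'<iq type="error" id="{iq_id}"><error code="401" type="auth">'
            '<not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>'
            '</error></iq>')

def auth_get(user, iq_id="a1"):
    """Constructed client IQ-get, as sent during discovery."""
    return (f'<iq type="get" id="{iq_id}"><query xmlns="{NS}">'
            f'<username>{user}</username></query></iq>')

def auth_set(user, password, iq_id="a2"):
    """Constructed client IQ-set carrying plaintext credentials."""
    return (f'<iq type="set" id="{iq_id}"><query xmlns="{NS}">'
            f'<username>{user}</username><password>{password}</password></query></iq>')
```

Rate limiting (the "Karma" Chris mentions) still belongs in front of the IQ-set, but with uniform responses it is a second layer rather than the only thing standing between a client and the account list.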
