[Foundation] Last Minute JEP 78 Concerns
Peter Saint-Andre
stpeter at jabber.org
Thu May 22 15:12:11 CDT 2003
I believe that we receive the same error whether or not the user exists,
but I see your point about receiving error in response to the IQ-get,
and I agree we need to fix that.
Peter
On Thu, May 22, 2003 at 12:54:25PM -0700, Chris Mullins wrote:
>
> I implemented JEP 78 last night, and while doing so found an area that
> concerns me.
>
> The sending of the User Name during the Auth "discovery" process, and
> the resulting "User does not exist" error code, seems to invite a brute
> force attack aimed at enumerating the users on the server.
>
> IP Based Karma can eliminate some of this (but a large scale distributed
> attack would still work), but to have this JEP be secure then requires
> that Karma be implemented on the server, which introduces yet another
> dependence.
>
> Is this something worth fixing before anyone else implements the JEP?
>
> --
> Chris Mullins
>
> _______________________________________________
> Members mailing list
> Members at jabber.org
> http://mailman.jabber.org/listinfo/members
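As an added illustration (not code from this thread or from any Jabber server), here is a small Python sketch of the fix Peter agrees is needed: a jabber:iq:auth handler that answers the IQ-get with the same field list for every username, and answers the IQ-set with the same not-authorized error whether the account is unknown or the password is wrong. The user table, stream id, dummy password and the "leaky" before-version reply are constructed for the example; the digest (SHA-1 over stream id plus password) and the 401/not-authorized error follow JEP 78, with the wire format simplified.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"

# Constructed user store for the example: username -> plaintext password.
# (A real server would keep something better than plaintext; irrelevant here.)
USERS = {"alice": "correct horse battery staple"}

# Dummy secret so the unknown-user path does the same digest work as the
# known-user path, instead of returning early.
_DUMMY_PASSWORD = secrets.token_hex(16)


def compute_digest(stream_id, password):
    """JEP 78 digest: hex SHA-1 of the stream id concatenated with the password."""
    return hashlib.sha1((stream_id + password).encode()).hexdigest()


def leaky_get_reply(iq_id, username):
    """The behaviour Chris describes (constructed): the IQ-get itself reveals
    whether the account exists, so an attacker can enumerate users without
    ever supplying a password."""
    if username in USERS:
        return fields_reply(iq_id)
    return f"<iq type='error' id='{iq_id}'><error code='404'>User does not exist</error></iq>"


def fields_reply(iq_id):
    """Same field list for every username: existence is not revealed on IQ-get."""
    return (f"<iq type='result' id='{iq_id}'>"
            f"<query xmlns='{NS_AUTH}'><username/><password/><digest/><resource/></query>"
            "</iq>")


def auth_error(iq_id):
    """One generic error for unknown user and bad credentials alike."""
    return (f"<iq type='error' id='{iq_id}'>"
            "<error code='401' type='auth'><not-authorized/></error></iq>")


def handle_auth_iq(stanza_xml, stream_id):
    """Return the server's reply (as a string) to a jabber:iq:auth stanza."""
    iq = ET.fromstring(stanza_xml)
    iq_id = iq.get("id", "")
    query = iq.find(f"{{{NS_AUTH}}}query")
    if query is None:
        return auth_error(iq_id)

    username = query.findtext(f"{{{NS_AUTH}}}username") or ""

    if iq.get("type") == "get":
        # Never consult the user table here; the reply is constant.
        return fields_reply(iq_id)
    if iq.get("type") != "set":
        return auth_error(iq_id)

    # Look up a password in every case (dummy for unknown users) so that
    # both branches perform the same comparison work.
    known = username in USERS
    password = USERS.get(username, _DUMMY_PASSWORD)
    expected_digest = compute_digest(stream_id, password)

    supplied_digest = query.findtext(f"{{{NS_AUTH}}}digest")
    supplied_plain = query.findtext(f"{{{NS_AUTH}}}password")
    if supplied_digest is not None:
        ok = hmac.compare_digest(expected_digest.encode(), supplied_digest.encode())
    elif supplied_plain is not None:
        ok = hmac.compare_digest(password.encode(), supplied_plain.encode())
    else:
        ok = False

    if known and ok:
        return f"<iq type='result' id='{iq_id}'/>"
    # Unknown user and wrong password are indistinguishable to the client.
    return auth_error(iq_id)


if __name__ == "__main__":
    sid = "constructed-stream-id"
    get = "<iq type='get' id='g1'><query xmlns='%s'><username>%s</username></query></iq>"
    print("leaky, alice :", leaky_get_reply("g1", "alice"))
    print("leaky, nobody:", leaky_get_reply("g1", "nobody"))
    print("fixed, alice :", handle_auth_iq(get % (NS_AUTH, "alice"), sid))
    print("fixed, nobody:", handle_auth_iq(get % (NS_AUTH, "nobody"), sid))
```

The uniform error on IQ-set still leaves online password guessing against known-good usernames, which is the part IP-based karma or rate limiting addresses; the point of the handler is only that the protocol itself no longer hands out the user list.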