[Foundation] Last Minute JEP 78 Concerns

Justin Karneges justin-jdev at affinix.com
Thu May 22 15:15:19 CDT 2003


Sounds like an implementation issue.  Many protocols have this problem (like 
SMTP), but the server usually just fools the client by reporting all users as 
valid (or none as valid, depending on how it is used).

-Justin

On Thursday 22 May 2003 12:54 pm, Chris Mullins wrote:
> I implemented JEP 78 last night, and while doing so found an area that
> concerns me.
>
> The sending of the User Name during the Auth "discovery" process, and
> the resulting "User does not exist" error code, seems to invite a
> brute-force attack aimed at enumerating the users on the server.
>
> IP Based Karma can eliminate some of this (but a large scale distributed
> attack would still work), but to have this JEP be secure then requires
> that Karma be implemented on the server, which introduces yet another
> dependence.
>
> Is this something worth fixing before anyone else implements the JEP?
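
The exchange both messages describe, as an added illustration that is not code from this thread or from any Jabber server: a toy jabber:iq:auth responder in Python. It puts the "leaky" discovery handler Chris describes (a distinct "User does not exist" error for unknown names) next to the uniform behaviour Justin suggests (the same field list for every username, with the later "set" failing with one error regardless of why). Element names follow JEP-0078; the user table, the 404/401 codes, the error texts and the candidate names are assumptions made for this example.

```python
"""Added illustration, not code from the thread or from any Jabber server.
A toy responder for the jabber:iq:auth exchange of JEP-0078, showing the
enumeration oracle Chris describes (distinct error for unknown users at
discovery time) next to the uniform-reply behaviour Justin suggests.
Element names follow JEP-0078; the user table, the 404/401 codes and the
error texts are assumptions made for this example."""
import hmac
import xml.etree.ElementTree as ET

NS = "jabber:iq:auth"

# Constructed user table (plaintext passwords only because this is a toy).
USERS = {"alice": "correct horse", "bob": "hunter2"}

# Fields advertised to every client; the same list for every username.
AUTH_FIELDS = ("username", "password", "digest", "resource")


def discovery_request(username, iq_id="auth1"):
    """Client side: the 'get' that asks which auth fields the server wants."""
    iq = ET.Element("iq", type="get", id=iq_id)
    q = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(q, "username").text = username
    return ET.tostring(iq, encoding="unicode")


def auth_request(username, password, iq_id="auth2"):
    """Client side: the 'set' that actually presents credentials."""
    iq = ET.Element("iq", type="set", id=iq_id)
    q = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(q, "username").text = username
    ET.SubElement(q, "password").text = password
    ET.SubElement(q, "resource").text = "Work"
    return ET.tostring(iq, encoding="unicode")


def _result(iq_id, fields=()):
    iq = ET.Element("iq", type="result", id=iq_id)
    if fields:
        q = ET.SubElement(iq, "query", xmlns=NS)
        for f in fields:
            ET.SubElement(q, f)
    return ET.tostring(iq, encoding="unicode")


def _error(iq_id, code, text):
    iq = ET.Element("iq", type="error", id=iq_id)
    ET.SubElement(iq, "error", code=str(code)).text = text
    return ET.tostring(iq, encoding="unicode")


def _parse(request_xml):
    """Return (iq id, {child tag: text}) for the jabber:iq:auth query."""
    iq = ET.fromstring(request_xml)
    q = iq.find("{%s}query" % NS)
    fields = {c.tag.split("}", 1)[1]: (c.text or "") for c in q} if q is not None else {}
    return iq.get("id"), fields


def leaky_discovery(request_xml):
    """Server side, the behaviour Chris objects to: unknown names get a
    distinct error, so the discovery step doubles as an account oracle."""
    iq_id, f = _parse(request_xml)
    if f.get("username") not in USERS:
        return _error(iq_id, 404, "User does not exist")  # assumed code/text
    return _result(iq_id, AUTH_FIELDS)


def uniform_discovery(request_xml):
    """Server side, Justin's suggestion: advertise the same fields for every
    username and let the 'set' fail later with one uniform error."""
    iq_id, _ = _parse(request_xml)
    return _result(iq_id, AUTH_FIELDS)


def uniform_auth(request_xml):
    """Server side 'set' handler whose reply (and comparison work) does not
    depend on whether the username exists."""
    iq_id, f = _parse(request_xml)
    user = f.get("username", "")
    supplied = f.get("password", "").encode()
    # Compare against an empty secret for unknown users so the same code path
    # runs either way; the membership test then decides the outcome.
    expected = USERS.get(user, "").encode()
    match = hmac.compare_digest(supplied, expected) and user in USERS
    if not match:
        return _error(iq_id, 401, "Not Authorized")  # same reply for both cases
    return _result(iq_id)


def enumerate_users(discovery_handler, candidates):
    """Attacker side: names for which discovery returns a 'result' rather
    than an error.  Against the leaky server this is the account list;
    against the uniform server it is every name tried, i.e. no signal."""
    hits = []
    for name in candidates:
        reply = ET.fromstring(discovery_handler(discovery_request(name)))
        if reply.get("type") == "result":
            hits.append(name)
    return hits


if __name__ == "__main__":
    probe = ["alice", "bob", "carol"]  # constructed candidate list
    print("leaky  :", enumerate_users(leaky_discovery, probe))
    print("uniform:", enumerate_users(uniform_discovery, probe))
```

Run against the leaky handler the probe returns exactly the two real accounts; against the uniform handler it returns every name tried, which tells the attacker nothing. The "set" handler also deliberately runs the same comparison for unknown and known users so that neither the reply nor the amount of work done distinguishes them; rate limiting (karma) is then a second line of defence rather than the only one.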



More information about the Members mailing list