[Foundation] Last Minute JEP 78 Concerns

Russell Davis rkdavis at burninghorse.com
Thu May 22 15:32:37 CDT 2003


It does need to be fixed, as I could use a "known" incorrect password to
filter for the username, and then once I have a valid one I can run
through to get a password.

Russell

On Thu, 2003-05-22 at 16:12, Peter Saint-Andre wrote:
> I believe that we receive the same error whether or not the user exists,
> but I see your point about receiving error in response to the IQ-get,
> and I agree we need to fix that.
> 
> Peter
> 
> On Thu, May 22, 2003 at 12:54:25PM -0700, Chris Mullins wrote:
> > 
> > I implemented JEP 78 last night, and while doing so found an area that
> > concerns me.
> > 
> > The sending of the User Name during the Auth "discovery" process, and
> > the resulting "User does not exist" error code, seems to invite a brute
> > force attack aimed at enumerating the users on the server.
> > 
> > IP Based Karma can eliminate some of this (but a large scale distributed
> > attack would still work), but to have this JEP be secure then requires
> > that Karma be implemented on the server, which introduces yet another
> > dependence. 
> > 
> > Is this something worth fixing before anyone else implements the JEP? 
> > 
> > -- 
> > Chris Mullins
> > 
> > _______________________________________________
> > Members mailing list
> > Members at jabber.org
> > http://mailman.jabber.org/listinfo/members
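Added example (not code from the thread or from any Jabber server): a small model of the two jabber:iq:auth steps discussed above, showing the discovery (IQ-get) and authentication (IQ-set) replies that let a "known" bad password separate real accounts from non-existent ones, beside handlers whose replies do not depend on whether the account exists. The account table, the error texts and the SHA-1 storage are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample account database: username -> SHA-1 hex of the password.
USERS = {"alice": hashlib.sha1(b"correct horse").hexdigest()}
FIELDS = ["username", "password", "digest", "resource"]
GENERIC_ERROR = {"type": "error", "code": 401, "text": "not-authorized"}


def leaky_get(username):
    """Discovery step as described in the thread: an unknown user gets an error."""
    if username not in USERS:
        return {"type": "error", "code": 401, "text": "User does not exist"}
    return {"type": "result", "fields": FIELDS}


def leaky_set(username, password):
    """Authentication step that distinguishes 'no such user' from 'wrong password'."""
    if username not in USERS:
        return {"type": "error", "code": 401, "text": "User does not exist"}
    if USERS[username] != hashlib.sha1(password.encode()).hexdigest():
        return {"type": "error", "code": 401, "text": "Bad password"}
    return {"type": "result"}


def hardened_get(username):
    """Discovery step that advertises the same fields for every username."""
    return {"type": "result", "fields": FIELDS}


def hardened_set(username, password):
    """Authentication step: same error for unknown user and wrong password.
    A dummy digest is compared for unknown users so the work done (and the
    timing) is the same on both paths; the membership check is then still
    required so that an empty password does not match the dummy digest."""
    stored = USERS.get(username, hashlib.sha1(b"").hexdigest())
    presented = hashlib.sha1(password.encode()).hexdigest()
    if not (hmac.compare_digest(stored, presented) and username in USERS):
        return dict(GENERIC_ERROR)
    return {"type": "result"}


def distinguishes_users(get_handler, set_handler, bad_password="known-wrong"):
    """Defender-side check: True if either step answers differently for a real
    account and a non-existent one when probed with the same bad password."""
    return (get_handler("alice") != get_handler("nobody")
            or set_handler("alice", bad_password) != set_handler("nobody", bad_password))
```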