[Foundation] Last Minute JEP 78 Concerns

Peter Saint-Andre stpeter at jabber.org
Fri May 23 10:15:34 CDT 2003

I sent my reply to standards-jig at jabber.org and I think that's the best
place to discuss it.


On Thu, May 22, 2003 at 01:15:19PM -0700, Justin Karneges wrote:
> Sounds like an implementation issue.  Many protocols have this problem (like 
> SMTP), but the server usually just fools the client by reporting all users as 
> valid (or none as valid, depending on how it is used).
> -Justin
> On Thursday 22 May 2003 12:54 pm, Chris Mullins wrote:
> > I implemented JEP 78 last night, and while doing so found an area that
> > concerns me.
> >
> > The sending of the User Name during the Auth "discovery" process, and
> > the resulting "User does not exist" error code, seems to invite a brute
> > force attack aimed at enumerating the users on the server.
> >
> > IP Based Karma can eliminate some of this (but a large scale distributed
> > attack would still work), but to have this JEP be secure then requires
> > that Karma be implemented on the server, which introduces yet another
> > dependence.
> >
> > Is this something worth fixing before anyone else implements the JEP?

More information about the Members mailing list