[Foundation] Last Minute JEP 78 Concerns

Shawn Wilton shawn at black9.net
Fri May 23 10:26:59 CDT 2003


I would just treat it as valid.  Easiest thing to implement and it's 
more secure than allowing an attacker to enumerate usernames on the server.

Peter Saint-Andre wrote:
> On Thu, May 22, 2003 at 02:25:58PM -0700, Evan Prodromou wrote:
> 
>>>>>>>"CM" == Chris Mullins <cmullins at winfessor.com> writes:
>>
>>    CM> Is this something worth fixing before anyone else implements
>>    CM> the JEP?
>>
>>"before anyone else implements the JEP"? Doesn't everyone _already_
>>implement this JEP? B-)
>>
>>Since JEP-0078 documents the existing jabber:iq:auth namespace, it
>>doesn't seem to make much sense to enhance it to be more secure. I'd
>>prefer to see this kind of thing addressed in the XMPP SASL
>>authentication instead.
> 
> 
> If you look at how jabber:iq:auth is implemented today (e.g., by the
> jabberd server), you will note that the response to an IQ get with an
> invalid username is indeed a 401 error. I agree that this provides a
> malicious user or script with the ability to discover which usernames
> are in use. I'm not as sure about the right way to fix this, but I think
> the JEP should say that a server implementation may return an error (as
> implementations do now) or an IQ result with the fields to fill out
> (i.e., treating the username as valid), but must return one or the
> other.
> 
> Thoughts?
> 
> Peter
> 
> P.S. Moving this thread to Standards-JIG, please reply there.
> _______________________________________________
> Members mailing list
> Members at jabber.org
> http://mailman.jabber.org/listinfo/members

-- 

-Shawn Wilton
-Black9 Systems and Networks
-Phone:  503 881 2707
-Email/JID:  shawn at black9.net/shawn at chote.net




More information about the Members mailing list