[Members] In-Band Registration with Jabber.org
Robert B Quattlebaum, Jr.
darco at deepdarc.com
Wed Oct 25 18:35:44 CDT 2006
I'm not sure if this is the best place to mention this, but I'm not
sure where else to bring this up so I'll mention it here.

I really think that jabber.org should not allow anonymous
jabber:iq:register for account creation. I think that it sets a bad
precedent, and is ripe for automation and other sorts of abuse. At
the very least, jabber.org should do some sort of email-address
verification, but currently it does nothing.

Ideally, there should be some way that when a client requests
jabber:iq:register anonymously that they are pointed to a
registration page on the jabber.org site. Such a page should have a
CAPTCHA and at least get an email address from them. Registering for
an account on a web-page is easy, and in some cases this would
actually allow people to register when they don't have a client which

Just because we don't have spim now doesn't mean it will never
happen. jabber:iq:register allows an automated process to easily
create many accounts very quickly without human intervention. These
accounts could be used to not only spam other users but to execute
types of denial of service attacks against users as well.

We need to take measures now to help prevent the public federated
jabber network from becoming a hostile environment. We should be
encouraging public servers to not allow plain-old vanilla
jabber:iq:register for creating accounts, and I think that jabber.org
should set an example in this case.

Jabber: darco at deepdarc.com
eMail: darco at deepdarc.com
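
The redirect asked for in the message above matches the redirection case in XEP-0077, where the server answers a registration request with instructions and a jabber:x:oob URL instead of a form. The following is an added example, not part of the original post and not jabber.org's code; the handler name, the `authenticated` flag and the example.org URL are assumptions.

```python
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"
NS_OOB = "jabber:x:oob"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"
# Assumed placeholder; the post does not name an actual sign-up page.
SIGNUP_URL = "https://example.org/register"


def handle_register_iq(stanza_xml, authenticated):
    """Build the reply to a jabber:iq:register IQ on a client stream.

    Returns the reply stanza as a string, or None when this policy does
    not apply (other namespaces, non-requests, or an authenticated user
    changing a password or cancelling, which the normal handler serves).
    A real server would take the stanza from its own stream parser
    (DTDs are forbidden in XMPP); ET.fromstring stands in for that here.
    """
    iq = ET.fromstring(stanza_xml)
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") not in ("get", "set"):
        return None
    if iq.find("{%s}query" % NS_REGISTER) is None or authenticated:
        return None

    reply = ET.Element("iq", {"id": iq.get("id", ""), "type": "result"})
    if iq.get("type") == "get":
        # Field request: send instructions plus an out-of-band URL
        # in place of the username/password form.
        query = ET.SubElement(reply, "{%s}query" % NS_REGISTER)
        ET.SubElement(query, "{%s}instructions" % NS_REGISTER).text = (
            "To register, visit " + SIGNUP_URL)
        oob = ET.SubElement(query, "{%s}x" % NS_OOB)
        ET.SubElement(oob, "{%s}url" % NS_OOB).text = SIGNUP_URL
    else:
        # A scripted client can skip the 'get' and submit credentials
        # directly, so the 'set' must be refused outright.
        reply.set("type", "error")
        error = ET.SubElement(reply, "error", {"type": "cancel"})
        ET.SubElement(error, "{%s}not-allowed" % NS_STANZAS)
    return ET.tostring(reply, encoding="unicode")
```

Refusing the `set` is the part that stops automated account creation; the redirect on `get` only tells well-behaved clients where to send the user.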