[Members] In-Band Registration with Jabber.org

Robert B Quattlebaum, Jr. darco at deepdarc.com
Wed Oct 25 18:35:44 CDT 2006


I'm not sure if this is the best place to mention this, but I'm not  
sure where else to bring this up so I'll mention it here.

I really think that jabber.org should not allow anonymous  
jabber:iq:register for account creation. I think that it sets a bad  
precedent, and is ripe for automation and other sorts of abuse. At  
the very least, jabber.org should do some sort of email-address  
verification, but currently it does nothing.

Ideally, there should be some way that, when a client requests
jabber:iq:register anonymously, they are pointed to a
registration page on the jabber.org site. Such a page should have a
CAPTCHA and at least get an email address from them. Registering for  
an account on a web-page is easy, and in some cases this would  
actually allow people to register when they don't have a client which  
supports jabber:iq:register.

Just because we don't have spim now doesn't mean it will never  
happen. jabber:iq:register allows an automated process to easily  
create many accounts very quickly without human intervention. These  
accounts could be used to not only spam other users but to execute  
types of denial of service attacks against users as well.

We need to take measures now to help prevent the public federated  
jabber network from becoming a hostile environment. We should be  
encouraging public servers to not allow plain-old vanilla  
jabber:iq:register for creating accounts, and I think that jabber.org  
should set an example in this case.

__________________
Robert Quattlebaum
Jabber: darco at deepdarc.com
eMail:  darco at deepdarc.com
www:    http://www.deepdarc.com/
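
The redirect proposed in the message above can be expressed with the out-of-band URL (jabber:x:oob) form that XEP-0077 describes for redirection. The sketch below is an added example, not part of the original post and not jabber.org's code; `handle_register_iq`, `SIGNUP_URL`, the sample stanzas and the choice of `not-allowed` for refused requests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"
NS_OOB = "jabber:x:oob"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"
# Hypothetical signup page (placeholder, not a real jabber.org URL).
SIGNUP_URL = "https://signup.example.org/register"


def handle_register_iq(stanza_xml, authenticated=False):
    """Build the reply to a jabber:iq:register request from a client.

    Returns the reply stanza as a string, or None when this policy does not
    apply (not a register get/set, or an authenticated session managing its
    own account) and the stanza should go to the normal handler.
    """
    iq = ET.fromstring(stanza_xml)
    is_request = (iq.tag.rpartition("}")[2] == "iq"
                  and iq.get("type") in ("get", "set"))
    if (not is_request or authenticated
            or iq.find(f"{{{NS_REGISTER}}}query") is None):
        return None

    reply = ET.Element("iq", {"id": iq.get("id", "")})
    if iq.get("type") == "get":
        # Offer no in-band fields: only instructions plus the web URL.
        reply.set("type", "result")
        query = ET.SubElement(reply, "query", {"xmlns": NS_REGISTER})
        ET.SubElement(query, "instructions").text = (
            "To create an account, visit " + SIGNUP_URL)
        oob = ET.SubElement(query, "x", {"xmlns": NS_OOB})
        ET.SubElement(oob, "url").text = SIGNUP_URL
    else:
        # Refuse in-band account creation from unauthenticated sessions.
        reply.set("type", "error")
        ET.SubElement(reply, "query", {"xmlns": NS_REGISTER})
        error = ET.SubElement(reply, "error", {"type": "cancel"})
        ET.SubElement(error, "not-allowed", {"xmlns": NS_STANZAS})
    return ET.tostring(reply, encoding="unicode")


# Constructed sample stanzas, as a client would send before authenticating.
SAMPLE_GET = "<iq type='get' id='reg1'><query xmlns='jabber:iq:register'/></iq>"
SAMPLE_SET = ("<iq type='set' id='reg2'><query xmlns='jabber:iq:register'>"
              "<username>bot0001</username><password>x</password></query></iq>")

if __name__ == "__main__":
    print(handle_register_iq(SAMPLE_GET))
    print(handle_register_iq(SAMPLE_SET))
```

Authenticated sessions are passed through so that existing users can still change a password or cancel an account in-band.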

