[Operators] in-band registration [forever]

Peter Saint-Andre stpeter at stpeter.im
Wed Apr 11 00:25:30 UTC 2012


On 4/10/12 5:28 PM, Peter Viskup wrote:
> Hi all, [un]fortunately our server is supporting 'unprotected' IBR
> and we are not going to disable/'protect' it during the next few
> months/years. For sure there are also accounts used during attacks
> registered on our server, but I think this is the same on all XMPP
> servers with any open registration, and administrators just have to
> take care of them (somehow).
> @Peter - I find it a very useful and simple way to register and do
> not want to complicate the lives of our potential users.

My life is made more complicated by the fact that I need to use keys
to get into my house, too. ;-)

> Therefore we are not running a captcha (as a 'security' module) for IBR
> - from my (and our server's) present point of view it's meaningless
> and today's attackers can breach it easily.

Breaching CAPTCHAs is not quite as easy as writing a script to perform
thousands of IBR registrations per minute.

You don't need to be the fastest antelope, you just need to make sure
you're not the slowest.

> @Kevin - your comparison is not completely right. I do not
> think that we need to move away from IBR. I like that approach to
> registration and it makes sense to install an XMPP client and register
> on any XMPP server through just that one application.
> The only thing we need is to find a way to protect our servers from
> the attacks in an efficient and effective way. (There is nothing
> efficient and effective known at this time.) The response to this
> could be "xep-0268" - already proposed by Peter Saint-Andre in
> February this year - and I hope that all of us will push the
> developers of our XMPP servers to implement it once it is
> available.

I'm in the process of updating XEP-0268 to use the IODEF format
defined in RFC 5070 because there are already code libraries for that
format, so don't push too hard on those server developers yet. I'll
bump this work up the stack. :-)

> This is a question of making XMPP mature and I do not think there
> is a need to 'move away from IBR' or 'block all XMPP servers with
> unprotected IBR from federation'. IBR is the (nicest?) feature of
> XMPP and cannot be punished for a 'not-the-best' security
> implementation of XMPP. :-)

As with everything, it's a question of costs and benefits. Right now
the costs seem quite high, but perhaps wider implementation of
CAPTCHAs and rate limits and such would help.


-- 
Peter Saint-Andre
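As an added illustration of the rate-limit idea raised in this reply (example code written for this page, not code from the thread or from any XMPP server), a per-source sliding-window limiter for in-band registration attempts, run over constructed sample events. The addresses, limits and helper names are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class RegistrationLimiter:
    """Sliding-window limit on IBR (XEP-0077) attempts per source address.

    Hypothetical helper for illustration; not taken from any XMPP server.
    """
    max_per_window: int = 3          # registrations allowed per source per window
    window_seconds: float = 3600.0   # window length (one hour)
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, source_ip: str, now: float) -> bool:
        """True if a registration from source_ip at time `now` may proceed."""
        recent = self._history[source_ip]
        # Forget attempts that have aged out of the window.
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False          # over budget: reject (or hand off to a CAPTCHA)
        recent.append(now)
        return True


# Constructed sample events (timestamp in seconds, source IP, requested
# username): one human registration, a script firing every two seconds,
# then one more attempt from the script after the window has expired.
SAMPLE_ATTEMPTS = [(0.0, "198.51.100.7", "alice")]
SAMPLE_ATTEMPTS += [(1.0 + 2 * i, "203.0.113.9", f"bot{i}") for i in range(10)]
SAMPLE_ATTEMPTS.append((3700.0, "203.0.113.9", "bot-late"))


def evaluate(attempts, limiter=None):
    """Run attempts through the limiter; return (accepted, rejected) lists."""
    limiter = limiter or RegistrationLimiter()
    accepted, rejected = [], []
    for ts, ip, user in attempts:
        (accepted if limiter.allow(ip, ts) else rejected).append((ip, user))
    return accepted, rejected


if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE_ATTEMPTS)
    print(f"accepted {len(ok)}, rejected {len(blocked)}")
    for ip, user in blocked:
        print(f"  rejected {user!r} from {ip}")
```

A per-address budget alone is sidestepped by registering from many addresses, which is why the reply pairs rate limits with CAPTCHAs; the limiter's reject branch is the natural place to demand one.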


