[Security] rfc3920bis - "from" attribute in the stream header

Jiří Zárevúcký zarevucky.jiri at gmail.com
Sat Feb 21 12:02:36 CST 2009


Hello. The draft states the following:

"For initial stream headers in client-to-server communication, if the
client knows the XMPP identity of the principal controlling the client
(typically an account name of the form <node at domain>), then it MUST
include the 'from' attribute and MUST set its value to that identity."

However, the first initial stream is unencrypted. This would send the
user's identity through an insecure connection. Perhaps it's not a big
security issue (presuming the user is not absolutely paranoid), but since
there is no benefit of this at all, I think it isn't such a good idea
to send the identity with the header.
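As an added illustration of the point raised above (example code, not from the draft or the original message): a client that leaves the 'from' attribute out of the stream header it sends in the clear and only adds it to the header sent after STARTTLS, plus a check that a test harness can run over the pre-TLS bytes. The namespaces are the XMPP core ones; the function names and the sample JID are assumptions for this example.

```python
# Added example (not from the original message): withhold 'from' until the
# stream is TLS-protected, and detect a header that leaks it in the clear.
# Namespaces are XMPP core; function names and the sample JID are assumed.
import re
from xml.sax.saxutils import quoteattr

STREAM_NS = "http://etherx.jabber.org/streams"
CLIENT_NS = "jabber:client"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Matches a 'from' attribute inside a <stream:stream ...> header.
_HEADER_WITH_FROM = re.compile(r"<stream:stream\b[^>]*\sfrom\s*=")


def initial_stream_header(jid, domain, tls_active):
    """Build the client's initial <stream:stream> header.

    'to' (the server domain) is always sent; the client already disclosed
    it via DNS.  'from' (the account <node@domain>) is added only once the
    stream is TLS-protected, so the identity never crosses the wire in clear.
    """
    attrs = [
        "xmlns=" + quoteattr(CLIENT_NS),
        "xmlns:stream=" + quoteattr(STREAM_NS),
        "to=" + quoteattr(domain),
        "version='1.0'",
    ]
    if tls_active:
        attrs.insert(2, "from=" + quoteattr(jid))
    return "<?xml version='1.0'?><stream:stream " + " ".join(attrs) + ">"


def client_handshake(jid, domain):
    """Return (bytes sent in the clear, bytes sent after TLS is up).

    A real client writes the second part to the TLS socket; the phases are
    kept separate here so the cleartext can be inspected on its own.
    """
    cleartext = initial_stream_header(jid, domain, tls_active=False)
    cleartext += "<starttls xmlns=" + quoteattr(TLS_NS) + "/>"
    # ... server answers <proceed/>, TLS handshake runs, stream restarts ...
    protected = initial_stream_header(jid, domain, tls_active=True)
    return cleartext.encode("utf-8"), protected.encode("utf-8")


def leaks_identity(cleartext):
    """True if any stream header in the pre-TLS bytes carries 'from'."""
    text = cleartext.decode("utf-8", "replace")
    return _HEADER_WITH_FROM.search(text) is not None
```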