[Security] rfc3920bis - "from" attribute in the stream header

Justin Karneges justin at affinix.com
Sat Feb 21 12:14:47 CST 2009


On Saturday 21 February 2009 10:02:36 Jiří Zárevúcký wrote:
> Hello. The draft states the following:
>
> "For initial stream headers in client-to-server communication, if the
> client knows the XMPP identity of the principal controlling the client
> (typically an account name of the form <node at domain>), then it MUST
> include the 'from' attribute and MUST set its value to that identity."
>
> However, the first initial stream is unencrypted. This would send the
> user's identity through an insecure connection. Perhaps it's not a big
> security issue (presuming the user is not absolutely paranoid), but since
> there is no benefit to this at all, I think it isn't such a good idea
> to send the identity with the header.

Like other fields used before securing the connection, it is useful as a hint.  
However, no sensitive transactions should occur until the identity is proven.

The identity will be secured during TLS/SASL negotiation, and any other fields 
are repeated in a new <stream>, so there's no risk of trusting insecure data.

-Justin
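A sketch of the trust boundary Justin describes, as an added example (not code from the original thread or from any XMPP implementation): the 'from' attribute of both the pre-TLS and the post-TLS stream header is recorded only as a hint, and the identity used for anything sensitive comes solely from SASL. The `ServerSession` class, its method names and the sample headers are constructed for illustration; the namespace URIs are the ones the XMPP core specification uses for client streams.

```python
import xml.etree.ElementTree as ET

# Constructed sample headers. The open tag is sent unterminated on the wire,
# so the parser helper closes it before parsing.
PRE_TLS_HEADER = ('<stream:stream xmlns="jabber:client" '
                  'xmlns:stream="http://etherx.jabber.org/streams" '
                  'from="juliet@example.com" to="example.com" version="1.0">')
POST_TLS_HEADER = PRE_TLS_HEADER  # the client repeats the header after TLS


def parse_stream_header(header_xml):
    """Return the (from, to, version) attributes of a stream open tag."""
    root = ET.fromstring(header_xml + "</stream:stream>")
    return root.get("from"), root.get("to"), root.get("version")


class ServerSession:
    """Tracks what the server may rely on at each stage of the handshake."""

    def __init__(self):
        self.tls_active = False
        self.from_hint = None       # untrusted: copied from a stream header
        self.authenticated = None   # trusted: set only by a SASL success

    def on_stream_header(self, header_xml):
        # Whether or not TLS is up, 'from' is only a hint (e.g. for routing
        # or picking a certificate); it never becomes the session identity.
        self.from_hint = parse_stream_header(header_xml)[0]

    def on_starttls(self):
        # The stream restarts after TLS, so pre-TLS header state is dropped.
        self.tls_active = True
        self.from_hint = None

    def on_sasl_success(self, authzid):
        self.authenticated = authzid

    def trusted_identity(self):
        """Identity usable for sensitive operations: only after SASL."""
        return self.authenticated

    def hint_matches(self):
        """Post-TLS hint vs. SASL identity; a mismatch is worth logging."""
        return self.from_hint is not None and self.from_hint == self.authenticated


def run_handshake(pre_tls_header, post_tls_header, sasl_identity):
    """Walk the handshake and report the trusted identity at each step."""
    s = ServerSession()
    s.on_stream_header(pre_tls_header)
    before_tls = s.trusted_identity()       # None: nothing proven yet
    s.on_starttls()
    s.on_stream_header(post_tls_header)
    before_sasl = s.trusted_identity()      # still None: TLS proves nothing about the user
    s.on_sasl_success(sasl_identity)
    return before_tls, before_sasl, s.trusted_identity(), s.hint_matches()
```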

