[Security] rfc3920bis - "from" attribute in the stream header

Jiří Zárevúcký zarevucky.jiri at gmail.com
Sat Feb 21 12:25:43 CST 2009


That's all very nice, but you misunderstood me. :)
I'm talking about the possibility of a neighbor sniffing your JabberID.
Imagine, for example, that you have a private account you don't want any
of your friends to know about, or that the use of IMs is forbidden at
work and the IT staff can easily see who you are.

2009/2/21 Justin Karneges <justin at affinix.com>:
> On Saturday 21 February 2009 10:02:36 Jiří Zárevúcký wrote:
>> Hello. The draft states the following:
>>
>> "For initial stream headers in client-to-server communication, if the
>> client knows the XMPP identity of the principal controlling the client
>> (typically an account name of the form <node at domain>), then it MUST
>> include the 'from' attribute and MUST set its value to that identity."
>>
>> However, the first initial stream is unencrypted. This would send the
>> user's identity over an insecure connection. Perhaps it's not a big
>> security issue (presuming the user is not absolutely paranoid), but since
>> there is no benefit to this at all, I think it isn't such a good idea
>> to send the identity with the header.
>
> Like other fields used before securing the connection, it is useful as a hint.
> However, no sensitive transactions should occur until the identity is proven.
>
> The identity will be secured during TLS/SASL negotiation, and any other fields
> are repeated in a new <stream>, so there's no risk of trusting insecure data.
>
> -Justin
>
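An added illustration (not code from the thread or from any XMPP library) of the two points raised above: a client that withholds `from` on the cleartext stream header and only adds it when the stream is restarted after TLS, plus a small parser a defender can run over a captured header to check whether a bare JID was sent in the clear. The server name `example.org` and the JID `alice@example.org` are constructed sample values; the "omit before TLS" policy is the stricter behaviour the thread argues for, not what the quoted draft text mandates.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

STREAMS_NS = "http://etherx.jabber.org/streams"
CLIENT_NS = "jabber:client"


def stream_header(to, from_jid=None, secured=False):
    """Build an initial <stream:stream> header for a client-to-server stream.

    Assumed policy (the thread's proposal, not the draft's wording): the
    'from' attribute is emitted only once the channel has been secured, so
    the account JID never crosses the wire in cleartext.
    """
    attrs = [
        ("xmlns", CLIENT_NS),
        ("xmlns:stream", STREAMS_NS),
        ("to", to),
        ("version", "1.0"),
    ]
    if secured and from_jid is not None:
        attrs.append(("from", from_jid))
    body = " ".join(f"{k}={quoteattr(v)}" for k, v in attrs)
    return f"<?xml version='1.0'?><stream:stream {body}>"


def header_from_attr(raw_header):
    """Return the 'from' value of a captured stream header, or None.

    On the wire the stream header is an unclosed element, so it is closed
    here before parsing. A non-None result on a header captured before
    STARTTLS means the JID was disclosed in cleartext.
    """
    root = ET.fromstring(raw_header + "</stream:stream>")
    if root.tag != f"{{{STREAMS_NS}}}stream":
        raise ValueError("not an XMPP stream header")
    return root.get("from")


def client_handshake_headers(jid, server):
    """The two headers one session sends: the cleartext one, and the one
    that restarts the stream after STARTTLS succeeds (fields are repeated
    in the new <stream>, as the reply above notes)."""
    return [
        stream_header(server, jid, secured=False),  # before TLS: no JID
        stream_header(server, jid, secured=True),   # after TLS: JID included
    ]
```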