[Security] [jdev] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Mon Feb 3 08:33:44 UTC 2014


On 02.02.2014 21:53, Florian Zeitz wrote:
> On 02.02.2014 11:39, Alexander Holler wrote:
>> On 02.02.2014 09:23, Waqas Hussain wrote:
>>
>>>
>>> Using the server's hostname in this case is still a bug though.
>>> RFC3920 was vague, but RFC6120 is quite clear on this. Even before
>>> 6120's publication this was the consensus (which led to 6120
>>> clarifying it).
>>>
>>> In a c2s connection, the default address of the 'c' side is the
>>> connection's full JID, while of the 's' side is the user's bare JID.
>>
>> No. For me, and as it looks, some other server authors, the obvious
>> content of a missing 'to' is the direct communication partner to which
>> the stanza is sent.
>>
>> If you have a c2s connection and the client sends a stanza without 'to'
>> (client -> server), it is for sure not obvious that the client itself is
>> what the missing 'to' should be.
>>
>> And if you change the RFC, you can't blame servers as the changed RFC
>> made them non-compliant.
>>
> Okay, I don't blame you. Now go *update* your server to the current
> version of the RFC, which has been out for quite some time.
> Your complaints about this clarification in the RFC are really more than
> just a bit late.

It wasn't a complaint, I've just explained why servers behave
differently than the current RFC says. I had the impression several people
seem not to know that there was a quite different RFC before 6120 and
most servers were created a long time ago.

Anyway, I think it's better I don't say anything more. (And to make you
happy: I don't intend to change my server.)

Alexander Holler
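As an added illustration of the addressing rule quoted above (this is example code written for this archive page, not code from the thread or from any of the servers discussed in it): on a c2s stream the client's address is the connection's full JID and the server's address is the user's bare JID, so a stanza the client sends without 'to' is addressed to the bare JID, and a stanza the server delivers without 'from' comes from the bare JID. The iq-reply matching helper, the JID `alice@example.org/laptop` and the stanzas are constructed assumptions; under those defaults a reply to a 'to'-less iq that claims to come from the server's hostname is the behaviour the thread calls a bug, and the helper rejects it.

```python
"""RFC 6120 default addressing on a c2s stream, plus iq reply pairing.

Added example for this page, not code from the thread.  JIDs and stanzas
are constructed; the matching policy is an assumption, not a quoted rule.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class C2SStream:
    """A client-to-server stream, identified by the connection's full JID."""

    full_jid: str  # constructed example value: "alice@example.org/laptop"

    @property
    def bare_jid(self) -> str:
        # The account (localpart@domainpart): the address of the 's' side.
        return self.full_jid.split("/", 1)[0]


def _localname(tag: str) -> str:
    """Strip an ElementTree namespace prefix such as '{jabber:client}'."""
    return tag.rsplit("}", 1)[-1]


def addresses_client_sent(stream: C2SStream, stanza: ET.Element) -> tuple[str, str]:
    """(to, from) of a stanza the client sent over this stream.

    A missing 'to' means the server handles the stanza on behalf of the
    account, i.e. it is addressed to the user's bare JID.  The server stamps
    (or overrides) 'from' with the connection's full JID.
    """
    to = stanza.get("to") or stream.bare_jid
    return to, stream.full_jid


def addresses_server_sent(stream: C2SStream, stanza: ET.Element) -> tuple[str, str]:
    """(to, from) of a stanza the server delivered to the client.

    A missing 'to' means the stanza is for this connection (full JID); a
    missing 'from' means it comes from the account itself (bare JID).
    """
    to = stanza.get("to") or stream.full_jid
    frm = stanza.get("from") or stream.bare_jid
    return to, frm


def iq_reply_is_acceptable(stream: C2SStream, request_xml: str, reply_xml: str) -> bool:
    """Pair an iq reply with the request it answers (assumed client policy).

    Accept only a result/error iq that carries the request's id, is addressed
    to this connection, and whose effective 'from' equals the effective 'to'
    of the request.  A request without 'to' is therefore answered by the bare
    JID; a reply from the server's hostname or any other JID is rejected.
    """
    request = ET.fromstring(request_xml)
    reply = ET.fromstring(reply_xml)
    if _localname(request.tag) != "iq" or _localname(reply.tag) != "iq":
        return False
    if reply.get("type") not in ("result", "error"):
        return False
    if request.get("id") is None or reply.get("id") != request.get("id"):
        return False
    expected_to, _ = addresses_client_sent(stream, request)
    reply_to, reply_from = addresses_server_sent(stream, reply)
    return reply_to == stream.full_jid and reply_from == expected_to


if __name__ == "__main__":
    # Constructed sample exchange: a roster request with no 'to'.
    stream = C2SStream("alice@example.org/laptop")
    request = '<iq type="get" id="r1"><query xmlns="jabber:iq:roster"/></iq>'
    for reply in (
        '<iq type="result" id="r1"/>',                     # from = bare JID
        '<iq type="result" id="r1" from="alice@example.org"/>',
        '<iq type="result" id="r1" from="example.org"/>',  # hostname: rejected
    ):
        print(reply, "->", iq_reply_is_acceptable(stream, request, reply))
```

A client that enforces this strictly will drop replies from servers that still answer 'to'-less requests with their hostname in 'from', which the thread says several older servers do; the check is shown as the RFC 6120 reading, and whether to tolerate the hostname form is an interoperability decision for the client author.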

