[Security] [jdev] Spoofing of iq ids and misbehaving servers

Edwin Mons jsf at edwinm.ik.nu
Mon Feb 3 09:38:13 UTC 2014

On 03/02/14 10:13, Philipp Hancke wrote:
>> It wasn't a complain, I've just explained why servers do behave
>> different than the current RFC says. I had the impression several
>> people seem to not know that there was a quiet different RFC before
>> 6120 and most servers were created long time ago.
> Sure. But RFC 3920 has been obsoleted by RFC 6120, so if you still
> want to call yourself an XMPP server you'd better implement 6120.
> But yeah, that's one of the reasons we should update the compliance
> suites. We actually have XEP-0302 doing that, but it never moved to
> draft for some reason.

Except that 6121 tells you in case of the session IQ to send it to be
compatible with servers expecting 3921, and only points to the old
spec.  The old spec tells you to send the IQ to the server instead of to
the bare or full jid of the user, so you might not want to rely on the
behaviour of the unspecified to attribute, and set the to explicitly. 
It's unclear what semantics need to be followed for a mechanism that's
clearly only there to allow interoperability with older clients and servers.


More information about the Security mailing list