[Security] [jdev] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Mon Feb 3 09:44:15 UTC 2014

On 03.02.2014 10:13, Philipp Hancke wrote:
>> It wasn't a complaint, I've just explained why servers behave
>> differently than the current RFC says. I had the impression several
>> people seem to not know that there was a quite different RFC before
>> 6120 and most servers were created a long time ago.
> Sure. But RFC 3920 has been obsoleted by RFC 6120, so if you still want
> to call yourself an XMPP server you'd better implement 6120.

The server I've written isn't of interest (here) and never was my topic.

> But yeah, that's one of the reasons we should update the compliance
> suites. We actually have XEP-0302 doing that, but it never moved to
> draft for some reason.

Sounds like a good idea. According to the list of misbehaving servers
from Thijs Alkemade there currently aren't that many servers around
which are able to call themselves XMPP servers, and I suggest making them
aware of that.

I've just explained a reason for the current state (because no one else 
did) and it only earned me flames.


Alexander Holler
