[standards-jig] S5B vulnerability

Dave Smith dizzyd at jabber.org
Mon Dec 8 15:31:47 UTC 2003



On Dec 6, 2003, at 10:52 PM, Justin Karneges wrote:

> It seems that it is possible to hijack a connection rather easily with
> S5B when there are two private networks involved.
...

So after some thought on this matter, I really don't see any 
vulnerabilities here, beyond what one would normally find in any 
networked system. This "vulnerability" is also present in HTTP -- 
consider if I send someone a URL with a private network address (i.e. 
192.168.1.4) -- if their network has a computer with that address, they 
will be directed to that system instead of mine.

With this in mind, I think that JEP-65 should clarify what happens when 
a recipient indicates that they have connected to streamhost, but the 
initiator discovers that the user is not, in fact, connected to the 
same streamhost the initiator was expecting (i.e. this whole case that 
Justin pointed out).

As with any other protocol, if you want to be certain of the party 
you're talking to, you'll need to use some encryption system that can 
provide authentication (e.g. certs w/ ssl). And as with any other 
protocol, that would need to be a layer over the actual bytestream 
connection.

D.
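
One way an initiator could handle the case described above, as an added example that is not part of the original message or of JEP-65: before trusting the target's streamhost-used reply, it checks that a SOCKS5 CONNECT carrying the session's DST.ADDR (hex SHA-1 of SID + initiator JID + target JID, as JEP-65 defines it) actually arrived on its own listener. The class and method names, the "proceed"/"abort"/"proxy" results and the sample JIDs are assumptions made for illustration.

```python
import hashlib

def s5b_dst_addr(sid, initiator_jid, target_jid):
    """DST.ADDR the target sends: hex SHA-1 of SID + initiator JID + target JID."""
    data = (sid + initiator_jid + target_jid).encode("utf-8")
    return hashlib.sha1(data).hexdigest()

def parse_connect(request):
    """Return DST.ADDR from a SOCKS5 CONNECT request with ATYP=domain name."""
    if len(request) < 5 or request[0] != 0x05 or request[1] != 0x01 or request[3] != 0x03:
        raise ValueError("not a SOCKS5 CONNECT with a domain-name address")
    n = request[4]
    if len(request) != 5 + n + 2:          # header + address + 2-byte port
        raise ValueError("truncated or oversized request")
    return request[5:5 + n].decode("ascii")

class Initiator:
    """Hypothetical initiator that also acts as its own streamhost."""
    def __init__(self, jid):
        self.jid = jid
        self.accepted = set()              # DST.ADDR values seen on our listener

    def on_socks_connect(self, request):
        self.accepted.add(parse_connect(request))

    def on_streamhost_used(self, sid, target_jid, streamhost_jid):
        if streamhost_jid != self.jid:
            return "proxy"                 # third-party streamhost: not covered here
        if s5b_dst_addr(sid, self.jid, target_jid) in self.accepted:
            return "proceed"
        # The target connected to some other host that owns the advertised
        # private address on its own network; do not use this bytestream.
        return "abort"

def demo():
    # Constructed sample values, not taken from any real session.
    sid, me, peer = "s5b-1", "initiator@example.org/a", "target@example.net/b"
    req = b"\x05\x01\x00\x03\x28" + s5b_dst_addr(sid, me, peer).encode() + b"\x00\x00"
    hit, miss = Initiator(me), Initiator(me)
    hit.on_socks_connect(req)              # target really reached our listener
    return hit.on_streamhost_used(sid, peer, me), miss.on_streamhost_used(sid, peer, me)

if __name__ == "__main__":
    print(demo())
```

This check only detects the misdirected connection; it does not authenticate the peer, which still needs a layer over the bytestream as the message says.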
