[standards-jig] S5B vulnerability
dizzyd at jabber.org
Mon Dec 8 15:31:47 UTC 2003
-----BEGIN PGP SIGNED MESSAGE-----
On Dec 6, 2003, at 10:52 PM, Justin Karneges wrote:
> It seems that it is possible to hijack a connection rather easily with
> when there are two private networks involved.
So after some thought on this matter, I really don't see any
vulnerabilities here, beyond what one would normally find in any
networked system. This "vulnerability" is also present in HTTP --
consider if I send someone a URL with a private network address (i.e.
192.168.1.4) -- if their network has a computer with that address, they
will be directed to that system instead of mine.
With this in mind, I think that JEP-65 should clarify what happens when
a recipient indicates that they have connected to streamhost, but the
initiator discovers that the user is not, in fact, connected to the
same streamhost the initiator was expecting (i.e. this whole case that
Justin pointed out).
As with any other protocol, if you want to be certain of the party
you're talking to, you'll need to use some encryption system that can
provide authentication (e.g. certs w/ ssl). And as with any other
protocol, that would need to be a layer over the actual bytestream
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
-----END PGP SIGNATURE-----
More information about the Standards