[standards-jig] JEP-0078 iq:auth change suggestion
cbas at screaming3d.com
Thu Jun 26 22:28:25 UTC 2003
Are you suggesting to break compatibility with just about every existing
implementation for the sake of security-through-obscurity?
There are many ways to find out if an account is registered on a server
which allows S2S or unrestricted C2S traffic.
E.g. basic IQ routing with any namespace. Most servers return a 404
error when the account does not exist, and a 403 when it does exist but
it is not subscribed.
E.g. requesting presence subscription. The server returns <status>Not
Found</status> in the type="unsubscribed" packet.
I tested this using TIMP 1.2 and YMMV.
This all leads to the same information for an intruder.
However the error codes also give legitimate users better information
about why they can not register an account or why they can not subscribe
to someone's presence.
In practice, hiding existing accounts does not make the server more
secure, does it?
A cap on the number of logins per minute per IP address is much more
effective against this sort of attack.
Iain Shigeoka wrote:
> In section 3.1 the original iq-get in iq:auth recommends "If there is
> no such username, the server SHOULD NOT return an error, but instead
> SHOULD return the normal authentication fields". This is good advice
> to avoid hackers learning user accounts on the system.
> However, some/most clients (Exodus for sure) rely on receiving a 401
> error at the iq-get stage of iq:auth in order to automatically try to
> register an account. Thus servers that follow this guidance will
> become incompatible with the auto-registration features of clients.
> Since jabberd1.4 implements it with a 401 on unknown accounts, I think
> we should either add a note indicating this fact and the tradeoffs of
> security versus compatibility in following this advice.
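The per-IP login cap proposed in the post above, worked through as an added example (my code, not from the original message, jabberd or any other Jabber server): a sliding-window limiter that counts every iq:auth attempt from a source address, successful or not, so that cycling through usernames costs the same budget as guessing passwords. The policy values (5 attempts per 60 seconds), the `LoginRateLimiter`/`summarize` names and the sample attempt log are all assumptions constructed for the example.

```python
"""Sliding-window cap on XMPP login attempts per source IP (added example)."""
from collections import defaultdict, deque


class LoginRateLimiter:
    """Allow at most `max_attempts` auth attempts per `window_seconds` per IP.

    The limits are assumed policy values, not numbers from the original post.
    Attempts are counted whether or not the username exists, so the limiter
    does not itself leak which accounts are registered.
    """

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        # ip -> timestamps (seconds) of attempts still inside the window
        self._attempts = defaultdict(deque)

    def allow(self, ip, now):
        """Return True if an attempt from `ip` at time `now` may proceed."""
        recent = self._attempts[ip]
        cutoff = now - self.window
        # Drop attempts that have aged out of the sliding window.
        while recent and recent[0] <= cutoff:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            return False  # server should answer with a generic/throttled error
        recent.append(now)
        return True


def summarize(events, max_attempts=5, window_seconds=60):
    """Replay (timestamp, ip, username) attempts; return {ip: (allowed, throttled)}."""
    limiter = LoginRateLimiter(max_attempts, window_seconds)
    counts = defaultdict(lambda: [0, 0])
    for ts, ip, _username in sorted(events):
        if limiter.allow(ip, ts):
            counts[ip][0] += 1
        else:
            counts[ip][1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed sample attempts (documentation IP ranges, made-up usernames):
# 203.0.113.7 walks through eight different usernames within 35 seconds,
# 198.51.100.2 is a normal user logging in twice, a minute apart.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", f"user{t}") for t in range(0, 40, 5)]
    + [(10, "198.51.100.2", "alice"), (75, "198.51.100.2", "alice")]
)

if __name__ == "__main__":
    for ip, (ok, blocked) in summarize(SAMPLE_EVENTS).items():
        print(f"{ip}: {ok} allowed, {blocked} throttled")
```

The limiter keys on the source address, not the username, which is the point of the post's argument: a cap of this kind slows down bulk probing regardless of whether the server's per-account error codes are informative or uniform.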