[standards-jig] JEP-0078 iq:auth change suggestion

Sebastiaan Deckers cbas at screaming3d.com
Thu Jun 26 22:28:25 UTC 2003


Hello,

Are you suggesting to break compatibility with just about every existing 
implementation for the sake of security-through-obscurity?
There are many ways to find out if an account is registered on a server 
which allows S2S or unrestricted C2S traffic.
E.g. basic IQ routing with any namespace.  Most servers return a 404 
error when the account does not exist, and a 403 when it does exist but 
it is not subscribed.
E.g. requesting presence subscription.  The server returns <status>Not 
Found</status> in the type="unsubscribed" packet.
Etc.

I tested this using TIMP 1.2 and YMMV.

This all leads to the same information for an intruder.
However the error codes also give legitimate users better information 
about why they can not register an account or why they can not subscribe 
to someone's presence.

In practice, hiding existing accounts does not make the server more 
secure, does it?
A cap on the number of logins per minute per IP address is much more 
effective against this sort of attack.

Regards,
Sebastiaan


Iain Shigeoka wrote:

> Hi,
>
> In section 3.1 the original iq-get in iq:auth recommends "If there is 
> no such username, the server SHOULD NOT return an error, but instead 
> SHOULD return the normal authentication fields". This is good advice 
> to avoid hackers learning user accounts on the system.
>
> However, some/most clients (Exodus for sure) rely on receiving a 401 
> error at the iq-get stage of iq:auth in order to automatically try to 
> register an account. Thus servers that follow this guidance will 
> become incompatible with the auto-registration features of clients. 
> Since jabberd1.4 implements it with a 401 on unknown accounts, I think 
> we should either add a note indicating this fact and the tradeoffs of 
> security versus compatibility in following this advice.
>
> Thoughts?
>
> -iain
>
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
>
>
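The two server behaviours the thread contrasts, as an added example that is not code from the thread, jabberd or Exodus: a 401 on an unknown username at the iq:auth get stage, beside the JEP-0078 section 3.1 reply that returns the normal authentication fields either way, plus a check a server maintainer can run to see whether a handler's replies distinguish known from unknown accounts. The account table, stanza ids and usernames are constructed.

```python
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"
# Constructed sample account table standing in for the server's user store.
ACCOUNTS = {"alice": "correct-horse"}

def parse_auth_get(stanza: str) -> tuple[str, str]:
    """Return (iq id, requested username) from an <iq type='get'> in jabber:iq:auth."""
    root = ET.fromstring(stanza)
    query = root.find(f"{{{AUTH_NS}}}query")
    if root.tag != "iq" or root.get("type") != "get" or query is None:
        raise ValueError("not a jabber:iq:auth get")
    return root.get("id", ""), query.findtext(f"{{{AUTH_NS}}}username", default="")

def auth_fields_result(iq_id: str, user: str) -> str:
    """The 'normal authentication fields' reply: username, password, digest, resource."""
    iq = ET.Element("iq", type="result", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=AUTH_NS)
    ET.SubElement(query, "username").text = user
    for field in ("password", "digest", "resource"):
        ET.SubElement(query, field)
    return ET.tostring(iq, encoding="unicode")

def auth_get_leaky(stanza: str) -> str:
    """Behaviour the thread attributes to jabberd1.4: 401 on an unknown username."""
    iq_id, user = parse_auth_get(stanza)
    if user not in ACCOUNTS:
        iq = ET.Element("iq", type="error", id=iq_id)
        ET.SubElement(iq, "error", code="401").text = "Unauthorized"
        return ET.tostring(iq, encoding="unicode")
    return auth_fields_result(iq_id, user)

def auth_get_uniform(stanza: str) -> str:
    """JEP-0078 section 3.1 advice: return the fields whether or not the account exists."""
    iq_id, user = parse_auth_get(stanza)
    return auth_fields_result(iq_id, user)

def auth_get_stanza(iq_id: str, user: str) -> str:
    """Build the client's <iq type='get'> probe for a username (constructed input)."""
    iq = ET.Element("iq", type="get", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=AUTH_NS)
    ET.SubElement(query, "username").text = user
    return ET.tostring(iq, encoding="unicode")

def leaks_existence(handler, known: str, unknown: str) -> bool:
    """True if the handler's replies differ by more than the echoed username."""
    a = handler(auth_get_stanza("a1", known)).replace(known, "USER")
    b = handler(auth_get_stanza("a1", unknown)).replace(unknown, "USER")
    return a != b
```

Note that a uniform reply only closes this one channel; the 404/403 routing and subscription differences Sebastiaan lists remain separate checks to run.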