[standards-jig] JEP-0078 iq:auth change suggestion

Iain Shigeoka iain at jivesoftware.com
Fri Jun 27 04:29:59 UTC 2003


On Thursday, Jun 26, 2003, at 15:28 US/Pacific, Sebastiaan Deckers 
wrote:

> Hello,
>
> Are you suggesting to break compatibility with just about every 
> existing implementation for the sake of security-through-obscurity?

I'm not suggesting it. :) I'm warning that JEP-0078 suggests it and we 
might want to either change it to not suggest it, or at least note that 
it will break compatibility and is 'new behavior' in that it doesn't 
work like jabberd1.x.

> There are many ways to find out if an account is registered on a 
> server which allows S2S or unrestricted C2S traffic.
> Eg. Basic IQ routing with any namespace.  Most servers return a 404 
> error when the account does not exist, and a 403 when it does exist 
> but it is not subscribed.
> Eg. Requesting presence subscription.  The server returns <status>Not 
> Found</status> in the type="unsubscribed" packet.
> Etc.
>
> I tested this using TIMP 1.2 and YMMV.
>
> This all leads to the same information for an intruder.
> However the error codes also give legitimate users better information 
> about why they can not register an account or why they can not 
> subscribe to someone's presence.
>
> In practice, hiding existing accounts does not make the server more 
> secure, does it?
> A cap on the number of logins per minute per IP address is much more 
> effective against this sort of attack.

I wholeheartedly agree. Obscuring user accounts simply reduces the 
search space for account hacking and there are probably better ways of 
reducing the threat given the benefits of error reporting (e.g. 
requiring longer/better passwords, limiting password attempts, etc). 
All systems with auto-registration will probably want to send errors on 
accounts not found.

Anyhow, assuming I have at least one supporter, Peter, oh jep author, 
what say you to a change on the JEP?

-iain

> Iain Shigeoka wrote:
>
>> Hi,
>>
>> In section 3.1 the original iq-get in iq:auth recommends "If there is 
>> no such username, the server SHOULD NOT return an error, but instead 
>> SHOULD return the normal authentication fields". This is good advice 
>> to avoid hackers learning user accounts on the system.
>>
>> However, some/most clients (Exodus for sure) rely on receiving a 
>> 401 error at the iq-get stage of iq:auth in order to automatically 
>> try to register an account. Thus servers that follow this guidance 
>> will become incompatible with the auto-registration features of 
>> clients. Since jabberd1.4 implements it with a 401 on unknown 
>> accounts, I think we should either add a note indicating this fact 
>> and the tradeoffs of security versus compatibility in following this 
>> advice.
>>
>> Thoughts?
>>
>> -iain
>>
>> _______________________________________________
>> Standards-JIG mailing list
>> Standards-JIG at jabber.org
>> http://mailman.jabber.org/listinfo/standards-jig
>>
>>
>
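An added example in Python, not code from the thread, JEP-0078 or any Jabber server: a toy handler for the iq:auth get that returns either the uniform reply JEP-0078 section 3.1 recommends or the jabberd1.x-style 401 that auto-registering clients expect, together with the per-IP attempt cap Sebastiaan suggests as the more effective control. The sample account table, the limit values and the 503 code used when the cap trips are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape, quoteattr

NS_AUTH = "jabber:iq:auth"
KNOWN_USERS = {"alice", "bob"}  # constructed sample account table


class AuthGetHandler:
    """Toy handler for <iq type='get'><query xmlns='jabber:iq:auth'/></iq>."""

    def __init__(self, legacy_401=False, max_attempts=5, window_s=60):
        self.legacy_401 = legacy_401      # True: jabberd1.x-style 401 on unknown user
        self.max_attempts = max_attempts  # assumed policy: gets per IP per window
        self.window_s = window_s
        self.attempts = defaultdict(list)  # ip -> timestamps of recent gets

    def _over_limit(self, ip, now):
        recent = [t for t in self.attempts[ip] if now - t < self.window_s]
        recent.append(now)
        self.attempts[ip] = recent
        return len(recent) > self.max_attempts

    def handle(self, stanza, ip, now):
        """Return the reply stanza (as a string) for one iq:auth get."""
        iq = ET.fromstring(stanza)
        query = iq.find(f"{{{NS_AUTH}}}query")
        username = "" if query is None else query.findtext(f"{{{NS_AUTH}}}username", "")
        head = f"<iq id={quoteattr(iq.get('id', ''))} type="
        echoed = f"<query xmlns='{NS_AUTH}'><username>{escape(username)}</username>"
        # Per-IP cap: the reply is the same whether or not the account exists,
        # so the limiter itself leaks nothing (503 is an assumed choice of code).
        if self._over_limit(ip, now):
            return f"{head}'error'>{echoed}</query><error code='503'>Service Unavailable</error></iq>"
        if self.legacy_401 and username not in KNOWN_USERS:
            # jabberd1.x behaviour that auto-registering clients rely on.
            return f"{head}'error'>{echoed}</query><error code='401'>Unauthorized</error></iq>"
        # JEP-0078 section 3.1: identical fields for known and unknown usernames,
        # so the reply does not reveal whether the account exists.
        return f"{head}'result'>{echoed}<password/><digest/><resource/></query></iq>"


def reply_kind(stanza):
    """Summarise a reply as 'result' or 'error:<code>' (for quick checks)."""
    iq = ET.fromstring(stanza)
    if iq.get("type") == "result":
        return "result"
    return "error:" + iq.find("error").get("code")
```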