[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
stpeter at jabber.org
Thu May 22 20:12:11 UTC 2003
I believe that we receive the same error whether or not the user exists,
but I see your point about receiving error in response to the IQ-get,
and I agree we need to fix that.
On Thu, May 22, 2003 at 12:54:25PM -0700, Chris Mullins wrote:
> I implemented JEP 78 last night, and while doing so found an area that
> concerns me.
> The sending of the User Name during the Auth "discovery" process, and
> the resulting "User does not exist" error code, seems to invite a brute
> force attack aimed at enumerating the users on the server.
> IP Based Karma can eliminate some of this (but a large scale distributed
> attack would still work), but to have this JEP be secure then requires
> that Karma be implemented on the server, which introduces yet another
> Is this something worth fixing before anyone else implements the JEP?
> Chris Mullins
> Members mailing list
> Members at jabber.org
More information about the Standards