[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Joe Hildebrand JHildebrand at jabber.com
Fri May 23 16:28:56 UTC 2003


One of the problems with doing the "right thing" security-wise here
(returning the same error for invalid password and invalid user) is that
many clients today will offer a registration form if the username is
invalid.  I'm ok with breaking that, I suppose, but we need to make sure we
are all making a conscious decision to do so.

-- 
Joe Hildebrand


> -----Original Message-----
> From: Peter Saint-Andre [mailto:stpeter at jabber.org] 
> Sent: Friday, May 23, 2003 9:21 AM
> To: standards-jig at jabber.org
> Cc: members at jabber.org
> 
> On Thu, May 22, 2003 at 02:25:58PM -0700, Evan Prodromou wrote:
> > >>>>> "CM" == Chris Mullins <cmullins at winfessor.com> writes:
> > 
> >     CM> Is this something worth fixing before anyone else implements
> >     CM> the JEP?
> > 
> > "before anyone else implements the JEP"? Doesn't everyone _already_ 
> > implement this JEP? B-)
> > 
> > Since JEP-0078 documents the existing jabber:iq:auth namespace, it
> > doesn't seem to make much sense to enhance it to be more secure. I'd
> > prefer to see this kind of thing addressed in the XMPP SASL
> > authentication instead.
> 
> If you look at how jabber:iq:auth is implemented today (e.g., 
> by the jabberd server), you will note that the response to an 
> IQ get with an invalid username is indeed a 401 error. I 
> agree that this provides a malicious user or script with the 
> ability to discover which usernames are in use. I'm not as 
> sure about the right way to fix this, but I think the JEP 
> should say that a server implementation may return an error 
> (as implementations do now) or an IQ result with the fields 
> to fill out (i.e., treating the username as valid), but must 
> return one or the other.
> 
> Thoughts?
> 
> Peter
> 
> P.S. Moving this thread to Standards-JIG, please reply there.
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
> 
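As an added illustration of the two server behaviours discussed above (this is example code written for this page, not jabberd or any other project's code): a leaky jabber:iq:auth "get" handler that answers unknown usernames with a 401, the uniform variant Peter proposes that treats every username as valid, and a self-check that tells them apart. The `<error code="401">` shape, the helper names and the sample user store are assumptions.

```python
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"
KNOWN_USERS = {"alice", "bob"}  # constructed sample store, not real data


def _parse_username(iq_xml: str):
    # Pull the stanza id and the <username/> out of an <iq type='get'/>.
    req = ET.fromstring(iq_xml)
    el = req.find(f"{{{NS_AUTH}}}query/{{{NS_AUTH}}}username")
    return req.get("id", ""), ((el.text or "") if el is not None else "")


def _fields_result(iq_id: str, username: str) -> str:
    # IQ result listing the fields the client must fill in on the set.
    resp = ET.Element("iq", {"type": "result", "id": iq_id})
    q = ET.SubElement(resp, "query", {"xmlns": NS_AUTH})
    ET.SubElement(q, "username").text = username
    for field in ("password", "digest", "resource"):
        ET.SubElement(q, field)
    return ET.tostring(resp, encoding="unicode")


def _not_authorized(iq_id: str) -> str:
    # Assumed legacy error shape; only the 401 code matters here.
    resp = ET.Element("iq", {"type": "error", "id": iq_id})
    ET.SubElement(resp, "error", {"code": "401"}).text = "Not Authorized"
    return ET.tostring(resp, encoding="unicode")


def leaky_auth_get(iq_xml: str, users=KNOWN_USERS) -> str:
    """Behaviour the thread describes: unknown username -> 401 error."""
    iq_id, username = _parse_username(iq_xml)
    if username not in users:
        return _not_authorized(iq_id)
    return _fields_result(iq_id, username)


def uniform_auth_get(iq_xml: str) -> str:
    """Suggested fix: treat every username as valid at the get stage; the
    credentials are only checked on the later <iq type='set'/>."""
    iq_id, username = _parse_username(iq_xml)
    return _fields_result(iq_id, username)


def get_iq(username: str) -> str:
    return (f"<iq type='get' id='auth1'><query xmlns='{NS_AUTH}'>"
            f"<username>{username}</username></query></iq>")


def leaks_usernames(handler, known="alice", unknown="zz-no-such-user") -> bool:
    """Self-check: replies for a real and a bogus account must differ only
    in the echoed username; any other difference is an enumeration oracle."""
    a = handler(get_iq(known)).replace(known, "U")
    b = handler(get_iq(unknown)).replace(unknown, "U")
    return a != b
```

Note that the uniform handler also breaks the client heuristic Joe mentions, since a client can no longer infer "unknown user, offer registration" from the get reply.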
