[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
JHildebrand at jabber.com
Fri May 23 16:28:56 UTC 2003
One of the problems with doing the "right thing" security-wise here
(returning the same error for invalid password and invalid user) is that
many clients today will offer a registration form if the username is
invalid. I'm ok with breaking that, I suppose, but we need to make sure we
are all making a conscious decision to do so.
> -----Original Message-----
> From: Peter Saint-Andre [mailto:stpeter at jabber.org]
> Sent: Friday, May 23, 2003 9:21 AM
> To: standards-jig at jabber.org
> Cc: members at jabber.org
> On Thu, May 22, 2003 at 02:25:58PM -0700, Evan Prodromou wrote:
> > >>>>> "CM" == Chris Mullins <cmullins at winfessor.com> writes:
> > CM> Is this something worth fixing before anyone else implements
> > CM> the JEP?
> > "before anyone else implements the JEP"? Doesn't everyone _already_
> > implement this JEP? B-)
> > Since JEP-0078 documents the existing jabber:iq:auth namespace, it
> > doesn't seem to make much sense to enhance it to be more
> > secure. I'd
> > prefer to see this kind of thing addressed in the XMPP SASL
> > authentication instead.
> If you look at how jabber:iq:auth is implemented today (e.g.,
> by the jabberd server), you will note that the response to an
> IQ get with an invalid username is indeed a 401 error. I
> agree that this provides a malicious user or script with the
> ability to discover which usernames are in use. I'm not as
> sure about the right way to fix this, but I think the JEP
> should say that a server implementation may return an error
> (as implementations do now) or an IQ result with the fields
> to fill out (i.e., treating the username as valid), but must
> return one or the other.
> P.S. Moving this thread to Standards-JIG, please reply there.
> Standards-JIG mailing list
> Standards-JIG at jabber.org
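An added illustration of the enumeration problem discussed above; this is editor-written example code, not code from the thread, from jabberd, or from JEP-0078. It models both halves of the jabber:iq:auth exchange as plain functions over stanza strings: the IQ get that asks which fields to fill in, and the IQ set that submits credentials. The stanza shapes follow JEP-0078 as the editor recalls them (username/password/digest/resource fields, a 401 error on failure); the ACCOUNTS table, the handler names, the "probe" resource and the use of plaintext rather than digest passwords are all constructed for the example. The leaky get handler reproduces the behaviour Peter describes (401 when the username is unknown), the uniform handlers answer identically whether the user exists or not, and enumerate_users is the attacker's oracle run against each.

```python
import hmac
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"

# Constructed toy account table; a real server would consult its user store.
ACCOUNTS = {"alice": "s3cret", "bob": "hunter2"}


def _query_text(iq, field):
    """Read a child of <query xmlns='jabber:iq:auth'/> from a parsed stanza."""
    return iq.findtext("{%s}query/{%s}%s" % (AUTH_NS, AUTH_NS, field))


def iq_get(username, iq_id="auth1"):
    """Client step 1: ask which auth fields the server wants for this username."""
    iq = ET.Element("iq", type="get", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=AUTH_NS)
    ET.SubElement(query, "username").text = username
    return ET.tostring(iq, encoding="unicode")


def iq_set(username, password, iq_id="auth2"):
    """Client step 2: submit plaintext credentials (digest auth omitted here)."""
    iq = ET.Element("iq", type="set", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=AUTH_NS)
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "password").text = password
    ET.SubElement(query, "resource").text = "probe"  # constructed resource name
    return ET.tostring(iq, encoding="unicode")


def auth_fields_result(iq_id):
    """IQ result listing the fields to fill out, i.e. 'proceed with this username'."""
    iq = ET.Element("iq", type="result", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=AUTH_NS)
    for field in ("username", "password", "digest", "resource"):
        ET.SubElement(query, field)
    return ET.tostring(iq, encoding="unicode")


def not_authorized(iq_id):
    """The 401 error stanza; the uniform handlers use this for every failure."""
    iq = ET.Element("iq", type="error", id=iq_id)
    ET.SubElement(iq, "error", code="401").text = "Unauthorized"
    return ET.tostring(iq, encoding="unicode")


def leaky_get_handler(stanza):
    """Behaviour described in the thread: 401 on the get when the user is unknown."""
    iq = ET.fromstring(stanza)
    if _query_text(iq, "username") not in ACCOUNTS:
        return not_authorized(iq.get("id"))
    return auth_fields_result(iq.get("id"))


def uniform_get_handler(stanza):
    """Fixed variant: the get always returns the field list, revealing nothing."""
    iq = ET.fromstring(stanza)
    return auth_fields_result(iq.get("id"))


def uniform_set_handler(stanza):
    """Authenticate; 'unknown user' and 'wrong password' get the identical 401."""
    iq = ET.fromstring(stanza)
    user = _query_text(iq, "username")
    supplied = (_query_text(iq, "password") or "").encode()
    expected = ACCOUNTS.get(user, "").encode()
    # Compare unconditionally so unknown users take the same code path.
    ok = hmac.compare_digest(expected, supplied)
    if user in ACCOUNTS and ok:
        return ET.tostring(ET.Element("iq", type="result", id=iq.get("id")),
                           encoding="unicode")
    return not_authorized(iq.get("id"))


def enumerate_users(get_handler, candidates):
    """Attacker's oracle: a name is 'confirmed' when the get comes back as a result."""
    confirmed = []
    for i, name in enumerate(candidates):
        reply = ET.fromstring(get_handler(iq_get(name, iq_id="probe%d" % i)))
        if reply.get("type") == "result":
            confirmed.append(name)
    return confirmed


def response_type(handler, stanza):
    """Convenience: the type attribute of whatever the handler answers."""
    return ET.fromstring(handler(stanza)).get("type")


if __name__ == "__main__":
    wordlist = ["alice", "carol", "bob", "dave"]  # constructed probe list
    print("leaky  :", enumerate_users(leaky_get_handler, wordlist))
    print("uniform:", enumerate_users(uniform_get_handler, wordlist))
```

Against the leaky handler the wordlist run yields exactly the real accounts; against the uniform handler every candidate is "confirmed", which is the point: the get no longer distinguishes them, and the set answers a bad password and a nonexistent user with byte-identical stanzas. This is also what breaks the client behaviour Joe mentions, since a client can no longer infer "no such user, offer registration" from the get alone.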