[standards-jig] Security problems with JEP-115
jajcus at bnet.pl
Wed Sep 17 17:10:22 UTC 2003
I have just accidentally looked into JEP-115 (I was going to read it in
the near future anyway) and found things I don't like.

1. For this protocol to work, all clients must not lie about their
versions. This is no good - some people don't like to tell what software
they use. jabber:iq:version could always be turned off or faked without
causing any problems.

2. When one client lies about its version or supported extensions, this may
influence other users' sessions. This is A VERY BAD THING. What kind of
security is it if I can turn some functionality off in other clients???
I think the idea of JEP-115 is totally wrong, but I know the intentions
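Added example, not part of the original post: a toy model of the JEP-115 capabilities cache that shows the second concern above, one client's false version claim altering what an observer believes about a different client. The node URI, feature names and the `scenario` helper are constructed for illustration; the hash-verified variant mirrors the approach later revisions of XEP-0115 took (ver derived from the disco#info result), simplified here to features only.

```python
import base64
import hashlib

def caps_hash(features):
    """Simplified XEP-0115-style hash: sorted features joined with '<',
    SHA-1, base64 (identities and data forms omitted in this toy)."""
    s = "".join(f + "<" for f in sorted(features))
    return base64.b64encode(hashlib.sha1(s.encode()).digest()).decode()

class CapsCache:
    """Cache keyed by node#ver and shared across every contact a client sees.
    With verify_hash=False the cache trusts whatever 'ver' a contact claims
    (original JEP-115 behaviour); with True a disco#info reply whose hash does
    not match the claimed 'ver' is never cached."""
    def __init__(self, verify_hash):
        self.verify_hash = verify_hash
        self.store = {}

    def features_for(self, node, ver, disco_reply):
        key = f"{node}#{ver}"
        if key in self.store:
            return self.store[key]          # cached answer, no disco sent
        features = frozenset(disco_reply()) # what this contact really reports
        if self.verify_hash and caps_hash(features) != ver:
            return features                 # mismatch: use it, but do not cache
        self.store[key] = features
        return features

# Constructed values: an honest client's real feature set and a node URI.
HONEST_FEATURES = frozenset({"http://jabber.org/protocol/chatstates",
                             "urn:xmpp:receipts"})
NODE = "http://example.org/some-client"

def scenario(verify_hash):
    """Observer first sees a lying contact, then an honest one with the same
    node#ver. Returns the features the observer attributes to the honest one."""
    cache = CapsCache(verify_hash)
    ver = caps_hash(HONEST_FEATURES) if verify_hash else "1.0"
    # Liar advertises NODE#ver but answers disco#info with no features at all.
    cache.features_for(NODE, ver, lambda: set())
    # Honest client advertises the same NODE#ver and answers truthfully.
    return cache.features_for(NODE, ver, lambda: set(HONEST_FEATURES))
```

With the unverified cache the honest client is shown as supporting nothing, because the liar's reply was cached under the shared key; with hash verification the liar's reply is rejected and the honest client is queried on its own.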