[standards-jig] Security problems with JEP-115

Jacek Konieczny jajcus at bnet.pl
Wed Sep 17 17:10:22 UTC 2003


I have just accidentally looked into JEP-115 (I was going to read it in
the near future anyway) and found things I don't like.

1. For this protocol to work, all clients must not lie about their
versions. This is no good - some people don't like to tell what software
they use. jabber:iq:version could always be turned off or faked without
causing any problems.

2. When one client lies about its version or supported extensions, this may
influence other users' sessions. This is A VERY BAD THING. What kind of
security is it if I can turn some functionality off in other clients???

I think the idea of JEP-115 is totally wrong, but I know the intentions
were good.
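The concern in point 2, as an added simulation (not code from this post, from JEP-115 or from any Jabber client): a receiving client caches one disco#info answer per advertised (node, ver) pair and reuses it for every sender that announces the same pair, so a client that announces a popular pair while answering with a stripped feature list poisons the entry for every honest sender of that pair. The second cache refuses to share an answer whose hash does not match the advertised ver, which is the approach later revisions of XEP-115 adopted; the hash construction here is a simplified form of that (one identity, no data forms), and the JIDs, node, identity string and feature sets are constructed for the example. The 2003 protocol carried a plain version string in ver; the naive cache ignores ver's contents just as such a client would, so both runs use the hashed form for brevity.

```python
import base64
import hashlib
from typing import Dict, FrozenSet, Tuple

CapsKey = Tuple[str, str]   # (node, ver) as carried in the presence <c/> element
Features = FrozenSet[str]

# Constructed feature sets for the simulation, not data from any real client.
FULL = frozenset({
    "http://jabber.org/protocol/muc",
    "http://jabber.org/protocol/chatstates",
    "jabber:iq:version",
})
STRIPPED = frozenset({"jabber:iq:version"})   # what the lying client answers with


def caps_hash(identity: str, features: Features) -> str:
    """Simplified verification string in the style later XEP-115 revisions use:
    the identity followed by '<', then each feature in sorted order followed by
    '<', SHA-1 hashed and base64 encoded. Simplified: one identity, no data forms."""
    s = identity + "<" + "".join(f + "<" for f in sorted(features))
    return base64.b64encode(hashlib.sha1(s.encode("utf-8")).digest()).decode("ascii")


class Client:
    """A contact's client: what it announces in presence versus what it answers to disco#info.
    The two need not agree; that gap is the whole problem."""

    def __init__(self, jid: str, node: str, ver: str, identity: str, answered: Features) -> None:
        self.jid = jid
        self.node, self.ver = node, ver
        self.identity = identity
        self.answered = answered

    def presence_caps(self) -> CapsKey:
        return (self.node, self.ver)

    def disco_info(self) -> Tuple[str, Features]:
        return (self.identity, self.answered)


class NaiveCapsCache:
    """The first disco#info answer seen for a (node, ver) is trusted for every later sender of it."""

    def __init__(self) -> None:
        self._cache: Dict[CapsKey, Features] = {}

    def features_for(self, client: Client) -> Features:
        key = client.presence_caps()
        if key not in self._cache:
            _identity, feats = client.disco_info()
            self._cache[key] = feats           # whoever answers first wins, for everyone
        return self._cache[key]


class VerifyingCapsCache:
    """Only caches an answer whose hash matches the advertised ver; an unverifiable
    answer is used for that one sender and never shared with other JIDs."""

    def __init__(self) -> None:
        self._cache: Dict[CapsKey, Features] = {}

    def features_for(self, client: Client) -> Features:
        key = client.presence_caps()
        if key in self._cache:
            return self._cache[key]
        identity, feats = client.disco_info()
        if caps_hash(identity, feats) != key[1]:
            return feats                       # mismatch: do not poison the shared entry
        self._cache[key] = feats
        return feats


def scenario(cache_cls) -> Features:
    """The liar announces the honest client's (node, ver) first. Returns the feature
    set the receiving side ends up believing about the honest client."""
    node = "http://example.org/client"                       # constructed
    identity = "client/pc//Example Client 1.0"               # constructed
    ver = caps_hash(identity, FULL)
    honest = Client("alice@example.org/pc", node, ver, identity, FULL)
    liar = Client("mallory@example.org/x", node, ver, identity, STRIPPED)
    cache = cache_cls()
    cache.features_for(liar)       # the liar's presence and disco#info answer arrive first
    return cache.features_for(honest)


if __name__ == "__main__":
    print("naive cache believes honest client supports:", sorted(scenario(NaiveCapsCache)))
    print("verifying cache believes honest client supports:", sorted(scenario(VerifyingCapsCache)))
```

With the naive cache the honest client loses MUC and chat states in the receiver's view without ever having been asked; with the verifying cache the liar's answer is confined to the liar's own session, which is exactly the property the post says the original design lacks.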


