[standards-jig] Security problems with JEP-115

Dave Smith dizzyd at jabber.org
Wed Sep 17 19:19:45 UTC 2003


Jacek,

I don't quite follow why you think that 115 has anything to do with 
security?!

D.

On Wednesday, Sep 17, 2003, at 11:10 America/Denver, Jacek Konieczny 
wrote:

> Hello,
>
> I have just accidentally looked into JEP-115 (I was going to read it in
> some near future anyway) and found things I don't like.
>
> 1. For this protocol to work all clients must not lie about their
> versions. This is no good - some people don't like to tell what
> software they used. jabber:iq:version could always be turned off or
> faked without making any problems.
>
> 2. When one client lies about version or supported extension this may
> influence other users' sessions. This is A VERY BAD THING. What kind of
> security is it if I can turn some functionality off in others'
> clients???
>
> I think the idea of JEP-115 is totally wrong, but I know the intentions
> were good.
>
> Greets,
>         Jacek