[standards-jig] Security problems with JEP-115

Peter Millard me at pgmillard.com
Wed Sep 17 19:41:22 UTC 2003


Jacek Konieczny wrote:
> I think the idea of JEP-115 is totally wrong, but I know the intentions
> were good.

When you shoot something down.. it's most constructive to offer some kind of
alternative. What do you propose to do? Continue the proliferation of
jabber:iq:version requests? I agree that a client MAY lie about what client it
really is, and this could do bad things to caching, etc... I'm not at all sure:

1) How this can be fixed using any protocol without some kind of "verifying"
entity (ala a CA).
2) If it should be fixed.

Some clients are going to lie, and maybe even allow users to pick what their
client advertises itself as (like Konqueror and other web browsers do); however,
do we really care about this slim minority? At the minimum a mention of this
should be included in the security section.

FWIW, if a user doesn't want to advertise what client they are using, they
should be able to turn OFF this broadcast, not just spoof it.

pgm.
