[standards-jig] Security problems with JEP-115

Peter Millard me at pgmillard.com
Wed Sep 17 19:41:22 UTC 2003

Jacek Konieczny wrote:
> I think the idea of JEP-115 is totally wrong, but I know the intentions
> were good.

When you shoot something down, it's most constructive to offer some kind of
alternative. What do you propose to do? Continue the proliferation of
jabber:iq:version requests? I agree that a client MAY lie about what client it
really is, and this could do bad things to caching, etc... I'm not at all sure:

1) How this can be fixed using any protocol without some kind of "verifying"
entity (à la a CA).
2) If it should be fixed.

Some clients are going to lie, and maybe even allow users to pick what their
client advertises itself as (like Konqueror and other web browsers do); however,
do we really care about this slim minority? At the minimum, a mention of this
should be included in the security section.

FWIW, if a user doesn't want to advertise what client they are using, they
should be able to turn OFF this broadcast, not just spoof it.
