[standards-jig] Security problems with JEP-115

Peter Millard me at pgmillard.com
Thu Sep 18 14:52:30 UTC 2003

Jacek Konieczny wrote:
> I think it would be better if client whould announce real feature list
> in their presence (although I don't like announcing anything that is not
> presence/availability in <presence/> stanza) than some hint which can be
> used to use information from other client. Asking some client for
> features of another client is not good. Of course regular disco reply is
> much to large for announcing in <presence/>, but if it would be reduced
> to some kind of bitmask (values whould have to be registered in JR) then
> the <presence/> packet whould not be much bigger than those proposed by
> JEP-115.

This generates more bandwidth than the current draft, and doesn't solve the
security issues that were brought up. The requirements in the JEP state:

    *Clients in disconnected networks MUST be able to participate.
    *Since presence can be rebroadcasted to many users, it is imperative that
the byte size of the proposed extension be minimized.

Sending ALL of your features violates the second requirement. Sending your
"features" instead of a client identifier don't solve the spoofing issue. The
other thing I just wanted to point out is that the "spoofing" problem exists in
almost all client->client protocols we have today:
    - browse, disco, time, version, etc.

> Other solution would be not to ask random client, but some entity
> pointent by the <presence/> packet. This could be some jabber entity
> or eg. HTTP URL.

Using this approach violates the first requirement shown above. This feature
MUST be able to work on a "disconnected network" (no route to the internet). So
a URL or a service on jabber.org would not be able to respond.

I'm also wondering what some of the other client authors think about this
protocol. Would they implement it? Do they think the security issues out-weigh
the gains? I'm specifically thinking about the clients which currently send
jabber:iq:version requests to LOTS of people (either when I login, or join a
room, etc..).


More information about the Standards mailing list