[standards-jig] Security problems with JEP-115
jajcus at bnet.pl
Sat Sep 20 08:37:23 UTC 2003
On Fri, Sep 19, 2003 at 05:08:23PM -0600, Matthew A. Miller wrote:
> >Such "masking" is bad enough. Imagine that the client B is configured to
> >use encryption with any other client that supports it. When this
> >capability is masked client-B would send unencrypted messages.
> If Client-A says it does not support encryption (and doesn't), Client-B
> could never speak encryptedly *to it* anyway. I still don't see the
> problem here.
1. Client-A supports encryption and announces this via "pgp" bundle name
2. Client-B is configured to use encryption with any other client that supports it
3. Client-B asks random client with the same version tag as Client-A
what "pgp" is.
4. The random client is Client-C
5. Client-C replies to Client-B that "pgp" is anything but encryption
6. Client-B trusts Client-C and assumes that "pgp" doesn't contain
encryption namespace, so both Client-A and Client-C don't support
7. Client-B sends unencrypted messages to Client-A
JEP-115 will work only if you trust any Jabber entity you receive
presence from. If an additional test were added, this could be changed
to trusting anyone in your roster - but it is still too much trust
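
The seven steps in the message above, modelled as an added example that is not part of the original post or of JEP-115. The class and function names, the JIDs and the `urn:example:*` namespaces are constructed for illustration, and the per-entity lookup is an assumed contrast case, not something the message proposes.

```python
from dataclasses import dataclass

ENC_NS = "urn:example:encryption"  # constructed placeholder, not a real namespace


@dataclass(frozen=True)
class Client:
    jid: str
    ver: str        # version tag announced in presence
    bundles: tuple  # (bundle name, namespaces) pairs this client reports when asked

    def answer(self, bundle):
        return frozenset(dict(self.bundles).get(bundle, ()))


class ClientB:
    def __init__(self):
        self.by_version = {}  # (ver, bundle) -> namespaces, shared by every peer with that tag
        self.by_entity = {}   # (jid, bundle) -> namespaces, one entry per announcing entity

    def resolve_shared(self, target, bundle, asked):
        # Steps 3-6: whoever is asked first defines the bundle for the whole version tag.
        key = (target.ver, bundle)
        return self.by_version.setdefault(key, asked.answer(bundle))

    def resolve_per_entity(self, target, bundle):
        # Assumed alternative: only the announcing entity speaks for itself.
        key = (target.jid, bundle)
        return self.by_entity.setdefault(key, target.answer(bundle))


def encrypts_to(namespaces):
    return ENC_NS in namespaces


def demo():
    a = Client("a@example.org/home", "1.0", (("pgp", (ENC_NS,)),))
    c = Client("c@example.net/x", "1.0", (("pgp", ("urn:example:other",)),))
    b = ClientB()
    shared = encrypts_to(b.resolve_shared(a, "pgp", asked=c))  # Client-C answers for Client-A
    cached = encrypts_to(b.resolve_shared(a, "pgp", asked=a))  # stored answer is reused
    own = encrypts_to(b.resolve_per_entity(a, "pgp"))          # Client-A answers for itself
    return shared, cached, own


if __name__ == "__main__":
    print(demo())
```

The second lookup shows that once Client-C's answer is stored under the version tag, asking Client-A directly no longer changes the outcome. The per-entity lookup avoids that at the cost of one query per contact.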