[standards-jig] Security problems with JEP-115

Jacek Konieczny jajcus at bnet.pl
Sat Sep 20 08:37:23 UTC 2003


On Fri, Sep 19, 2003 at 05:08:23PM -0600, Matthew A. Miller wrote:
> >Such "masking" is bad enough. Imagine that the client B is configured to
> >use encryption with any other client that supports it. When this
> >capability is masked client-B would send unencrypted messages.
> > 
> >
> If Client-A says it does not support encryption (and doesn't), Client-B 
> could never speak encryptedly *to it* anyway.  I still don't see the 
> problem here.

1. Client-A supports encryption and announces this via the "pgp" bundle name
2. Client-B is configured to use encryption with any other client that supports it
3. Client-B asks a random client with the same version tag as Client-A
what "pgp" is.
4. The random client is Client-C
5. Client-C replies to Client-B that "pgp" is anything but encryption
6. Client-B trusts Client-C and assumes that "pgp" doesn't contain
the encryption namespace, so neither Client-A nor Client-C supports
encryption
7. Client-B sends unencrypted messages to Client-A


JEP-115 will work only if you trust any Jabber entity you receive
presence from. If an additional test were added, this could be changed
to trusting anyone in your roster - but it is still too much trust
required.

Greets,
        Jacek
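
The seven steps above as a runnable model, added here as an example and not part of the original message: a lookup that accepts a bundle definition from any client with the same version tag is compared with one that accepts a reply only when it matches a digest carried in the advertiser's own presence. The class and function names, JIDs, feature strings and the digest binding are assumptions made for this illustration, not something JEP-115 specifies.

```python
import hashlib

ENC = "jabber:x:encrypted"   # feature string assumed for this model

def digest(features):
    """Digest of a feature set, carried in the advertiser's own presence."""
    return hashlib.sha256("<".join(sorted(features)).encode()).hexdigest()

class Client:
    def __init__(self, jid, version, bundles, lies=None):
        self.jid, self.version = jid, version
        self.bundles = bundles        # what the client really supports
        self.lies = lies or {}        # false answers it gives when asked

    def presence(self):
        # Advertisement: version tag plus a digest for every bundle name.
        return {"from": self.jid, "ver": self.version,
                "ext": {n: digest(f) for n, f in self.bundles.items()}}

    def describe(self, name):
        # Reply to the question "what is bundle <name>?"
        return self.lies.get(name, self.bundles[name])

def bundle_features(adv, name, responders, verify):
    """Client-B's lookup: the first accepted answer is what B would cache."""
    for r in responders:
        if r.version != adv["ver"]:
            continue                  # B only asks clients with the same tag
        features = r.describe(name)
        if not verify or digest(features) == adv["ext"][name]:
            return features
    return None                       # unresolved: no answer matched

def will_encrypt(adv, responders, verify):
    features = bundle_features(adv, "pgp", responders, verify)
    return features is not None and ENC in features

# Constructed sample data: Client-C shares Client-A's version tag and lies.
CLIENT_A = Client("a@example.org/home", "1.0", {"pgp": [ENC]})
CLIENT_C = Client("c@example.net/away", "1.0", {"pgp": [ENC]},
                  lies={"pgp": ["jabber:iq:version"]})

if __name__ == "__main__":
    adv = CLIENT_A.presence()
    # Steps 3-7: B asks C first and believes it, so A gets plaintext.
    print("trusting any responder:", will_encrypt(adv, [CLIENT_C, CLIENT_A], False))
    # Same exchange, but C's reply is dropped because it does not match A's digest.
    print("digest-checked reply:  ", will_encrypt(adv, [CLIENT_C, CLIENT_A], True))
```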


