[standards-jig] Security problems with JEP-115

Justin Karneges justin-jdev at affinix.com
Sat Sep 20 19:29:07 UTC 2003


Perhaps version strings should be consistent only on a per-installation basis, 
not per-client.  And the string should be associated with the JID that sent 
it, so that one JID cannot speak for another.

This would mean that we'd lose out on the optimization of minimizing requests 
to the same client software, but I don't think this is a huge loss, as it is 
probably less than 1% of the bandwidth saved out of the total that JEP-115 
provides.

-Justin

On Saturday 20 September 2003 01:37 am, Jacek Konieczny wrote:
> On Fri, Sep 19, 2003 at 05:08:23PM -0600, Matthew A. Miller wrote:
> > >Such "masking" is bad enough. Imagine that the client B is configured to
> > >use encryption with any other client that supports it. When this
> > >capability is masked client-B would send unencrypted messages.
> >
> > If Client-A says it does not support encryption (and doesn't), Client-B
> > could never speak encryptedly *to it* anyway.  I still don't see the
> > problem here.
>
> 1. Client-A supports encryption and announces this via the "pgp" bundle name
> 2. Client-B is configured to use encryption with any other client that
> supports it
> 3. Client-B asks a random client with the same version tag as
> Client-A what "pgp" is.
> 4. The random client is Client-C
> 5. Client-C replies to Client-B that "pgp" is anything but encryption
> 6. Client-B trusts Client-C and assumes that "pgp" doesn't contain the
> encryption namespace, so both Client-A and Client-C don't support
> encryption
> 7. Client-B sends unencrypted messages to Client-A
>
>
> JEP-115 will work only if you trust any jabber entity you receive
> presence from. If an additional test were added this could be changed
> to trusting anyone in your roster - but it is still too much trust
> required.
>
> Greets,
>         Jacek
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
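The seven-step scenario Jacek describes, and the per-JID cache binding Justin proposes in reply, as an added simulation that is not part of the original thread or of any JEP-115 implementation. It builds constructed presence stanzas with a JEP-115 <c/> element, resolves the "pgp" bundle through a capabilities cache, and compares the two cache policies: one keyed only on (node, ver, ext), so the answer of whichever client advertised the bundle most recently (the thread's "random client") is cached for everyone, and one keyed additionally on the JID that sent the presence. The namespace "jabber:x:encrypted", the caps node "http://example.org/client", the JIDs and the disco#info answers are all assumptions of the example; Justin's separate point about per-installation version strings is not modelled.

```python
"""Simulation of the JEP-115 cache-poisoning scenario from the thread (constructed example)."""
import xml.etree.ElementTree as ET

CAPS_NS = "http://jabber.org/protocol/caps"
ENCRYPT_NS = "jabber:x:encrypted"          # assumed: the feature B requires before encrypting
NODE, VER = "http://example.org/client", "1.0"  # assumed caps node/version shared by A and C

A = "a@example.org/home"   # honest client advertising "pgp"
C = "c@example.org/home"   # client with the same node/ver/ext that lies about "pgp"

# Constructed disco#info answers, reduced to the set of feature namespaces each
# client returns when asked what its "pgp" bundle contains.
DISCO_REPLIES = {
    A: {"pgp": {ENCRYPT_NS}},
    C: {"pgp": {"jabber:x:bogus"}},   # "anything but encryption"
}


def presence_with_caps(jid, ext):
    """Constructed presence stanza carrying a JEP-115 <c/> element (not captured traffic)."""
    return (f"<presence xmlns='jabber:client' from='{jid}'>"
            f"<c xmlns='{CAPS_NS}' node='{NODE}' ver='{VER}' ext='{ext}'/>"
            f"</presence>")


def parse_caps(stanza):
    """Return (from_jid, node, ver, [ext, ...]) from a presence stanza with <c/>."""
    el = ET.fromstring(stanza)
    c = el.find(f"{{{CAPS_NS}}}c")
    return el.get("from"), c.get("node"), c.get("ver"), c.get("ext", "").split()


class CapsCache:
    """Capabilities cache of client B under one of the two keying policies."""

    def __init__(self, bind_to_sender):
        self.bind_to_sender = bind_to_sender
        self.cache = {}        # cache key -> set of feature namespaces
        self.advertised = {}   # jid -> (node, ver, [ext, ...]) from its last presence
        self.advertisers = {}  # (node, ver, ext) -> [jid, ...] in order seen

    def on_presence(self, stanza):
        jid, node, ver, exts = parse_caps(stanza)
        self.advertised[jid] = (node, ver, exts)
        for ext in exts:
            self.advertisers.setdefault((node, ver, ext), []).append(jid)

    def features(self, jid, node, ver, ext):
        key = (jid, node, ver, ext) if self.bind_to_sender else (node, ver, ext)
        if key not in self.cache:
            # Shared cache: ask whichever client advertised this bundle most
            # recently (stand-in for the thread's "random client") and cache the
            # answer for every JID using that bundle.  Per-sender cache: only the
            # JID that sent the presence can speak for its own bundle.
            target = jid if self.bind_to_sender else self.advertisers[(node, ver, ext)][-1]
            self.cache[key] = set(DISCO_REPLIES[target][ext])
        return self.cache[key]

    def would_encrypt_to(self, jid):
        """B's policy: encrypt to any contact whose bundles include ENCRYPT_NS."""
        node, ver, exts = self.advertised[jid]
        feats = set()
        for ext in exts:
            feats |= self.features(jid, node, ver, ext)
        return ENCRYPT_NS in feats


def run_scenario(bind_to_sender):
    """Steps 1-7 of the thread: A and C advertise 'pgp', C is seen last, B asks about A."""
    cache = CapsCache(bind_to_sender)
    cache.on_presence(presence_with_caps(A, "pgp"))
    cache.on_presence(presence_with_caps(C, "pgp"))
    return cache.would_encrypt_to(A)


if __name__ == "__main__":
    print("shared cache, B encrypts to A:", run_scenario(bind_to_sender=False))   # False
    print("per-JID cache, B encrypts to A:", run_scenario(bind_to_sender=True))   # True
```

With the shared key, C's false answer about "pgp" is stored under the same key A's bundle resolves to, so B falls back to plaintext for A exactly as in step 7; with the sender-bound key, C can only poison the entry for its own JID. The cost Justin mentions shows up as one extra disco#info round trip per JID rather than per bundle.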
