[standards-jig] Security problems with JEP-115

Peter G. Millard me at pgmillard.com
Sun Sep 21 21:22:04 UTC 2003

Justin Karneges wrote:
> Perhaps version strings should be consistent only on a
> per-installation basis, not per-client.  And the string should be
> associated with the JID that sent it, so that one JID cannot speak
> for another.
> This would mean that we'd lose out on the optimization of minimizing
> requests to the same client software, but I don't think this a huge
> loss, as it is probably less than 1% of the bandwidth saved out of
> the total that JEP-115 provides.

Um, this is kind of the whole point of JEP-115: to eliminate the
mass-duplication when I have 20 Psi users on my roster and I have to disco all
of them. If we eliminate the optimizations, then we're basically back to
sending everyone in my roster a disco request, which is precisely what we're
trying to eliminate.
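
The trade-off the two replies are arguing over can be made concrete with a small simulation. The following is an added example, not code from the thread, from Psi or from any XMPP library: it models the receiving side of a caps cache, first keyed on the advertised node/version pair alone (the de-duplication Peter is defending), then keyed on the sending JID as well (Justin's proposal), and counts both the disco#info requests each strategy costs on a roster of 20 identical clients and what happens when one JID advertises another client's version string. The JIDs, the node URL, the version string and the feature URIs are constructed for illustration; the `disco_info` function stands in for a real disco#info round trip.

```python
"""Added example: the JEP-115 caching trade-off under a spoofed version string.

Not code from the mailing-list thread or from any XMPP client. A contact
advertises a node/ver pair in presence (the caps extension); the receiver
either answers from its cache or sends that contact a disco#info request.
All JIDs, the node URL, the version string and the feature URIs below are
constructed for illustration.
"""

CAPS_NODE = "http://example.org/client/caps"   # constructed node value
CAPS_VER = "0.9.1"                              # constructed version string

# Constructed roster: 20 honest users of the same client build, plus one
# contact that simply copies their node/ver pair into its own presence.
HONEST = [f"user{i}@example.org/home" for i in range(20)]
ATTACKER = "mallory@example.org/evil"

# What each entity would actually answer to a disco#info request.
HONEST_FEATURES = frozenset({
    "http://jabber.org/protocol/disco#info",
    "http://jabber.org/protocol/muc",
})
# Constructed: the attacker answers with a feature the real client lacks.
ATTACKER_FEATURES = frozenset({
    "http://jabber.org/protocol/disco#info",
    "urn:example:auto-accept-file-transfer",
})


def disco_info(jid):
    """Stand-in for a disco#info round trip: returns what JID itself claims."""
    return ATTACKER_FEATURES if jid == ATTACKER else HONEST_FEATURES


def resolve_caps(presences, per_jid):
    """Process a stream of (jid, node, ver) presences in arrival order.

    per_jid=False: cache keyed on (node, ver) only, the JEP-115 optimisation.
    per_jid=True:  cache keyed on (jid, node, ver), the proposal in the thread.
    Returns (number of disco#info requests sent, {jid: features}).
    """
    cache = {}
    requests = 0
    resolved = {}
    for jid, node, ver in presences:
        key = (jid, node, ver) if per_jid else (node, ver)
        if key not in cache:
            cache[key] = disco_info(jid)   # only a cache miss costs a request
            requests += 1
        resolved[jid] = cache[key]
    return requests, resolved


def bandwidth_saving():
    """Honest roster only: requests sent by (shared cache, per-JID cache)."""
    presences = [(j, CAPS_NODE, CAPS_VER) for j in HONEST]
    shared, _ = resolve_caps(presences, per_jid=False)
    strict, _ = resolve_caps(presences, per_jid=True)
    return shared, strict


def poisoning_effect():
    """Attacker's presence arrives first: honest users credited with the
    attacker's feature set, for (shared cache, per-JID cache)."""
    presences = [(ATTACKER, CAPS_NODE, CAPS_VER)]
    presences += [(j, CAPS_NODE, CAPS_VER) for j in HONEST]
    _, shared = resolve_caps(presences, per_jid=False)
    _, strict = resolve_caps(presences, per_jid=True)
    wrong_shared = sum(1 for j in HONEST if shared[j] != HONEST_FEATURES)
    wrong_strict = sum(1 for j in HONEST if strict[j] != HONEST_FEATURES)
    return wrong_shared, wrong_strict


if __name__ == "__main__":
    print("disco requests (shared, per-JID):", bandwidth_saving())
    print("honest users given wrong features (shared, per-JID):",
          poisoning_effect())
```

With the shared cache the 20 honest clients cost one disco#info request instead of 20, which is the saving Peter describes; with the per-JID cache the request count is back to 20, which is the cost Justin is willing to pay. The price of the shared cache is that whoever is asked first answers for everyone with the same node/ver pair: if the attacker's presence arrives first, all 20 honest users are recorded with the attacker's feature set, and if it arrives later, the attacker is credited with the cached feature set without ever being asked. Keying on the JID removes both directions of "one JID speaking for another", at the cost of the de-duplication.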


