[standards-jig] Security problems with JEP-115
justin-jdev at affinix.com
Sun Sep 21 22:44:37 UTC 2003
On Sunday 21 September 2003 02:22 pm, Peter G. Millard wrote:
> Justin Karneges wrote:
> > Perhaps version strings should be consistent only on a
> > per-installation basis, not per-client. And the string should be
> > associated with the JID that sent it, so that one JID cannot speak
> > for another.
> > This would mean that we'd lose out on the optimization of minimizing
> > requests to the same client software, but I don't think this is a huge
> > loss, as it is probably less than 1% of the bandwidth saved out of
> > the total that JEP-115 provides.
> Um, this is kind of the whole point of JEP-115: to eliminate the
> mass-duplication when I have 20 Psi users on my roster and I have to disco
> all of them. If we eliminate the optimizations, then we're basically back to
> sending everyone in my roster a disco request, which is precisely what
> we're trying to eliminate.
Well, the original point was to not flood the network during logins or when
new contacts become available. Sure, if we eliminate the client-version
optimization, you would end up having to query all 20 of those Psi users, but
this would only be a one-time deal. The 'bulk' of the bandwidth savings
would remain, which is that you wouldn't query any of these users again until
they upgrade and/or change clients. Those 19 extra requests that you did on
day 1 are of little concern, IMO.
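The trade-off argued over above can be made concrete with a toy model. The following is an added example, not code from this thread or from JEP-115 itself: a caps cache keyed either per version string (the deduplication Peter defends) or per (JID, version string) (the scheme Justin proposes), run over the 20-Psi-users scenario plus one contact that advertises the same version string but answers disco differently. The JIDs, the caps node, the feature URIs and the disco_info responder are constructed sample data and assumptions for illustration.

```python
# Added example, not code from the original thread or from JEP-115 itself:
# a toy model of an entity-capabilities cache under the two keying schemes
# discussed in the thread. JIDs, caps node and feature URIs are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Presence:
    jid: str   # full JID of the sender
    node: str  # caps node (identifies the client software)
    ver: str   # caps version string


@dataclass
class CapsCache:
    """Cache of disco#info results learned through caps.

    per_jid=False: one entry per (node, ver), shared by every JID that
                   advertises it (the request deduplication the quoted
                   reply defends).
    per_jid=True:  one entry per (jid, node, ver), so a disco answer is only
                   ever applied to the JID that gave it.
    """
    per_jid: bool
    entries: dict = field(default_factory=dict)
    disco_requests: int = 0

    def _key(self, p):
        return (p.jid, p.node, p.ver) if self.per_jid else (p.node, p.ver)

    def on_presence(self, p, disco_info):
        """Handle a presence carrying caps. disco_info(jid) models sending a
        disco#info request to that JID and is only called on a cache miss."""
        key = self._key(p)
        if key not in self.entries:
            self.disco_requests += 1
            self.entries[key] = frozenset(disco_info(p.jid))
        return self.entries[key]


PSI_NODE, PSI_VER = "http://psi-im.org/caps", "0.9"   # assumed sample values
HONEST = frozenset({"http://jabber.org/protocol/disco#info",
                    "http://jabber.org/protocol/muc"})
BOGUS = frozenset({"http://jabber.org/protocol/disco#info"})  # claims no MUC
ROGUE = "mallory@example.org/home"                             # constructed
PSI_USERS = [f"user{i}@example.org/psi" for i in range(20)]    # constructed


def disco_info(jid):
    """Constructed responder: the rogue JID advertises Psi's node/ver but
    answers disco with a different feature set than the real Psi users do."""
    return BOGUS if jid == ROGUE else HONEST


def simulate(per_jid):
    """Run the thread's scenario: a roster with 20 Psi users, plus one rogue
    contact that comes online first using the same version string.

    Returns the disco request count for day 1 (first sight of everyone), for
    day 2 (everyone comes online again unchanged), for one user upgrading to
    a new version string, and whether the cache now reports the rogue's
    answer for an honest Psi user.
    """
    cache = CapsCache(per_jid=per_jid)
    day1 = [Presence(ROGUE, PSI_NODE, PSI_VER)] + \
           [Presence(j, PSI_NODE, PSI_VER) for j in PSI_USERS]
    for p in day1:
        cache.on_presence(p, disco_info)
    day1_requests = cache.disco_requests

    for p in day1:               # same clients, same versions: all cache hits
        cache.on_presence(p, disco_info)
    day2_requests = cache.disco_requests - day1_requests

    cache.on_presence(Presence(PSI_USERS[1], PSI_NODE, "0.9.1"), disco_info)
    upgrade_requests = cache.disco_requests - day1_requests - day2_requests

    honest_view = cache.on_presence(Presence(PSI_USERS[0], PSI_NODE, PSI_VER),
                                    disco_info)
    return {
        "day1_requests": day1_requests,
        "day2_requests": day2_requests,
        "upgrade_requests": upgrade_requests,
        "honest_user_poisoned": honest_view != HONEST,
    }


if __name__ == "__main__":
    for per_jid in (False, True):
        print("per-jid" if per_jid else "shared ", simulate(per_jid))
```

With shared keying the rogue's single answer is cached under Psi's version string and then reported for all 20 honest users (one JID speaking for the others); with per-JID keying the honest users are unaffected, at the cost of 20 extra requests on day 1 only. In both schemes a repeat login costs nothing and an upgrade costs one request, which is the bulk of the savings Justin says remain.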