[standards-jig] Security problems with JEP-115

Jacek Konieczny jajcus at bnet.pl
Tue Sep 23 08:52:09 UTC 2003


On Mon, Sep 22, 2003 at 02:02:19PM -0600, Joe Hildebrand wrote:
> Why couldn't I just send a MD-5 that matches the bad info that I was about
> to give out?

You will just lie about your capabilities then. There is nothing wrong
with it. Any other client won't use the same MD5 sum, so the bad
information wont influence them.

> How is that any different than what we have now? 

Much different - when two clients return the same MD5 sum than
you may be sure they will return the same set of features or the
validation will fail. You can safely ask one client for the feature list
and if the response is valid (matches MD5 sum) you can assume the same
list is true for any other client which assumes the same MD5.

This will not be true only if some client has broken implementation of
this protocol, but it would not influence properly coded clients.

Greets,
	Jacek



More information about the Standards mailing list