[standards-jig] defeating invisibility

Peter Saint-Andre stpeter at jabber.org
Tue Jan 20 17:33:36 UTC 2004


I chatted with someone last week who brought up a good point about
invisibility (whether JEP-0126 or JEP-0018): there are straightforward
ways to defeat it. Let's say I've gone invisible. You can send me an
iq:last (JEP-0012) request. If I don't change my resource often (e.g., 
during the work day, my full JID is usually stpeter at jabber.org/work), 
then you could send a time or version request to that usual full JID.
Do servers and clients need to block such requests if the user is trying
to be invisible? Should the client add IQ blocking to its privacy list
for invisibility? Should the user be forewarned that invisibility is not
as invisible as it might seem? At the least it seems we need to improve the
security considerations section of JEP-0126. But at least JEP-0126 gives
us a way to make invisibility more invisible than JEP-0018 did.

Thoughts?

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php
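To make the point concrete, here is an added example (not from the post, and not code from the Jabber Software Foundation) that evaluates a JEP-0016 privacy list against an incoming IQ probe such as the iq:last request described above. It assumes a simplified evaluator: items are applied in `order`, an item with no child elements covers all stanza types, `type='jid'` matching covers full JID, bare JID and domain forms only, and `group`/`subscription` items are treated as non-matching because no roster is available. The two list bodies (`WEAK_LIST`, which only denies outbound presence as a plain JEP-0126 invisibility list does, and `HARDENED_LIST`, which also denies IQ from everyone except the user's own bare JID) are constructed for this example.

```python
"""Evaluate a JEP-0016 privacy list against probe stanzas (added example)."""
import xml.etree.ElementTree as ET

NS = "jabber:iq:privacy"

# Constructed sample: the usual invisibility list blocks only outbound presence,
# so an iq:last / time / version request to the full JID still gets answered.
WEAK_LIST = """
<list xmlns='jabber:iq:privacy' name='invisible'>
  <item action='deny' order='1'><presence-out/></item>
</list>
"""

# Constructed sample: additionally deny all IQ while invisible, but keep the
# user's own other resources (bare JID match) able to reach this one. The
# self-allow item is an assumption about what the user wants, not JEP-0126 text.
HARDENED_LIST = """
<list xmlns='jabber:iq:privacy' name='invisible'>
  <item type='jid' value='stpeter@jabber.org' action='allow' order='1'/>
  <item action='deny' order='2'>
    <presence-out/>
    <iq/>
  </item>
</list>
"""

# Stanza-type child elements recognised by JEP-0016.
STANZA_TAGS = {"message", "presence-in", "presence-out", "iq"}


def jid_matches(pattern, jid):
    """Simplified JEP-0016 jid matching: full JID, bare JID (any resource), or domain."""
    bare = jid.split("/", 1)[0]
    domain = bare.split("@", 1)[-1]
    if "@" in pattern and "/" in pattern:
        return pattern == jid          # exact full JID
    if "@" in pattern:
        return pattern == bare         # bare JID covers all resources
    return pattern == domain           # whole domain (domain/resource form omitted)


def evaluate(list_xml, stanza, sender):
    """Return 'allow' or 'deny' for a stanza of the given kind from sender.

    stanza is one of STANZA_TAGS. Items are applied in ascending order; the
    first matching item decides. Nothing matching means the stanza is allowed.
    """
    root = ET.fromstring(list_xml)
    items = sorted(root.findall(f"{{{NS}}}item"), key=lambda i: int(i.get("order")))
    for item in items:
        # Which stanza kinds this item covers; none listed means all of them.
        kinds = {child.tag.split("}", 1)[-1] for child in item} & STANZA_TAGS
        if kinds and stanza not in kinds:
            continue
        item_type = item.get("type")
        if item_type is None:
            return item.get("action")
        if item_type == "jid" and jid_matches(item.get("value"), sender):
            return item.get("action")
        # group / subscription items would need roster data; assumed non-matching here.
    return "allow"


if __name__ == "__main__":
    probe = "someone@example.org/probe"
    for name, lst in (("weak", WEAK_LIST), ("hardened", HARDENED_LIST)):
        print(name, "iq from stranger:", evaluate(lst, "iq", probe))
```

With the weak list the probe's IQ is allowed, which is exactly the leak described above; the hardened list denies it while still letting the user's own bare JID through and leaving ordinary messages unaffected.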



