[standards-jig] defeating invisibility

Matthew A. Miller linuxwolf at outer-planes.net
Tue Jan 20 18:19:11 UTC 2004


Looking at privacy, it would be possible for a client to specify 
IQ-blocking at the same time they specify invisibility, using the same 
conditions for both.  Otherwise, this to me seems to be an 
implementation issue, with all the protocol abilities already present.  
I think we need not provide any more than a more robust "Security 
Considerations" and/or "Implementation Notes".


-  LW

Peter Saint-Andre wrote:

>I chatted with someone last week who brought up a good point about
>invisibility (whether JEP-0126 or JEP-0018): there are straightforward
>ways to defeat it. Let's say I've gone invisible. You can send me an 
>iq:last (JEP-0012) request. If I don't change my resource often (e.g., 
>during the work day, my full JID is usually stpeter at jabber.org/work), 
>then you could send a time or version request to that usual full JID.
>Do servers and clients need to block such requests if the user is trying
>to be invisible? Should the client add IQ blocking to its privacy list
>for invisibility? Should the user be forewarned that invisibility is not
>invisible as it might seem? At the least it seems we need to improve the
>security considerations section of JEP-0126. But at least JEP-0126 gives
>us a way to make invisibility more invisible than JEP-0018 did.
>
>Thoughts?
>
>Peter
>
>  
>
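The pairing suggested in the reply above (deny IQ under the same conditions as outbound presence) can be checked mechanically. The following is an added example, not part of the original thread or of any JEP text: it assumes the JEP-0016 privacy-list format (`jabber:iq:privacy`) that JEP-0126 builds on, and the function names, group name and sample list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "jabber:iq:privacy"   # JEP-0016 privacy list namespace
ALL_KINDS = {"message", "iq", "presence-in", "presence-out"}

def build_invisibility_list(name, conditions):
    """Build a list that denies presence-out AND iq for each condition.
    conditions: (type, value) pairs; (None, None) matches every entity."""
    lst = ET.Element(f"{{{NS}}}list", {"name": name})
    for order, (ctype, value) in enumerate(conditions, start=1):
        attrs = {"action": "deny", "order": str(order)}
        if ctype is not None:
            attrs.update({"type": ctype, "value": value})
        item = ET.SubElement(lst, f"{{{NS}}}item", attrs)
        ET.SubElement(item, f"{{{NS}}}presence-out")  # hide presence
        ET.SubElement(item, f"{{{NS}}}iq")            # drop last/time/version probes
    return lst

def unprotected_conditions(list_xml):
    """Return conditions where presence-out is denied but iq is not.
    Simplification: only deny rules are compared; rule order and
    overriding allow rules are not evaluated."""
    hidden, iq_blocked = set(), set()
    for item in ET.fromstring(list_xml).iter(f"{{{NS}}}item"):
        if item.get("action") != "deny":
            continue
        cond = (item.get("type"), item.get("value"))
        kinds = {child.tag.rsplit("}", 1)[-1] for child in item}
        if not kinds:              # no child element: rule covers all stanza kinds
            kinds = ALL_KINDS
        if "presence-out" in kinds:
            hidden.add(cond)
        if "iq" in kinds:
            iq_blocked.add(cond)
    if (None, None) in iq_blocked:  # a catch-all iq deny covers every condition
        return []
    return sorted(hidden - iq_blocked, key=str)

# Constructed sample: invisible to a roster group, but IQ still answered.
WEAK = """<list xmlns='jabber:iq:privacy' name='invisible'>
  <item type='group' value='Coworkers' action='deny' order='1'><presence-out/></item>
</list>"""

if __name__ == "__main__":
    print("leaky conditions:", unprotected_conditions(WEAK))
    fixed = build_invisibility_list("invisible", [("group", "Coworkers")])
    print(ET.tostring(fixed, encoding="unicode"))
```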



