[standards-jig] JEP 12 (IQ:Last) Security Concerns

Chris Mullins cmullins at winfessor.com
Wed Jan 21 06:16:32 UTC 2004


As it's Jepped, IQ:Last presents some very large security concerns. 


Any user can query a server and discover quite a bit of data about
another user. This makes this less than an ideal solution. 

If we applied the XMPP rules for Presence Probes to IQ:Last, I believe
the overall solution would be much better. The two items are very
similar, and can largely be treated the same. These rules are:


------ (IM section 5.1) ------
Upon receiving a presence probe from the user, the contact's server
SHOULD reply as follows: 

1. If the user is not in the contact's roster with a subscription state
of "From", "From + Pending Out", or "Both" (as defined under
Subscription States), the contact's server MUST return a presence stanza
of type "error" in response to the presence probe (however, if a server
receives a presence probe from a subdomain of the server's hostname or
another such trusted service, it MAY provide presence information about
the user to that entity). Specifically: 
	1A. if the user is in the contact's roster with a subscription
	state of "None", "None + Pending Out", or "To", the contact's server
	MUST return a <forbidden/> stanza error in response to the presence
	probe. 
	1B. if the user is in the contact's roster with a subscription
	state of "None + Pending In", "None + Pending Out/In", or "To + Pending
	In", the contact's server MUST return a <not-authorized/> stanza error
	in response to the presence probe. 

2. Else, if the contact is blocking presence notifications to the user's
bare JID or full JID (using either a default list or active list as
defined under Blocking Outbound Presence Notifications), the server MUST
NOT reply to the presence probe. 

3. Else, if the contact has no available resources, the server MUST
either (1) reply to the presence probe by sending to the user the full
XML of the last presence stanza of type "unavailable" received by the
server from the contact, or (2) not reply at all. 

4. Else, if the contact has at least one available resource, the server
MUST reply to the presence probe by sending to the user the full XML of
the last presence stanza received by the server from each of the
contact's available resources (again, subject to privacy rules for each
session).

Thoughts? 

-- 
Chris Mullins
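As an added illustration (not code from the post, the JEP, or the XMPP specification), the quoted section 5.1 rules written out as a decision procedure, with a second entry point that gates a jabber:iq:last query with the same rules 1 and 2 before any idle time is disclosed, which is what the post proposes. The JIDs, presence XML and idle-seconds values are constructed sample data; the treatment of a requester who is absent from the roster as equivalent to "None" is an assumption, since the quoted text only enumerates roster states.

```python
"""Decision logic for XMPP IM section 5.1 presence probes, applied uniformly
to jabber:iq:last queries. Added example; all sample data is constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Sub(Enum):
    """Roster subscription states named in the quoted rules."""
    NONE = "None"
    NONE_PENDING_OUT = "None + Pending Out"
    NONE_PENDING_IN = "None + Pending In"
    NONE_PENDING_OUT_IN = "None + Pending Out/In"
    TO = "To"
    TO_PENDING_IN = "To + Pending In"
    FROM = "From"
    FROM_PENDING_OUT = "From + Pending Out"
    BOTH = "Both"


# Rule 1: only these states entitle the requester to the contact's information.
ENTITLED = {Sub.FROM, Sub.FROM_PENDING_OUT, Sub.BOTH}
# Rules 1A / 1B: which stanza error to return when the requester is not entitled.
FORBIDDEN = {Sub.NONE, Sub.NONE_PENDING_OUT, Sub.TO}
NOT_AUTHORIZED = {Sub.NONE_PENDING_IN, Sub.NONE_PENDING_OUT_IN, Sub.TO_PENDING_IN}


@dataclass
class Contact:
    roster: dict                                    # bare JID -> Sub
    blocked: set = field(default_factory=set)       # JIDs denied outbound presence (rule 2)
    available: dict = field(default_factory=dict)   # resource -> last presence XML
    last_unavailable: Optional[str] = None          # last "unavailable" presence seen
    idle_seconds: int = 0                           # what jabber:iq:last would disclose


def bare_jid(jid: str) -> str:
    return jid.split("/", 1)[0]


def authorize(contact: Contact, requester: str) -> Optional[str]:
    """Rules 1 and 2. Returns None when a reply may proceed, "forbidden" or
    "not-authorized" for a stanza error, or "silence" when the contact's
    privacy list says not to answer at all."""
    state = contact.roster.get(bare_jid(requester))
    if state is None:
        # Assumption: a requester absent from the roster is treated like "None".
        return "forbidden"
    if state not in ENTITLED:
        return "forbidden" if state in FORBIDDEN else "not-authorized"
    if bare_jid(requester) in contact.blocked or requester in contact.blocked:
        return "silence"
    return None


def handle_probe(contact: Contact, requester: str) -> tuple:
    """Rules 1 to 4 for a presence probe from `requester` (a full JID)."""
    verdict = authorize(contact, requester)
    if verdict in ("forbidden", "not-authorized"):
        return ("error", verdict)
    if verdict == "silence":
        return ("no-reply", None)
    if not contact.available:                                   # rule 3
        if contact.last_unavailable is None:
            return ("no-reply", None)
        return ("unavailable", contact.last_unavailable)
    return ("available", list(contact.available.values()))      # rule 4


def handle_last_query(contact: Contact, requester: str) -> tuple:
    """The post's proposal: gate jabber:iq:last with rules 1 and 2 so the
    idle time is disclosed only to entitled, unblocked requesters."""
    verdict = authorize(contact, requester)
    if verdict in ("forbidden", "not-authorized"):
        return ("error", verdict)
    if verdict == "silence":
        return ("no-reply", None)
    return ("seconds", contact.idle_seconds)


# Constructed sample state for the contact alice@example.com.
ALICE = Contact(
    roster={
        "bob@example.com": Sub.BOTH,
        "carol@example.com": Sub.TO,
        "dave@example.com": Sub.NONE_PENDING_IN,
        "eve@example.com": Sub.FROM,
    },
    blocked={"eve@example.com"},
    available={"laptop": '<presence from="alice@example.com/laptop"><show>away</show></presence>'},
    idle_seconds=300,
)

if __name__ == "__main__":
    for who in ("bob", "carol", "dave", "eve"):
        jid = f"{who}@example.com/home"
        print(jid, handle_probe(ALICE, jid), handle_last_query(ALICE, jid))
```

The point of the shared `authorize()` is that the presence probe and the last-activity query are the same disclosure decision: if a requester would get `<forbidden/>` or `<not-authorized/>` for a probe, or silence because of a privacy list, the same requester gets the same answer for iq:last instead of the contact's idle time.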