[standards-jig] JEP 12 (IQ:Last) Security Concerns

Peter Saint-Andre stpeter at jabber.org
Wed Jan 21 13:55:43 UTC 2004


Yes, I plan to work on that when I go back through all the JEPs adding
error handling and such.

Peter

On Tue, Jan 20, 2004 at 10:16:32PM -0800, Chris Mullins wrote:
> 
> As it's Jepped, IQ:Last presents some very large security concerns. 
> 
> 
> Any user can query a server and discover quite a bit of data about
> another user. This makes this less than an ideal solution. 
> 
> If we applied the XMPP rules for Presence Probes to IQ:Last, I believe
> the overall solution would be much better. The two items are very
> similar, and can largely be treated the same. These rules are:
> 
> 
> ------ (IM section 5.1) ------
> Upon receiving a presence probe from the user, the contact's server
> SHOULD reply as follows: 
> 
> 1. If the user is not in the contact's roster with a subscription state
> of "From", "From + Pending Out", or "Both" (as defined under
> Subscription States), the contact's server MUST return a presence stanza
> of type "error" in response to the presence probe (however, if a server
> receives a presence probe from a subdomain of the server's hostname or
> another such trusted service, it MAY provide presence information about
> the user to that entity). Specifically: 
> 	1A. if the user is in the contact's roster with a subscription
> state of "None", "None + Pending Out", or "To", the contact's server
> MUST return a <forbidden/> stanza error in response to the presence
> probe. 
> 	1B. if the user is in the contact's roster with a subscription
> state of "None + Pending In", "None + Pending Out/In", or "To + Pending
> In", the contact's server MUST return a <not-authorized/> stanza error
> in response to the presence probe. 
> 
> 2. Else, if the contact is blocking presence notifications to the user's
> bare JID or full JID (using either a default list or active list as
> defined under Blocking Outbound Presence Notifications), the server MUST
> NOT reply to the presence probe. 
> 
> 3. Else, if the contact has no available resources, the server MUST
> either (1) reply to the presence probe by sending to the user the full
> XML of the last presence stanza of type "unavailable" received by the
> server from the contact, or (2) not reply at all. 
> 
> 4. Else, if the contact has at least one available resource, the server
> MUST reply to the presence probe by sending to the user the full XML of
> the last presence stanza received by the server from each of the
> contact's available resources (again, subject to privacy rules for each
> session).
> 
> Thoughts? 
> 
> -- 
> Chris Mullins
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
> 

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php
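The presence-probe rules quoted above, applied to a jabber:iq:last query as Chris proposes, as an added example that is not code from this thread or from any XMPP server. The Contact record, the trusted-requester flag and the seconds value returned for an online contact are assumptions made for the example.

```python
"""RFC 3921 IM section 5.1 probe rules applied to a jabber:iq:last query.
Added example; Contact and the trusted flag are constructed, not from the thread."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Subscription states in the contact's roster entry for the requesting user.
FORBIDDEN = {"None", "None + Pending Out", "To"}                                      # rule 1A
NOT_AUTHORIZED = {"None + Pending In", "None + Pending Out/In", "To + Pending In"}    # rule 1B
PERMITTED = {"From", "From + Pending Out", "Both"}                                    # rule 1 passes


@dataclass
class Contact:
    """Server-side view of the queried contact (constructed for this example)."""
    subscription: str                 # roster state towards the requesting user
    blocks_requester: bool = False    # privacy list blocks outbound presence to the requester
    available_resources: int = 0
    seconds_since_logout: int = 0


def iq_last_decision(contact: Contact, requester_trusted: bool = False,
                     reply_when_offline: bool = True) -> Tuple[str, Optional[str]]:
    """Return (outcome, payload) for an iq:last query aimed at the contact's bare JID.

    outcome is 'forbidden', 'not-authorized', 'no-reply' or 'result';
    payload is the query element to return, present only for 'result'.
    """
    # Rule 1: without a From/Both subscription the server answers with an error,
    # unless the requester is a trusted service of the same server (the MAY clause).
    if contact.subscription not in PERMITTED and not requester_trusted:
        if contact.subscription in FORBIDDEN:
            return "forbidden", None
        if contact.subscription in NOT_AUTHORIZED:
            return "not-authorized", None
        raise ValueError(f"unknown subscription state: {contact.subscription!r}")
    # Rule 2: a privacy list blocking the requester means silence, not an error,
    # so the requester learns nothing from the absence of a reply.
    if contact.blocks_requester:
        return "no-reply", None
    # Rule 3: contact offline -> either reply with last-known data or stay silent.
    if contact.available_resources == 0:
        if not reply_when_offline:
            return "no-reply", None
        return "result", f"<query xmlns='jabber:iq:last' seconds='{contact.seconds_since_logout}'/>"
    # Rule 4: contact online -> reply (still subject to per-session privacy rules).
    # seconds='0' for an online contact is an assumption of this example.
    return "result", "<query xmlns='jabber:iq:last' seconds='0'/>"
```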