[Standards-JIG] NEW: JEP-0165 (Prevention of JID Spoofing)
m at tthias.net
Thu Nov 17 10:38:54 UTC 2005
Maciek Niedzielski wrote:
>Peter, maybe you want some more ways to mimic your jid?
There was a reply to this, that this should be normalized by stringprep.
– I already deleted this reply, so I will answer this one.
Normalizing by stringprep could be another problem that can be used to
mimic messages of other people: We still have many servers on the
network that do not use stringprep. On these servers you can register
accounts that would get normalized to usernames that are already used.
If the user of such an account sends a message to a user of a
server that uses stringprep and that normalizes all incoming messages
on s2s, the message will be delivered as if it were from the other user.
Server a.examp1e.com does not use stringprep and has a user
stpeter at a.examp1e.com. Someone else who wants to send messages that look
like they are from this user could register the account
When this second user sends a message to maciek at b.example.com (and
b.example.com uses stringprep on incoming messages), the message would
arrive as being sent by stpeter at a.examp1e.com.
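
The collision described in this message can be audited for. The following is an added example, not part of the original post: a simplified Nodeprep (mapping, NFKC and prohibited-character steps only; the bidi and unassigned-code-point checks are omitted) used to find registered node names that normalize to the same value, plus a receiving-side check that flags a `from` address that is not already in normalized form. The account list, function names and the flag-instead-of-normalize policy are assumptions made for illustration.

```python
import stringprep
import unicodedata
from collections import defaultdict

# Characters Nodeprep prohibits in addition to the stringprep C tables.
NODEPREP_EXTRA = set("\"&'/:<>@")
PROHIBITED = (
    stringprep.in_table_c11, stringprep.in_table_c12, stringprep.in_table_c21,
    stringprep.in_table_c22, stringprep.in_table_c3, stringprep.in_table_c4,
    stringprep.in_table_c5, stringprep.in_table_c6, stringprep.in_table_c7,
    stringprep.in_table_c8, stringprep.in_table_c9,
)

def nodeprep(node):
    """Simplified Nodeprep: B.1/B.2 mapping, NFKC, prohibited-output check."""
    mapped = "".join(stringprep.map_table_b2(ch)
                     for ch in node if not stringprep.in_table_b1(ch))
    out = unicodedata.normalize("NFKC", mapped)
    for ch in out:
        if ch in NODEPREP_EXTRA or any(table(ch) for table in PROHIBITED):
            raise ValueError("prohibited character %r in node" % ch)
    return out

def colliding_nodes(nodes):
    """Group node names by normalized form; return groups with more than one member."""
    groups = defaultdict(list)
    for node in nodes:
        groups[nodeprep(node)].append(node)
    return {norm: names for norm, names in groups.items() if len(names) > 1}

def from_is_canonical(jid_from):
    """True if the node part of an incoming 'from' is already normalized.
    Assumed policy: flag or reject non-canonical senders instead of
    silently rewriting them to another user's address."""
    node, _, _domain = jid_from.partition("@")
    try:
        return nodeprep(node) == node
    except ValueError:
        return False

# Constructed account list for a server that registers names without stringprep.
SAMPLE_ACCOUNTS = ["stpeter", "StPeter",
                   "\uff53\uff54\uff50\uff45\uff54\uff45\uff52",  # fullwidth letters
                   "maciek"]

if __name__ == "__main__":
    for norm, names in colliding_nodes(SAMPLE_ACCOUNTS).items():
        print("normalizes to %r: %r" % (norm, names))
    print(from_is_canonical("StPeter@a.examp1e.com"))
```
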