[Standards-JIG] NEW: JEP-0165 (Prevention of JID Spoofing)

Matthias Wimmer m@tthias.net
Thu Nov 17 10:38:54 UTC 2005


Maciek Niedzielski wrote:

>Peter, maybe you want some more ways to mimic your jid?
>
>stpeter@jabber.org
>STPETER@JABBER.ORG
>  
>

There was a reply to this saying that this should be normalized by stringprep. 
I already deleted that reply, so I will reply to this one.

Normalizing by stringprep could be another problem that can be used to 
mimic messages of other people: we still have many servers on the 
network that do not use stringprep. On these servers you can register 
accounts that would get normalized to usernames that are already in use.
If the user of such an account sends a message to a user of a 
server that uses stringprep and normalizes all incoming messages 
on s2s, the message will be delivered as if it were from the other user.

E.g.:

Server a.examp1e.com does not use stringprep and has a user 
stpeter@a.examp1e.com. Someone else who wants to send messages that look 
like they are from this user could register the account 
stpeter@a.examp1e.com.
When this second user sends a message to maciek@b.example.com (and 
b.example.com uses stringprep on incoming messages), the message would 
arrive as being sent by stpeter@a.examp1e.com.


Matthias
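An added illustration of the mismatch described in this message (not code from the original thread): a simplified nodeprep in Python built on the standard library's stringprep tables, plus the check a receiving server could apply on s2s, namely flagging a from-JID that is not already in canonical form instead of silently canonicalizing it. Assumptions: bidi checks are omitted, the domain part is reduced to lowercasing (real nameprep does more), and all JIDs below are constructed.

```python
import stringprep
import unicodedata

# Characters nodeprep forbids in the node part on top of the stringprep
# prohibition tables (RFC 3920, Appendix A).
NODE_EXTRA_PROHIBITED = set('"&\'/:<>@')
PROHIBITED_TABLES = (
    stringprep.in_table_c11, stringprep.in_table_c12, stringprep.in_table_c21,
    stringprep.in_table_c22, stringprep.in_table_c3, stringprep.in_table_c4,
    stringprep.in_table_c5, stringprep.in_table_c6, stringprep.in_table_c7,
    stringprep.in_table_c8, stringprep.in_table_c9,
)

def nodeprep(node: str) -> str:
    """Simplified nodeprep: map (B.1 removal, B.2 case folding), NFKC
    normalize, then reject prohibited code points. Bidi checks are omitted
    (assumption made for this example)."""
    mapped = ''.join(
        '' if stringprep.in_table_b1(ch) else stringprep.map_table_b2(ch)
        for ch in node)
    normalized = unicodedata.normalize('NFKC', mapped)
    for ch in normalized:
        if ch in NODE_EXTRA_PROHIBITED or any(t(ch) for t in PROHIBITED_TABLES):
            raise ValueError(f'prohibited code point U+{ord(ch):04X} in node')
    return normalized

def canonical_jid(jid: str) -> str:
    """Canonical bare JID. The domain is only lowercased (assumption; real
    nameprep does more) and any resource is dropped."""
    bare = jid.split('/', 1)[0]
    node, sep, domain = bare.partition('@')
    return nodeprep(node) + '@' + domain.lower() if sep else domain.lower()

def inbound_from_is_suspect(from_jid: str) -> bool:
    """s2s check: a sending server that applies stringprep itself never emits
    a 'from' that changes under canonicalization. A 'from' that does change
    (or is invalid) came from a non-normalizing server, so canonicalizing it
    silently would attribute the stanza to a different account."""
    bare = from_jid.split('/', 1)[0]
    try:
        return canonical_jid(bare) != bare
    except ValueError:
        return True

if __name__ == '__main__':
    # Constructed JIDs: these collide once a receiving server normalizes them.
    for jid in ('stpeter@a.examp1e.com', 'STPETER@a.examp1e.com',
                '\uff53\uff54\uff50\uff45\uff54\uff45\uff52@a.examp1e.com'):
        print(f'{jid!r:40} -> {canonical_jid(jid)}  '
              f'suspect={inbound_from_is_suspect(jid)}')
```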


