[Standards-JIG] NEW: JEP-0170 (Recommended Order of Stream Feature Negotiation)

Jesus Cea jcea at argo.es
Wed Jan 11 19:47:53 UTC 2006



JEP Editor wrote:
> Version 0.1 of JEP-0170 (Recommended Order of Stream Feature Negotiation) has been released.
> 
> Abstract: This document specifies a recommended order for negotiation of XMPP stream features.

Since compression can add a lot of overhead to the server, especially
memory, I would rather suggest to first authenticate and then negotiate
compression. I imagine a trivial attack: simply open a lot of
connections to a jabber server, negotiate compression and go to sleep.
Each connection can easily eat 500 Kbytes. 1000 connections eat 500
Megabytes.

In fact, *IF* the SASL modes were secure, SASL should be done first,
before TLS. If SASL mode were secure to interception and man in the
middle, of course.

I know the security issues. I'm just thinking about attacking the server
resources.

--
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
                                      _/_/    _/_/          _/_/_/_/_/
PGP Key Available at KeyServ   _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
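As an added illustration of the ordering argument in the mail above (this is not code from the mail or from JEP-0170), a small Python model of which stream features a server advertises in each negotiation state, and of how much memory idle unauthenticated connections can pin under each policy. The state names, the `early_compression` switch and the per-connection byte figures are assumptions; the 500 Kbytes per compressed connection is the mail's own estimate.

```python
from dataclasses import dataclass

# Negotiation states of one client stream (assumed model, not JEP-0170 wording).
PRE_TLS, PRE_SASL, AUTHENTICATED = "pre_tls", "pre_sasl", "authenticated"

# Constructed per-connection memory figures: a small footprint for a plain
# stream, and the mail's ~500 Kbytes once a compressor is allocated.
COST_PLAIN = 8 * 1024
COST_COMPRESSED = 500 * 1024


@dataclass
class Stream:
    state: str = PRE_TLS
    compressed: bool = False
    early_compression: bool = False  # offer compression before SASL (the risky order)

    def features(self):
        """Features advertised to the client in the current state.
        Recommended order argued for in the mail: TLS, then SASL, then compression."""
        if self.state == PRE_TLS:
            return ["starttls"]
        if self.state == PRE_SASL:
            return ["mechanisms", "compression"] if self.early_compression else ["mechanisms"]
        return ["compression", "bind", "session"]

    def request(self, feature):
        """Client asks for a feature; it is refused unless currently advertised."""
        if feature not in self.features():
            return False
        if feature == "starttls":
            self.state = PRE_SASL
        elif feature == "mechanisms":
            self.state = AUTHENTICATED
        elif feature == "compression":
            self.compressed = True
        return True

    def memory(self):
        return COST_COMPRESSED if self.compressed else COST_PLAIN


def idle_unauthenticated_cost(n_connections, early_compression):
    """Bytes pinned by n streams that complete TLS, request compression without
    ever authenticating, and then go idle. Under the recommended order the
    compression request is refused, so only the plain footprint remains."""
    total = 0
    for _ in range(n_connections):
        s = Stream(state=PRE_SASL, early_compression=early_compression)
        s.request("compression")
        total += s.memory()
    return total
```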