[Standards-JIG] NEW: JEP-0170 (Recommended Order of Stream Feature Negotiation)
jcea at argo.es
Wed Jan 11 19:47:53 UTC 2006
JEP Editor wrote:
> Version 0.1 of JEP-0170 (Recommended Order of Stream Feature Negotiation) has been released.
> Abstract: This document specifies a recommended order for negotiation of XMPP stream features.
Since compression can add a lot of overhead to the server, especially
memory, I would rather suggest to first authenticate and then negotiate
compression. I imagine a trivial attack: simply open a lot of
connections to a Jabber server, negotiate compression and go to sleep.
Each connection can easily eat 500 KB. 1000 connections eat 500
In fact, *IF* the SASL modes were secure, SASL should be done first,
before TLS. If the SASL mode were secure against interception and man in
the middle, of course.
I know the security issues. I'm just thinking about attacking the server
Jesus Cea Avion
jcea at argo.es  http://www.argo.es/~jcea/
PGP Key Available at KeyServ
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is putting your happiness in the happiness of another" - Leibniz
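The attack sketched in the post, as an added example that is not part of the original message or of JEP-0170: a toy server-side feature negotiator that can be configured either to accept `<compress/>` as soon as the stream is open or to require a successful SASL exchange first, together with an estimate of how much zlib state each compressed connection pins in server memory. The per-connection figure comes from zlib's documented formulas (deflate: `(1 << (windowBits + 2)) + (1 << (memLevel + 9))`; inflate: `1 << windowBits` plus roughly 7 KB), evaluated at the defaults that `zlib.compressobj()` and `zlib.decompressobj()` use; the feature names, the `Connection` class, the "credentials only over TLS" policy and the always-succeeding SASL step are assumptions made for the illustration, not XMPP library APIs.

```python
"""Added example (not from the original post or JEP-0170): a toy XMPP
stream-feature negotiator that either lets a client negotiate compression
before SASL or requires authentication first, plus an estimate of the zlib
state each compressed connection pins in server memory."""
import zlib

# zlib's documented memory use (zlib manual / zconf.h):
#   deflate: (1 << (windowBits + 2)) + (1 << (memLevel + 9)) bytes
#   inflate: (1 << windowBits) bytes plus roughly 7 KB of state
# Defaults are windowBits=15 and memLevel=8, which is what compressobj() uses.
INFLATE_STATE_BYTES = 7 * 1024


def deflate_memory_bytes(window_bits=15, mem_level=8):
    return (1 << (window_bits + 2)) + (1 << (mem_level + 9))


def inflate_memory_bytes(window_bits=15):
    return (1 << window_bits) + INFLATE_STATE_BYTES


def per_connection_bytes():
    """A server compresses its outbound stream and decompresses the inbound
    one, so it holds one deflate and one inflate state per connection."""
    return deflate_memory_bytes() + inflate_memory_bytes()


class Connection:
    """Server-side view of one stream (hypothetical model, not a real
    XMPP server). With compress_requires_auth=True the enforced order is
    TLS -> SASL -> compression; with False, compression is accepted as
    soon as the stream is open, which is the situation the post attacks."""

    def __init__(self, compress_requires_auth):
        self.compress_requires_auth = compress_requires_auth
        self.tls = False
        self.authenticated = False
        self.compressor = None      # zlib state for outbound stanzas
        self.decompressor = None    # zlib state for inbound stanzas

    def negotiate(self, feature):
        """Return True if the feature was accepted in the current state."""
        if feature == "starttls":
            if self.tls:
                return False
            self.tls = True
            return True
        if feature == "sasl":
            # Assumed policy: credentials only over TLS. SASL always
            # succeeds in this model; a real server would verify them.
            if not self.tls or self.authenticated:
                return False
            self.authenticated = True
            return True
        if feature == "compress":
            if self.compressor is not None:
                return False        # already compressed
            if self.compress_requires_auth and not self.authenticated:
                return False        # refuse: caller has not proven who they are
            # Only here does the server allocate the expensive zlib state.
            self.compressor = zlib.compressobj()
            self.decompressor = zlib.decompressobj()
            return True
        return False                # unknown feature

    def committed_bytes(self):
        """Estimated zlib memory this connection holds on the server."""
        return per_connection_bytes() if self.compressor is not None else 0


def simulate_sleeping_attackers(n_connections, compress_requires_auth):
    """The attack in the post: open n connections, negotiate TLS and
    compression, never authenticate, then go idle. Returns how many
    connections obtained compression and the zlib memory the server is
    estimated to be holding for them."""
    compressed = 0
    memory = 0
    for _ in range(n_connections):
        conn = Connection(compress_requires_auth)
        conn.negotiate("starttls")
        if conn.negotiate("compress"):
            compressed += 1
        memory += conn.committed_bytes()
    return compressed, memory


if __name__ == "__main__":
    for policy in (False, True):
        got, mem = simulate_sleeping_attackers(1000, policy)
        print(f"compress_requires_auth={policy}: {got} compressed connections, "
              f"~{mem / 2**20:.0f} MiB of zlib state")
```

With the permissive policy every unauthenticated connection costs the server roughly 295 KB of zlib state by this estimate, so a thousand idle sockets pin close to 300 MiB before any password has been checked; with authentication required first, the same thousand sockets commit none of it. The estimate covers only zlib's own buffers, so the real cost per connection (TLS state, parser buffers, session objects) is higher.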