[Standards-JIG] rfc3921bis, <iq><service-unavailable/>

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Sun Oct 22 23:31:49 UTC 2006


On Sunday 22 October 2006 6:43 am, Ian Paterson wrote:
> Section 8.1 of RFC3921bis (Inbound Stanzas) simply states that the
> server must "return a <service-unavailable/> stanza error". IMHO, to
> avoid presence leaks the document needs to specify the exact character
> string that the server MUST return. Otherwise it will be difficult for a
> client to pretend to an observant non-subscriber that it is offline (or
> that its user's account may not even exist).

It seems like you could do a timing attack even, by comparing the roundtrip 
for a subscriber vs non-subscriber.

Rather than having to craft the same message as your server would send, or 
having the server reformat one you send, why not have the server respond for 
you?

-Justin
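
The "exact character string" point from the quoted message, as an added example that is not part of the original message: two error replies can parse to the same XML and still differ as strings, so an implementer checking a client's hand-built reply against the server's has to compare bytes first. The stanzas, JIDs and the helper names `flatten` and `tells` are constructed for illustration, and timing is not covered.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas (not taken from the thread or from RFC3921bis).
SERVER = ("<iq from='juliet@example.com/balcony' to='romeo@example.net/orchard' "
          "id='v1' type='error'><error type='cancel'>"
          "<service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>"
          "</error></iq>")
# Same elements and attributes, different quoting and attribute order.
CLIENT_REQUOTED = ('<iq type="error" id="v1" to="romeo@example.net/orchard" '
                   'from="juliet@example.com/balcony"><error type="cancel">'
                   '<service-unavailable xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>'
                   '</error></iq>')
# A client reply that also echoes the request payload back.
CLIENT_ECHO = SERVER.replace("<error", "<query xmlns='jabber:iq:version'/><error", 1)


def flatten(stanza):
    """List (depth, qualified tag, sorted attributes, text) per element, in document order."""
    def walk(el, depth):
        yield depth, el.tag, tuple(sorted(el.attrib.items())), (el.text or "").strip()
        for child in el:
            yield from walk(child, depth + 1)
    return list(walk(ET.fromstring(stanza), 0))


def tells(server_reply, client_reply):
    """Return the differences an observer could use to tell the two replies apart."""
    if server_reply == client_reply:
        return []  # byte-identical: nothing to observe in the content
    a, b = flatten(server_reply), flatten(client_reply)
    if a == b:
        # Equal once parsed, yet the strings on the wire differ.
        return ["serialization differs (quoting, attribute order or whitespace)"]
    found = [f"only in server reply: {e[1]} {dict(e[2])}" for e in a if e not in b]
    found += [f"only in client reply: {e[1]} {dict(e[2])}" for e in b if e not in a]
    return found or ["element order differs"]


if __name__ == "__main__":
    for name, reply in [("requoted", CLIENT_REQUOTED), ("echo", CLIENT_ECHO)]:
        print(name, tells(SERVER, reply))
```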