[Standards-JIG] rfc3921bis, <iq><service-unavailable/>
ian.paterson at clientside.co.uk
Mon Oct 23 09:33:57 UTC 2006
Justin Karneges wrote:
> On Sunday 22 October 2006 6:43 am, Ian Paterson wrote:
>> Section 8.1 of RFC3921bis (Inbound Stanzas) simply states that the
>> server must "return a <service-unavailable/> stanza error". IMHO, to
>> avoid presence leaks the document needs to specify the exact character
>> string that the server MUST return. Otherwise it will be difficult for a
>> client to pretend to an observant non-subscriber that it is offline (or
>> that its user's account may not even exist).
> It seems like you could do a timing attack even, by comparing the roundtrip
> for a subscriber vs non-subscriber.
Good point. Perhaps the Security Considerations section could helpfully
point this out, and recommend that servers make this attack much more
difficult by introducing a delay that is consistent with a round trip to
a (or the) client whenever they generate a <service-unavailable/>.
> Rather than having to craft the same message as your server would send, or
> having the server reformat one you send, why not have the server respond for
Interesting... how would the server know when it should respond for me?
(In cases where an <iq/> from a non-subscriber is addressed to one of my
More information about the Standards