[Standards-JIG] rfc3921bis, <iq><service-unavailable/>

Ian Paterson ian.paterson at clientside.co.uk
Mon Oct 23 09:33:57 UTC 2006

Justin Karneges wrote:
> On Sunday 22 October 2006 6:43 am, Ian Paterson wrote:
>> Section 8.1 of RFC3921bis (Inbound Stanzas) simply states that the
>> server must "return a <service-unavailable/> stanza error". IMHO, to
>> avoid presence leaks the document needs to specify the exact character
>> string that the server MUST return. Otherwise it will be difficult for a
>> client to pretend to an observant non-subscriber that it is offline (or
>> that its user's account may not even exist).
> It seems like you could do a timing attack even, by comparing the roundtrip 
> for a subscriber vs non-subscriber.

Good point. Perhaps the Security Considerations section could helpfully 
point this out, and recommend that servers make this attack much more 
difficult by introducing a delay that is consistent with a round trip to 
a (or the) client whenever they generate a <service-unavailable/>.

> Rather than having to craft the same message as your server would send, or 
> having the server reformat one you send, why not have the server respond for 
> you?

Interesting... how would the server know when it should respond for me? 
(In cases where an <iq/> from a non-subscriber is addressed to one of my 
available resources.)

- Ian

More information about the Standards mailing list