[Standards] Re: [jdev] XEP-0115: Entity Capabilities

Ian Paterson ian.paterson at clientside.co.uk
Wed Jul 4 01:39:24 UTC 2007

Justin Karneges wrote:
> Apologies for not understanding this thread at all and just commenting out of 
> nowhere, but what security is gained by using a hash in the caps protocol?  
> If there is no security gained by using a hash (e.g. everyone has access to 
> the raw data such that they can all calculate the same hash) then what 
> difference does it make which algorithm is used?

What if the raw data is supplied by the attacker?

Imagine Eve wants to poison the caches of clients that haven't yet 
received presence from a brand new release of Psi.

If it is easy to discover collisions for the hash used by Psi, then Eve 
can send Psi's hash to a client and respond to its resulting disco 
request with a false set of features that she generated earlier. The 
false set would probably include a single unrecognizable feature whose 
'var' value could be manipulated to ensure the set has the correct hash 
value, for example:
<feature var='6e4G$h#$vFsgn*F4 at Rie$EGd#$gg73S'/>.

- Ian

More information about the Standards mailing list