[Standards] Re: [jdev] XEP-0115: Entity Capabilities

Ian Paterson ian.paterson at clientside.co.uk
Wed Jul 4 10:35:54 UTC 2007


Dave Cridland wrote:
> The hard part remains the timing issue - in order to have any value, 
> you'd need to pollute the target clients capability cache prior to it 
> discovering the real capabilities, and that's an extraordinarily short 
> time window.

It's not short if the attacker discovers the hash value of early "betas" 
of a new version of a popular client. This approach typically would 
allow a few months to find an appropriate collision (using a bot net?). 
Once found, the attacker would polute users' caches and then wait for 
the users to upgrade to the final released version of the client.

> FWIW, I lean heavily toward pre-defined sets, as I think that "good 
> clients" gain in both security and efficiency, whereas "old clients" 
> are unaffected.

Yes, the XEP could mention the possibility of "pre-defined sets" in the 
implementation issues section.

Of course clients can ship with pre-defined sets even if we depricate 
'ext'. IMHO, 'ext' offers only marginal improvements to pre-defined 
security, network traffic and cache storage space. Eliminating 'ext' 
allows us to significantly simplify client logic.

- Ian




More information about the Standards mailing list