[Standards] XEP-0175 1.2rc1

Peter Saint-Andre stpeter at stpeter.im
Fri Aug 14 01:06:54 UTC 2009



On 8/13/09 6:45 PM, Andy Skelton wrote:

> XEP-0175 1.2rc1, which states:
> 
> "After a client authenticates using the SASL ANONYMOUS mechanism, it
> MUST bind a resource; the server SHOULD ignore the resource identifier
> provided by the client (if any) and instead assign a resource
> identifier that it generates on behalf of the client."
> 
> Why shouldn't the server bind the resource provided by the client?

The idea (perhaps questionable) is that many or most XMPP servers assign
all anonymous users to an account like someUUID@example.com or perhaps
literally anonymous@example.com. A repeat user could then use the same
full JID over and over, like someUUID@example.com/anotherUUID, to
essentially emulate a registered account. Another possible annoyance
would be to repeatedly use obnoxious resource identifiers (remember,
these are anonymous, unknown users) for spamming or personal attacks, like:

someUUID@example.com/This Is The Medicine You Need!

or

someUUID@example.com/stpeter-is-an-idiot

Whether any of these attack vectors are worrisome is another matter.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
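As an added illustration of the server-side behaviour Peter describes (this is example code, not from XEP-0175 or from anyone in the thread), the handler below processes a resource-binding request and, for a session that authenticated with SASL ANONYMOUS, discards the client-chosen resource in favour of a fresh server-generated one. The stanza text, the bare JIDs and the function name are constructed for the example; the requested resource is one of the examples from the message.

```python
"""Server-side resource binding for SASL ANONYMOUS sessions (XEP-0175 1.2rc1).

Added example, not code from the XEP or the mailing-list thread. Shows why a
server ignores the client-requested resource once the session authenticated
anonymously: otherwise the shared anonymous bare JID can be turned into a
stable, client-chosen full JID, or into an abusive one. Function and stanza
identifiers below are assumptions for illustration.
"""
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

BIND_NS = "urn:ietf:params:xml:ns:xmpp-bind"

# Constructed sample: a client asks for an insulting resource identifier
# (one of the examples given in the thread).
SAMPLE_BIND_REQUEST = (
    '<iq type="set" id="bind_1">'
    f'<bind xmlns="{BIND_NS}"><resource>stpeter-is-an-idiot</resource></bind>'
    "</iq>"
)


def handle_bind(bind_iq_xml, bare_jid, anonymous):
    """Bind a resource for an authenticated session.

    bind_iq_xml: the client's <iq type='set'> carrying the <bind/> request.
    bare_jid:    the bare JID the session authenticated as (for an anonymous
                 session typically a server-assigned UUID localpart or a
                 shared account such as anonymous@example.com).
    anonymous:   True if the session authenticated with SASL ANONYMOUS.
    Returns (full_jid, result_iq_xml).
    """
    iq = ET.fromstring(bind_iq_xml)
    bind = iq.find(f"{{{BIND_NS}}}bind")
    if bind is None:
        raise ValueError("not a resource-binding request")
    requested = (bind.findtext(f"{{{BIND_NS}}}resource") or "").strip()

    if anonymous or not requested:
        # XEP-0175: the server SHOULD ignore the client-supplied resource
        # identifier for anonymous sessions and generate one itself. A fresh
        # UUID per session means the full JID is not reusable across logins
        # and carries no client-chosen text.
        resource = uuid.uuid4().hex
    else:
        # Registered, non-anonymous user: this example honours the request.
        resource = requested

    full_jid = f"{bare_jid}/{resource}"
    result = (
        f'<iq type="result" id={quoteattr(iq.get("id", ""))}>'
        f'<bind xmlns="{BIND_NS}"><jid>{escape(full_jid)}</jid></bind></iq>'
    )
    return full_jid, result


if __name__ == "__main__":
    jid_a, _ = handle_bind(SAMPLE_BIND_REQUEST, "anonymous@example.com", True)
    jid_b, _ = handle_bind(SAMPLE_BIND_REQUEST, "anonymous@example.com", True)
    jid_c, res = handle_bind(SAMPLE_BIND_REQUEST, "juliet@example.com", False)
    print(jid_a)  # anonymous@example.com/<random hex>, insult discarded
    print(jid_b)  # different random hex: no stable identity across sessions
    print(jid_c)  # juliet@example.com/stpeter-is-an-idiot (registered user)
    print(res)
```

Two anonymous sessions that request the same resource end up with different full JIDs, which is what defeats the "emulate a registered account" trick, and nothing the client typed reaches the resourcepart, which is what defeats the abusive-resource trick. Whether a deployment also wants to override resources for registered users is a separate policy question that the XEP text quoted above does not address.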




