[Standards] XEP-0175 1.2rc1
stpeter at stpeter.im
Fri Aug 14 01:06:54 UTC 2009
On 8/13/09 6:45 PM, Andy Skelton wrote:
> XEP-0175 1.2rc1, which states:
> "After a client authenticates using the SASL ANONYMOUS mechanism, it
> MUST bind a resource; the server SHOULD ignore the resource identifier
> provided by the client (if any) and instead assign a resource
> identifier that it generates on behalf of the client."
> Why shouldn't the server bind the resource provided by the client?
The idea (perhaps questionable) is that many or most XMPP servers assign
all anonymous users to an account like someUUID at example.com or perhaps
literally anonymous at example.com. A repeat user could then use the same
full JID over and over, like someUUID at example.com/anotherUUID, to
essentially emulate a registered account. Another possible annoyance
would be to repeatedly use obnoxious resource identifiers (remember,
these are anonymous, unknown users) for spamming or personal attacks, like:
someUUID at example.com/This Is The Medicine You Need!
someUUID at example.com/stpeter-is-an-idiot
Whether any of these attack vectors are worrisome is another matter.