[Standards] XEP-0249: security considerations

Peter Saint-Andre stpeter at stpeter.im
Thu Jun 11 17:05:41 UTC 2009



The security considerations section of XEP-0249 (Direct MUC Invitations)
is void of content. I suppose that a few attacks are possible:

1. The sender of the invitation could overload the 'reason' attribute
with malicious or offensive text.

2. The sender of the invitation could use a mimicked JID (see XEP-0156)
to fool you into thinking that you are receiving an invitation from a
known or trusted entity.

3. A malicious entity could flood you with chatroom invitations.

4. A malicious entity in the middle could modify the invitation in
transit so that you are directed to a different room than intended by
the sender.

5. A malicious entity in the middle could listen in on the chatroom
invitations you send or receive.

Anything else? I don't know if we think these attacks are serious, but
we might want to mention them (or refer to other specifications that
discuss them).

Peter

--
Peter Saint-Andre
https://stpeter.im/

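One client-side mitigation for points 1 to 3 above, as an added example that is not from this thread or from any XMPP library: it matches the sender's bare JID against the roster exactly (so a look-alike JID does not pass), bounds and escapes the 'reason' text before display, and limits how many invitations one sender may deliver. The stanzas, roster and thresholds are constructed; points 4 and 5 are on-path threats that a stanza filter cannot address and belong to transport security (TLS between client and server).

```python
import html
import xml.etree.ElementTree as ET
from collections import defaultdict

CONFERENCE_NS = "jabber:x:conference"  # namespace of the XEP-0249 <x/> element
MAX_REASON_LEN = 200                    # hypothetical cap on the 'reason' text
MAX_PER_SENDER = 3                      # hypothetical flood threshold per sender

def bare_jid(jid):
    """Drop the resource part: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]

class InviteFilter:
    """Client-side policy for incoming direct MUC invitations."""

    def __init__(self, roster, max_per_sender=MAX_PER_SENDER):
        self.roster = set(roster)        # bare JIDs the user has chosen to trust
        self.max_per_sender = max_per_sender
        self.seen = defaultdict(int)     # invitations accepted per sender so far

    def check(self, stanza_xml):
        """Return ('accept', room_jid, safe_reason) or ('reject', why, None)."""
        msg = ET.fromstring(stanza_xml)
        x = msg.find(f"{{{CONFERENCE_NS}}}x")
        if x is None or not x.get("jid"):
            return ("reject", "not a direct invitation", None)
        sender = bare_jid(msg.get("from", ""))
        # Exact match against the roster: a look-alike JID is a different string
        if sender not in self.roster:
            return ("reject", "sender not in roster", None)
        if self.seen[sender] >= self.max_per_sender:
            return ("reject", "too many invitations from sender", None)
        self.seen[sender] += 1
        # Treat 'reason' as untrusted text: bound its length, escape for display
        reason = html.escape(x.get("reason", ""))[:MAX_REASON_LEN]
        return ("accept", x.get("jid"), reason)

# Constructed stanzas (not captured from any real session)
INVITE = ("<message from='crone1@shakespeare.lit/desktop' to='hecate@shakespeare.lit'>"
          "<x xmlns='jabber:x:conference' jid='darkcave@macbeth.shakespeare.lit'"
          " reason='&lt;b&gt;Hey Hecate&lt;/b&gt;'/></message>")
MIMIC = INVITE.replace("crone1@", "cr0ne1@")   # look-alike sender JID

def run_samples():
    """Apply the filter to the constructed stanzas; returns the decisions."""
    f = InviteFilter(roster=["crone1@shakespeare.lit"])
    results = [f.check(MIMIC)]
    results += [f.check(INVITE) for _ in range(MAX_PER_SENDER + 1)]
    return results
```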
