[Standards] XEP-0249: security considerations
stpeter at stpeter.im
Thu Jun 11 17:05:41 UTC 2009
The security considerations section of XEP-0249 (Direct MUC Invitations)
is void of content. I suppose that a few attacks are possible:

1. The sender of the invitation could overload the 'reason' attribute
   with malicious or offensive text.

2. The sender of the invitation could use a mimicked JID (see XEP-0156)
   to fool you into thinking that you are receiving an invitation from a
   known or trusted entity.

3. A malicious entity could flood you with chatroom invitations.

4. A malicious entity in the middle could modify the invitation in
   transit so that you are directed to a different room than intended by

5. A malicious entity in the middle could listen in on the chatroom
   invitations you send or receive.

Anything else? I don't know if we think these attacks are serious, but
we might want to mention them (or refer to other specifications that
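A receiving client can apply checks against items 1 to 3 of the list above before it displays an invitation. The following is an added example, not part of the original message or of XEP-0249; the limits, function names, roster set and sample stanza are assumptions constructed for illustration, and `xml.etree` stands in for the client's own stream parser.

```python
import time
import unicodedata
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

X_TAG = "{jabber:x:conference}x"  # XEP-0249 invitation payload element
MAX_REASON = 200                  # assumed cap on displayed 'reason' length
MAX_INVITES = 3                   # assumed limit per sender ...
WINDOW = 60.0                     # ... within this many seconds
_recent = defaultdict(deque)      # bare JID -> timestamps of recent invitations

# Constructed sample stanza (not from the page); U+202E is a bidi override.
SAMPLE = ("<message from='alice@example.org/desk' to='bob@example.org'>"
          "<x xmlns='jabber:x:conference' jid='room@conference.example.org' "
          "reason='Join\u202e us'/></message>")

def clean_reason(text):
    """Item 1: drop control and format characters, then truncate."""
    kept = "".join(c for c in text if unicodedata.category(c) not in ("Cc", "Cf"))
    return kept[:MAX_REASON]

def check_invite(stanza_xml, roster, now=None):
    """Return (invite dict or None, list of warnings) for one <message/>."""
    now = time.monotonic() if now is None else now
    msg = ET.fromstring(stanza_xml)
    x = msg.find(X_TAG)
    if x is None or not x.get("jid"):
        return None, ["not a direct invitation"]
    sender = msg.get("from", "").split("/", 1)[0]  # bare JID, resource removed
    warnings = []
    # Item 2: a sender outside the roster may be a look-alike of a contact.
    if sender not in roster:
        warnings.append("sender not in roster")
        if not sender.isascii():
            warnings.append("sender JID contains non-ASCII characters")
    # Item 3: sliding-window rate limit per sender.
    q = _recent[sender]
    while q and now - q[0] > WINDOW:
        q.popleft()
    q.append(now)
    if len(q) > MAX_INVITES:
        return None, ["rate limit exceeded for " + sender]
    invite = {"from": sender, "room": x.get("jid"),
              "reason": clean_reason(x.get("reason", ""))}
    return invite, warnings
```

Items 4 and 5 concern the channel the stanza travels over, so checks on the received stanza like these do not address them.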