[Standards] XEP-0198 and SASL-Anonymous

Winfried Tilanus winfried at tilanus.com
Fri Jan 25 14:08:29 UTC 2013


And now we are talking about XEP-0198, I think the security
considerations should take some more situations into account for the
session hijacking protection. When properly and securely authenticated,
the authentication is enough protection against session hijacking. But
when using SASL-Anonymous, the session id MUST be unpredictable AND the
session MUST be encrypted, otherwise the session can be hijacked. Think
it would be better to add that to the spec.
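The two requirements in the post (an unguessable resumption id, and encryption for SASL ANONYMOUS sessions) as a server-side policy, written as an added example that is not from the post or from any XEP-0198 implementation; the `Stream` and `ResumptionStore` names and the flags on `Stream` are assumptions:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SM_NS = "urn:xmpp:sm:3"  # stream management namespace used by XEP-0198


@dataclass
class Stream:
    """Hypothetical view of a negotiated XMPP stream (constructed for the example)."""
    jid: str
    anonymous: bool   # authenticated via SASL ANONYMOUS, so nothing binds the user
    encrypted: bool   # TLS was negotiated before SASL
    sm_id: Optional[str] = None


class ResumptionStore:
    """Issues and checks XEP-0198 resumption ids (hypothetical helper)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Stream] = {}

    def enable(self, stream: Stream) -> str:
        # An anonymous session over a cleartext stream gets acks but no
        # resumption: a sniffed id would be enough to take the session over.
        if stream.anonymous and not stream.encrypted:
            return f"<enabled xmlns='{SM_NS}'/>"
        # CSPRNG id: 32 random bytes, so the id cannot be guessed or counted up.
        stream.sm_id = secrets.token_urlsafe(32)
        self._sessions[stream.sm_id] = stream
        return f"<enabled xmlns='{SM_NS}' id='{stream.sm_id}' resume='true'/>"

    def resume(self, previd: str, encrypted: bool) -> Optional[Stream]:
        # Compare against every stored id in constant time rather than
        # leaking match length through a plain lookup.
        match = None
        for sm_id, stream in self._sessions.items():
            if hmac.compare_digest(sm_id, previd):
                match = stream
        if match is None:
            return None
        # The resumed stream must meet the same policy as the original one.
        if match.anonymous and not encrypted:
            return None
        return match
```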


