[Standards] XEP-0198 and SASL-Anonymous

Matt Miller linuxwolf at outer-planes.net
Fri Jan 25 15:42:32 UTC 2013


On Jan 25, 2013, at 7:08 AM, Winfried Tilanus <winfried at tilanus.com> wrote:

> Hi,
> 
> And now we are talking about XEP-0198, I think the security
> considerations should take some more situations into account for the
> session hijacking protection. When properly and securely authenticated,
> the authentication is enough protection against session hijacking. But
> when using SASL-Anonymous, the session id MUST be unpredictable AND the
> session MUST be encrypted, otherwise the session can be hijacked. Think
> it would be better to add that to the spec.
> 

Those are good points, although transport encryption is only as trusted as the certificate in use (think of all the times we have clicked "I understand the risks"...).

I think it should also be valid for the server to prohibit stream management resumption if using SASL ANONYMOUS.


- m&m

Matthew A. Miller
< http://goo.gl/LK55L >
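As an added example (not code from this thread or from any XMPP server implementation), the following Python sketch models the server side of the XEP-0198 `<enable/>` / `<resume/>` exchange and applies the two measures discussed above: the stream-management id is drawn from the OS CSPRNG so it cannot be guessed, and a policy function (an assumption drawn from the discussion, not a rule in the XEP) withholds resumption from SASL ANONYMOUS and unencrypted streams and requires the resuming stream to have authenticated as the same account. The `Stream` class, `SmServer`, `reply_info`, the JIDs and the stanzas in the usage are constructed for the example.

```python
"""Server side of the XEP-0198 <enable/> / <resume/> exchange with a resumption policy.

Illustrative example only; not from the mailing-list thread or any XMPP server.
The policy in resumption_allowed() is an assumption, not a requirement of the XEP.
"""
import hmac
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SM_NS = "urn:xmpp:sm:3"
STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"
ET.register_namespace("", SM_NS)  # serialise as xmlns="urn:xmpp:sm:3" rather than ns0:


def _sm(name):
    return "{%s}%s" % (SM_NS, name)


@dataclass
class Stream:
    """Per-connection state the example server keeps (constructed for this example)."""
    jid: str                  # bare JID the stream authenticated as
    mechanism: str            # SASL mechanism used, e.g. "SCRAM-SHA-1" or "ANONYMOUS"
    tls: bool                 # whether the connection is TLS-protected
    sm_id: Optional[str] = None
    handled: int = 0          # inbound stanzas processed (the server's 'h' value)
    outbound: List[str] = field(default_factory=list)  # stanzas sent since <enable/>


def reply_info(xml_text):
    """Parse a server reply: returns (local element name, attribute dict)."""
    el = ET.fromstring(xml_text)
    return el.tag.split("}", 1)[1], dict(el.attrib)


class SmServer:
    def __init__(self):
        self._resumable = {}  # stream-management id -> Stream

    @staticmethod
    def resumption_allowed(stream):
        # Assumed policy: resume only TLS-protected streams that did not authenticate
        # with SASL ANONYMOUS; for an anonymous user the id alone guards the session.
        return stream.tls and stream.mechanism.upper() != "ANONYMOUS"

    def handle_enable(self, stream, xml_text):
        el = ET.fromstring(xml_text)
        if el.tag != _sm("enable"):
            raise ValueError("expected <enable/> in %s" % SM_NS)
        stream.handled, stream.outbound = 0, []
        if el.get("resume") in ("true", "1") and self.resumption_allowed(stream):
            stream.sm_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self._resumable[stream.sm_id] = stream
            resp = ET.Element(_sm("enabled"), {"id": stream.sm_id, "resume": "true"})
        else:
            resp = ET.Element(_sm("enabled"))  # acks only, no resumption offered
        return ET.tostring(resp, encoding="unicode")

    @staticmethod
    def _failed(condition):
        resp = ET.Element(_sm("failed"))
        ET.SubElement(resp, "{%s}%s" % (STANZAS_NS, condition))
        return ET.tostring(resp, encoding="unicode"), []

    def handle_resume(self, new_stream, xml_text):
        """Returns (reply xml, stanzas to resend on the new stream)."""
        el = ET.fromstring(xml_text)
        if el.tag != _sm("resume"):
            raise ValueError("expected <resume/> in %s" % SM_NS)
        previd = el.get("previd", "").encode()
        try:
            client_h = int(el.get("h", ""))
        except ValueError:
            return self._failed("bad-request")
        old = None
        for sid, s in self._resumable.items():  # constant-time compare per candidate
            if hmac.compare_digest(sid.encode(), previd):
                old = s
        if old is None:
            return self._failed("item-not-found")
        # The new stream authenticated before sending <resume/>: it must satisfy the
        # same policy and belong to the same account as the stream it takes over.
        if not self.resumption_allowed(new_stream) or new_stream.jid != old.jid:
            return self._failed("not-authorized")
        if client_h > len(old.outbound):
            return self._failed("bad-request")
        new_stream.sm_id, new_stream.handled = old.sm_id, old.handled
        new_stream.outbound = list(old.outbound)
        self._resumable[old.sm_id] = new_stream
        resp = ET.Element(_sm("resumed"), {"h": str(old.handled), "previd": old.sm_id})
        return ET.tostring(resp, encoding="unicode"), old.outbound[client_h:]
```

A real server would feed these elements from its streaming XML parser rather than `ET.fromstring`; the point here is the decision logic: an anonymous client asking for `resume='true'` gets plain `<enabled/>` with no id, a `<resume/>` with a wrong id or from a different account or plaintext stream gets `<failed/>`, and a legitimate resumption returns the server's `h` plus the outbound stanzas the client never acknowledged.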
