[Standards] XEP-0198 and SASL-Anonymous

Matt Miller linuxwolf at outer-planes.net
Fri Jan 25 15:42:32 UTC 2013

On Jan 25, 2013, at 7:08 AM, Winfried Tilanus <winfried at tilanus.com> wrote:

> Hi,
> And now we are talking about XEP-0198, I think the security
> considerations should take some more situations in account for the
> session hijacking protection. When properly and securely authenticated,
> the authentication is enough protection against sesion hijacking. But
> when using SASL-Anonymous, the session id MUST be unpredictable AND the
> session MUST be encrypted, otherwise the session can be hijacked. Think
> it would be better to add that to the spec.

Those are good points, although transport encryption is only as trusted as the certificate in use (think of all the times we have clicked "I understand the risks"...).

I think it should also be valid for the server to prohibit stream management resumption if using SASL ANONYMOUS.

- m&m

Matthew A. Miller
< http://goo.gl/LK55L >

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2305 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/standards/attachments/20130125/164f6e7e/attachment.bin>

More information about the Standards mailing list