[Standards] XEP-0138: security considerations

SM sm at resistor.net
Sat Apr 26 00:58:10 UTC 2014


Hi Peter,
At 16:18 08-04-2014, Peter Saint-Andre wrote:
>Before we released the security note about application-layer 
>compression last week [1] (which now seems to have been overshadowed 
>by the heartbleed bug in OpenSSL), I started to work on some updates 
>to XEP-0138. Here is my proposed text for the Security Considerations section:

When I read the advisory I was reminded of an old issue which caused 
a similar Denial of Service attack.  I wondered why we did not learn 
anything from the past.  Anyway, some of the suggested guidelines are 
to leave it to the administrator to turn on compression and to set 
defaults that avoid high resource consumption.  Shouldn't that be 
addressed at the TLS level, as it provides the functionality, with a 
relevant pointer in XEP-0138 so that the warning is not overlooked?

Regards,
-sm 
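The resource-consumption guideline discussed above (XEP-0138 stream compression is zlib, and a small compressed stanza can inflate into a very large one) comes down to bounding how much output a receiver is willing to produce per byte of input. The block below is an added example written for this page, not code from XEP-0138, from any XMPP server, or from either poster. It assumes a hypothetical receiver-side inflater with a configurable inflate ratio cap (the `max_ratio` value and the 4096-byte inflate step are assumptions, not values from the advisory or the XEP) and shows it passing ordinary sync-flushed stanzas while refusing a constructed decompression bomb before the bomb's full output is materialised.

```python
import zlib


class DecompressionBudgetExceeded(Exception):
    """Raised when inflated output exceeds max_ratio * compressed input."""


class BoundedInflater:
    """Inflate a zlib stream (as used by XEP-0138) with a ratio cap.

    XEP-0138 streams are sync-flushed per stanza and never reach zlib EOF,
    so the check is on running totals rather than on a finished stream.
    A caller that sees DecompressionBudgetExceeded should close the stream;
    the inflater is not reusable after it raises.
    """

    STEP = 4096  # max bytes of output produced per zlib call (assumed value)

    def __init__(self, max_ratio: int = 100):  # 100:1 is an assumed default
        self._d = zlib.decompressobj()
        self.max_ratio = max_ratio
        self.bytes_in = 0
        self.bytes_out = 0

    def feed(self, chunk: bytes) -> bytes:
        """Inflate one chunk read from the socket, enforcing the ratio cap."""
        self.bytes_in += len(chunk)
        out = bytearray()
        pending = chunk
        while True:
            # Ask zlib for at most STEP bytes; leftover input is kept in
            # unconsumed_tail so the ratio can be checked between steps
            # instead of after the whole chunk has been expanded.
            produced = self._d.decompress(pending, self.STEP)
            pending = self._d.unconsumed_tail
            out += produced
            self.bytes_out += len(produced)
            if self.bytes_out > self.max_ratio * max(self.bytes_in, 1):
                raise DecompressionBudgetExceeded(
                    f"{self.bytes_out} bytes out for {self.bytes_in} bytes in "
                    f"exceeds ratio {self.max_ratio}:1"
                )
            if not produced and not pending:
                break  # zlib needs more input from the peer
        return bytes(out)


def compress_stanzas(stanzas):
    """Compress stanzas the way an XEP-0138 sender does: one sync flush each."""
    c = zlib.compressobj()
    return [c.compress(s) + c.flush(zlib.Z_SYNC_FLUSH) for s in stanzas]


def make_bomb(size: int = 10 * 1024 * 1024) -> bytes:
    """Constructed attack input: a sync-flushed stanza of `size` zero bytes."""
    c = zlib.compressobj()
    return c.compress(b"\0" * size) + c.flush(zlib.Z_SYNC_FLUSH)


# Constructed sample traffic (not captured from a real session).
SAMPLE_STANZAS = [
    b"<message to='juliet@example.com'><body>hi</body></message>",
    b"<presence/>",
]


def run_demo():
    """Return (decoded stanzas, whether the bomb was rejected, bytes inflated)."""
    inflater = BoundedInflater(max_ratio=100)
    decoded = [inflater.feed(chunk) for chunk in compress_stanzas(SAMPLE_STANZAS)]

    bomb_inflater = BoundedInflater(max_ratio=100)
    rejected = False
    try:
        bomb_inflater.feed(make_bomb())
    except DecompressionBudgetExceeded:
        rejected = True
    return decoded, rejected, bomb_inflater.bytes_out


if __name__ == "__main__":
    decoded, rejected, inflated = run_demo()
    print("stanzas ok:", decoded == SAMPLE_STANZAS)
    print("bomb rejected:", rejected, "after inflating", inflated, "bytes")
```

The ratio check sits inside the inflate loop rather than after `decompress()` returns, because the whole point is to stop before the expanded output exists; with the cap at 100:1, the 10 MiB bomb is abandoned after roughly 100 times its compressed size has been produced.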
