[Standards] XEP-0283 Moved - Security and Usability

Georg Lukas georg at op-co.de
Fri Mar 9 16:53:27 UTC 2018

Hi together,

as part of Easy XMPP I wanted to have a way to completely migrate from
one account to another, or to be able to move a subset of your contacts
to another (local) JID. One possible side-benefit would be to get rid of
the "jabber." substring that's so prevalent in many old server
installations, and that's become obsolete with the invention of SRV

XEP-0283 "Moved" provides the signaling mechanism to make this possible,
with two "little" issues:

1) the Security Considerations spoil all the fun of automatic account

| In order to prevent other users from maliciously altering contacts the
| client SHOULD NOT automatically subscribe to a <moved/> JID when it
| receives an unsubscribe and SHOULD NOT automatically unsubscribe to a
| <moved/> JID when it receives a subscribe.

I think that if our contact proves ownership of both accounts by
publishing a <moved/> element on each, containing the respective other
JID, there should be no security problems with automatically replacing
the contact's JID on our roster.

While in theory, someone with short-term access to our account will be
able to permanently steal all our contacts, I would consider that
account as fully compromised anyway, and the attacker can well perform
any other kind of impersonation or social engineering attack they want.

2) the flow in §3.1 does an 'unsubscribe' with a payload, and most
servers won't keep that payload after processing the unsubscribe.
However, we could just set the <moved/> payload to a normal (directed or
broadcasted) presence as proof of account ownership and let the
receiving entity auto-unsubscribe once the "new" account has also
signalled the intent to move.

I'd like to resurrect the XEP, allow automatic approval of contacts' JID
changes (and maybe also invent some way to also move local/MAM history
for that contact).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/standards/attachments/20180309/ae6f5d42/attachment.sig>

More information about the Standards mailing list