[Standards] XEP-0283 Moved - Security and Usability
pep at bouah.net
Sun Mar 11 09:50:38 UTC 2018
On 2018/03/09, Georg Lukas wrote:
> 1) the Security Considerations spoil all the fun of automatic account
> | In order to prevent other users from maliciously altering contacts the
> | client SHOULD NOT automatically subscribe to a <moved/> JID when it
> | receives an unsubscribe and SHOULD NOT automatically unsubscribe to a
> | <moved/> JID when it receives a subscribe.
> I think that if our contact proves ownership of both accounts by
> publishing a <moved/> element on each, containing the respective other
> JID, there should be no security problems with automatically replacing
> the contact's JID on our roster.
> While in theory, someone with short-term access to our account will be
> able to permanently steal all our contacts, I would consider that
> account as fully compromised anyway, and the attacker can well perform
> any other kind of impersonation or social engineering attack they want.
I'm all in favour for this!
Maxime “pep” Buquet
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the Standards