[Standards] XEP-0283 Moved - Security and Usability

Maxime Buquet pep at bouah.net
Sun Mar 11 09:50:38 UTC 2018


On 2018/03/09, Georg Lukas wrote:
> 1) the Security Considerations spoil all the fun of automatic account
> transfers:
> 
> | In order to prevent other users from maliciously altering contacts the
> | client SHOULD NOT automatically subscribe to a <moved/> JID when it
> | receives an unsubscribe and SHOULD NOT automatically unsubscribe to a
> | <moved/> JID when it receives a subscribe.
> 
> I think that if our contact proves ownership of both accounts by
> publishing a <moved/> element on each, containing the respective other
> JID, there should be no security problems with automatically replacing
> the contact's JID on our roster.
> 
> While in theory, someone with short-term access to our account will be
> able to permanently steal all our contacts, I would consider that
> account as fully compromised anyway, and the attacker can well perform
> any other kind of impersonation or social engineering attack they want.

I'm all in favour of this!

-- 
Maxime “pep” Buquet
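As an added illustration of the mutual-proof check Georg proposes above (this is example code written for this page, not text from XEP-0283, from the thread, or from any XMPP client): a client-side tracker that only rewrites a roster entry once it has seen a presence "unsubscribe" from the old JID naming the new one *and* a presence "subscribe" from the new JID naming the old one. A one-sided claim, the case the XEP's Security Considerations warn about, stays pending and never touches the roster. The stanza layout (a <moved/> element with a <jid/> child in the namespace urn:xmpp:moved:0, carried inside the subscribe/unsubscribe presence) and all JIDs are assumptions made for this example, not the XEP's wire format.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Assumed namespace and element names for this example; consult the current
# XEP-0283 text for the real wire format.
MOVED_NS = "urn:xmpp:moved:0"


def bare(jid: str) -> str:
    """Strip the resource part; simplified case folding for the example."""
    return jid.split("/", 1)[0].lower()


def parse_presence(xml_text: str) -> Tuple[str, str, Optional[str]]:
    """Return (sender_bare_jid, presence_type, jid_named_in_moved_or_None)."""
    el = ET.fromstring(xml_text)
    if el.tag != "presence":
        raise ValueError("not a presence stanza")
    # The 'from' attribute is validated/stamped by our own server before
    # delivery, so it is the only sender identity we trust here.
    sender = bare(el.attrib["from"])
    ptype = el.attrib.get("type", "")
    moved = el.find(f"{{{MOVED_NS}}}moved")
    claimed = None
    if moved is not None:
        jid_el = moved.find(f"{{{MOVED_NS}}}jid")
        if jid_el is not None and jid_el.text:
            claimed = bare(jid_el.text.strip())
    return sender, ptype, claimed


class MovedTracker:
    """Rewrites a roster entry only after both accounts have vouched for each other."""

    def __init__(self, roster: Dict[str, dict]):
        self.roster = roster      # bare JID -> roster item (name, groups, ...)
        self.claims: Dict[str, Tuple[str, str]] = {}  # sender -> (type, claimed other JID)

    def handle(self, xml_text: str) -> str:
        sender, ptype, other = parse_presence(xml_text)
        if other is None or ptype not in ("subscribe", "unsubscribe"):
            return "ignored"
        # Only a JID already on our roster can announce that it is leaving.
        if ptype == "unsubscribe" and sender not in self.roster:
            return "rejected: unsubscribe from unknown JID"
        self.claims[sender] = (ptype, other)

        # Do nothing until the *other* account has named this sender too.
        counterpart = self.claims.get(other)
        if counterpart is None or counterpart[1] != sender:
            return "pending"

        old, new = (sender, other) if ptype == "unsubscribe" else (other, sender)
        if self.claims[old][0] != "unsubscribe" or self.claims[new][0] != "subscribe":
            return "rejected: both sides claim the same direction"
        if old not in self.roster:
            return "rejected: old JID no longer on roster"

        # Both proofs present: carry the local roster item over to the new JID.
        item = self.roster.pop(old)
        self.roster.setdefault(new, item)
        del self.claims[old]
        del self.claims[new]
        return f"moved {old} -> {new}"


# Constructed sample JIDs and stanzas for the demonstration.
ME = "juliet@example.net"
OLD = "romeo@montague.example"
NEW = "romeo@capulet.example"


def stanza(sender: str, ptype: str, claimed: str) -> str:
    return (f"<presence from='{sender}/phone' to='{ME}' type='{ptype}'>"
            f"<moved xmlns='{MOVED_NS}'><jid>{claimed}</jid></moved>"
            f"</presence>")


def demo_mutual_proof() -> Tuple[str, str, Dict[str, dict]]:
    """Both accounts vouch for each other: the roster entry is rewritten."""
    roster = {OLD: {"name": "Romeo"}}
    tracker = MovedTracker(roster)
    first = tracker.handle(stanza(NEW, "subscribe", OLD))     # arrives first
    second = tracker.handle(stanza(OLD, "unsubscribe", NEW))  # completes the proof
    return first, second, roster


def demo_one_sided_claim() -> Tuple[str, Dict[str, dict]]:
    """An unrelated account claims to be a contact's new JID: nothing changes."""
    roster = {"mercutio@example.org": {"name": "Mercutio"}}
    tracker = MovedTracker(roster)
    result = tracker.handle(stanza("mallory@evil.example", "subscribe",
                                   "mercutio@example.org"))
    return result, roster


if __name__ == "__main__":
    print(demo_mutual_proof())
    print(demo_one_sided_claim())
```

The tracker deliberately keys the pending claims by the server-stamped sender JID rather than by anything inside the <moved/> payload, so the only way to complete a move is to send a matching stanza from each of the two accounts, which is exactly the ownership proof the proposal relies on.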