[jdev] Re: XEP-0070 in PHP
Norman Rasmussen
norman at rasmussen.co.za
Thu Nov 16 04:04:20 CST 2006
On 11/15/06, Magnus Henoch <mange at freemail.hu> wrote:
> "Norman Rasmussen" <norman at rasmussen.co.za> writes:
>
> > I've been playing with OpenID and using the XEP-0070 example as a
> > source for logic. It was very irritating to have a unique resource
> > all the time because Psi loads each one in a new window.
>
> Did you try the new XEP-0070 support from SVN?
SVN? What's the link?
I've been using http://www.dtek.chalmers.se/~henoch/jabberauth/index.txt
> > While thinking about what the resource can be set to I noticed a
> > security flaw:
> >
> > - If an attacker can guess what the resource is going to be, then you
> > have a problem.
>
> Is that a problem? If so, the same should apply to a component
> sending authorization requests.
>
> As I understand it, XEP-0070 is based on the assumption that an XMPP
> address cannot be forged. As long as that holds, I think there should
> be no problem.
Actually it's just because the 'from address' isn't checked in the
sample code. Once a check for 'from address' is added it becomes far
more secure.
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
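The 'from address' check Norman describes, shown as an added example that is not part of this thread or of the jabberauth sample code he links. It tracks pending XEP-0070 confirmations on the HTTP-server side and contrasts the flawed handler (any stanza carrying a known id is accepted) with a hardened one (the reply must come from the JID the confirmation was sent to, echo the same method and url, and each id is single-use). The JIDs, URL and stanzas are constructed for the demo; stanzas are simplified (no jabber:client namespace, message only) and JID comparison is a lowercase bare-JID match rather than full stringprep.

```python
import secrets
import xml.etree.ElementTree as ET

HTTP_AUTH_NS = "http://jabber.org/protocol/http-auth"  # XEP-0070 namespace
CONFIRM_TAG = f"{{{HTTP_AUTH_NS}}}confirm"


def bare_jid(jid):
    """Strip the resource and lowercase (simplified JID comparison; assumption:
    a real deployment applies the XMPP stringprep/precis rules instead)."""
    return jid.split("/", 1)[0].lower()


class ConfirmationTracker:
    """Pending XEP-0070 confirmations on the HTTP server, keyed by the id sent out."""

    def __init__(self):
        self._pending = {}

    def request(self, jid, method, url):
        """Record a request and build the <confirm/> stanza sent to the user's client.
        The id is random so it cannot be predicted the way a counter could."""
        token = secrets.token_hex(16)
        self._pending[token] = (bare_jid(jid), method, url)
        msg = ET.Element("message", {"to": jid})
        ET.SubElement(msg, CONFIRM_TAG, {"id": token, "method": method, "url": url})
        return token, ET.tostring(msg, encoding="unicode")

    def _parse(self, stanza):
        root = ET.fromstring(stanza)
        confirm = root.find(CONFIRM_TAG)
        if root.tag != "message" or confirm is None:
            return None
        return root.get("from"), confirm.get("id"), confirm.get("method"), confirm.get("url")

    def accept_unchecked(self, stanza):
        """The flaw discussed in the thread: only the id is consulted, so whoever
        can guess or observe the id can approve the request from any account."""
        parsed = self._parse(stanza)
        if parsed is None:
            return False
        _sender, token, method, url = parsed
        entry = self._pending.get(token)
        return entry is not None and entry[1:] == (method, url)

    def accept(self, stanza):
        """Hardened handler: id must be pending, the sender's bare JID must be the
        one we asked, method/url must match, and the id is consumed once used."""
        parsed = self._parse(stanza)
        if parsed is None:
            return False
        sender, token, method, url = parsed
        entry = self._pending.get(token)
        if entry is None or sender is None:
            return False
        expected_jid, expected_method, expected_url = entry
        if bare_jid(sender) != expected_jid:
            return False  # reply came from a different account: reject
        if (method, url) != (expected_method, expected_url):
            return False  # reply does not describe the request we asked about
        del self._pending[token]  # single use: a replayed approval is refused
        return True


def confirmation_response(sender, token, method, url):
    """Constructed client reply; a real client echoes the <confirm/> element back."""
    msg = ET.Element("message", {"from": sender})
    ET.SubElement(msg, CONFIRM_TAG, {"id": token, "method": method, "url": url})
    return ET.tostring(msg, encoding="unicode")


def demo():
    """Walk through a forged approval, the genuine approval and a replay."""
    tracker = ConfirmationTracker()
    url = "https://openid.example/login"  # constructed
    token, _outbound = tracker.request("alice@example.org", "GET", url)
    forged = confirmation_response("mallory@evil.example/Psi", token, "GET", url)
    genuine = confirmation_response("alice@example.org/Psi", token, "GET", url)
    return {
        "unchecked_accepts_forgery": tracker.accept_unchecked(forged),
        "checked_rejects_forgery": not tracker.accept(forged),
        "checked_accepts_genuine": tracker.accept(genuine),
        "replay_rejected": not tracker.accept(genuine),
    }


if __name__ == "__main__":
    print(demo())
```

Whether to compare the full JID (including resource) or only the bare JID depends on whether the confirmation was addressed to a specific connected resource; comparing the bare JID is the minimum that closes the gap Norman points out.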