[Standards] Re: [jdev] XEP-0115: Entity Capabilities
Joe Hildebrand
hildjj at gmail.com
Thu Jun 28 17:19:11 CDT 2007
For those not on the standards list, see my suggestion here:
http://urltea.com/v8n
On Jun 27, 2007, at 12:31 AM, Sergei Golovan wrote:
> On 6/27/07, Joe Hildebrand <hildjj at gmail.com> wrote:
>>
>> On Jun 27, 2007, at 5:53 AM, Sergei Golovan wrote:
>>
>> > I would consider this XEP dangerous and wouldn't like to
>> > implement it
>> > in Tkabber. It's too easy for a malicious user to flood all contacts
>> > (and not only in his roster) with false information about all clients
>> > and versions he wants.
>> >
>> > I think that one never should apply info received from some user to
>> > other users.
>>
>> Please bring this up on the standards list if you want to talk about
>> it again, but this point has been beaten to death, I think.
>
> And the only result of these discussions is a really small note in
> 'Security consideration' section. Which really does cover a small
> portion of possible security concerns. I could imagine for example an
> attack on future software versions (where the victim can't check the
> correctness of capabilities because there are no other sources of
> information).
>
>>
>> You can always just query each user independently if you like; you
>
> I think that the XEP must not recommend caching capabilities based
> only on reported software name and version. The more acceptable index
> is a tuple {jid, client name, client version}.
>
>> only need to check it against the cache to look for disagreement, not
>> cache each one separately.
>
> See the idea of an attack above.
>
> --
> Sergei Golovan
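The disagreement in this thread comes down to what the capabilities cache is keyed on. The toy cache below is an added example, not code from this thread, from XEP-0115 or from Tkabber or any other client; the node and ver strings, JIDs and feature names are constructed placeholders, and the disco#info query is simulated by a lookup table. It shows the outcome Sergei describes when the cache is keyed by (node, ver) alone, the {jid, node, ver} tuple he proposes, and Joe's alternative of keeping a shared cache but querying the contact directly and checking the answer against it for disagreement.

```python
"""Toy XEP-0115 capabilities cache: (node, ver) keying versus (jid, node, ver)
keying, plus a direct-query check for disagreement with the cache.
Added example; all JIDs, node/ver values and feature names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Features = FrozenSet[str]
Key = Tuple[str, ...]

# Constructed placeholders for the 'node' and 'ver' a client advertises in presence.
NODE = "http://example.invalid/client"
VER = "1.0"

# Constructed stand-in for the disco#info answer each JID gives when asked directly.
# A real client would send the IQ over the wire instead of reading this table.
DISCO_RESPONSES: Dict[str, Features] = {
    "honest@example.invalid": frozenset({"feature:a", "feature:b"}),
    "attacker@example.invalid": frozenset({"feature:attacker-claims"}),
}


def disco_info(jid: str) -> Features:
    """Simulated direct disco#info query to a single JID."""
    return DISCO_RESPONSES[jid]


@dataclass
class CapsCache:
    """Cache of disco#info results.

    per_jid=False keys entries by (node, ver) only, so an answer learned from one
    contact is reused for every contact advertising the same node/ver.
    per_jid=True keys by (jid, node, ver), the tuple proposed in the thread, so one
    contact's answer never stands in for another contact's.
    """
    per_jid: bool
    entries: Dict[Key, Features] = field(default_factory=dict)

    def key(self, jid: str, node: str, ver: str) -> Key:
        return (jid, node, ver) if self.per_jid else (node, ver)

    def lookup(self, jid: str, node: str, ver: str) -> Optional[Features]:
        return self.entries.get(self.key(jid, node, ver))

    def store(self, jid: str, node: str, ver: str, features: Features) -> None:
        self.entries[self.key(jid, node, ver)] = frozenset(features)


def resolve(cache: CapsCache, jid: str, node: str, ver: str,
            query: Callable[[str], Features] = disco_info,
            verify: bool = False) -> Tuple[Features, str]:
    """Return (features, how) for a contact advertising node/ver.

    how is "cache" (served from the cache), "query" (cache miss, contact asked
    directly) or "mismatch" (verify=True: the contact's own answer disagreed with
    the cached entry, so the direct answer wins and the cache entry is replaced).
    """
    cached = cache.lookup(jid, node, ver)
    if cached is None:
        fresh = query(jid)
        cache.store(jid, node, ver, fresh)
        return fresh, "query"
    if not verify:
        return cached, "cache"
    fresh = query(jid)
    if fresh != cached:
        # With per_jid=False this overwrites the shared entry; repeated flips of
        # the same (node, ver) entry are the disagreement signal worth logging.
        cache.store(jid, node, ver, fresh)
        return fresh, "mismatch"
    return cached, "cache"


def poisoning_outcome(per_jid: bool, verify: bool = False) -> Tuple[Features, str]:
    """The attacker's answer is cached first; what does the cache then report for
    the honest contact, who advertises the same node/ver?"""
    cache = CapsCache(per_jid=per_jid)
    resolve(cache, "attacker@example.invalid", NODE, VER)
    return resolve(cache, "honest@example.invalid", NODE, VER, verify=verify)


if __name__ == "__main__":
    for per_jid in (False, True):
        for verify in (False, True):
            feats, how = poisoning_outcome(per_jid, verify)
            print(f"per_jid={per_jid!s:5} verify={verify!s:5} -> {how:8} {sorted(feats)}")
```

With per_jid=False and no verification the honest contact is reported with the attacker's feature set, which is the cross-user poisoning described in the quoted messages. Keying by (jid, node, ver) makes the honest contact a cache miss and a direct query, at the cost of one query per contact. Keeping the shared key but verifying costs the same number of queries in this run, so the saving Joe describes only materialises once a contact's answer has been confirmed and later lookups can be served from the cache without re-asking.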