[jdev] Alternate MUC Authentication Mechanisms

Simon Tennant (buddycloud) simon at buddycloud.com
Fri Oct 22 04:29:38 CST 2010


On 22/10/2010 04:05, Kurt Zeilenga wrote:
> So my previous suggestion was subject to a limited replay attack.  In particular, someone who was able to hijack the C2S, S2S, or the intermediate server could do a replay.  Here's another suggestion that eliminates this replay attack and doesn't require any additional roadtrips.
Doesn't the idea of having a shared secret between users invalidate all 
technical security measures?

Traffic can be intercepted, replayed and whatever... but sharing a 
secret between users as a way to access a common resource without a 
per-user audit trail seems like something that should never fly in the 
first place. Especially not in 2010.

If your MUC's content is really so sekrit, use permissions on JIDs, not 
a shared secret. Shared secrets should really just be deprecated IMHO.

S.

-- 
Simon Tennant

mobile: +49 17 8545 0880
office: +44 20 7043 6756
office: +49 89 4209 55854

channel: http://buddycloud.com/user/buddycloud.com/simon
xmpp:simon at buddycloud.com
mailto:simon at buddycloud.com
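
The contrast the message draws, a room secret shared between users versus permissions attached to JIDs, in code. This is an added example, not code from the jdev thread or from buddycloud: two toy room policies that decide a XEP-0045 join presence. The room config fields it names (muc#roomconfig_passwordprotected, muc#roomconfig_membersonly) are from XEP-0045; the room, the JIDs and the stanzas are constructed, and the class and function names are illustrative. It shows the two points of the argument: someone who was forwarded the secret out of band gets in under the shared-secret policy and is logged only as "presented the secret", and locking out one person means rotating the secret for everyone, whereas a members-only room revokes one bare JID and nobody else is affected.

```python
# Added example (not from the jdev thread or buddycloud): two room access
# policies for an XEP-0045 MUC join, compared on the point raised above:
# a shared room secret vs per-JID affiliations. All stanzas are constructed.
import secrets
import xml.etree.ElementTree as ET

MUC_NS = "http://jabber.org/protocol/muc"


def bare_jid(jid):
    """Strip the resource: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0]


def parse_join(presence_xml):
    """Return (bare JID, supplied password or None) from a MUC join presence."""
    pres = ET.fromstring(presence_xml)
    x = pres.find(f"{{{MUC_NS}}}x")
    password = x.findtext(f"{{{MUC_NS}}}password") if x is not None else None
    return bare_jid(pres.get("from")), password


class SharedSecretRoom:
    """muc#roomconfig_passwordprotected=1: anyone holding the secret gets in."""

    def __init__(self, secret):
        self.secret = secret
        self.audit = []  # (bare JID, outcome, basis of the decision)

    def join(self, presence_xml):
        jid, password = parse_join(presence_xml)
        ok = password is not None and secrets.compare_digest(password, self.secret)
        # The audit trail can only say "presented the secret": it cannot tell
        # an authorised member from anyone the secret was forwarded to.
        self.audit.append((jid, "joined" if ok else "rejected", "shared-secret"))
        return ok

    def revoke(self, jid):
        """The only way to lock out one holder is to rotate the secret for all."""
        self.secret = secrets.token_urlsafe(16)
        return "rotated-for-everyone"


class MembersOnlyRoom:
    """muc#roomconfig_membersonly=1: access decided per bare JID affiliation."""

    ALLOWED = {"owner", "admin", "member"}

    def __init__(self, affiliations):
        self.affiliations = dict(affiliations)  # bare JID -> affiliation
        self.audit = []

    def join(self, presence_xml):
        jid, _ = parse_join(presence_xml)  # any password in the stanza is ignored
        ok = self.affiliations.get(jid) in self.ALLOWED
        self.audit.append((jid, "joined" if ok else "rejected", "affiliation"))
        return ok

    def revoke(self, jid):
        """Lock out one JID; nobody else's access changes."""
        self.affiliations[jid] = "outcast"
        return "revoked-" + jid


def join_stanza(full_jid, room_jid, password=None):
    """Build a constructed XEP-0045 join presence (example data only)."""
    pw = f"<password>{password}</password>" if password else ""
    return (f"<presence from='{full_jid}' to='{room_jid}/nick'>"
            f"<x xmlns='{MUC_NS}'>{pw}</x></presence>")


def demo():
    room = "secret@conference.example.org"  # constructed room JID
    alice, mallory = "alice@example.org/pc", "mallory@example.org/phone"

    pw_room = SharedSecretRoom("hunter2")
    member_room = MembersOnlyRoom({"alice@example.org": "member"})

    # Mallory is not a member but was forwarded the secret out of band.
    leaked = join_stanza(mallory, room, "hunter2")
    pw_lets_mallory_in = pw_room.join(leaked)
    members_let_mallory_in = member_room.join(leaked)

    # Removing Alice: one policy rotates everyone's credential, the other
    # touches only her affiliation.
    pw_revoke = pw_room.revoke("alice@example.org")
    member_revoke = member_room.revoke("alice@example.org")
    alice_after = member_room.join(join_stanza(alice, room))
    return {
        "password_admits_leaked_secret": pw_lets_mallory_in,
        "members_only_admits_leaked_secret": members_let_mallory_in,
        "password_revocation": pw_revoke,
        "members_only_revocation": member_revoke,
        "alice_after_revocation": alice_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the five outcomes; the audit lists on each room show the difference in what is recorded per join. The shared-secret room still sees a `from` JID on the stanza, but the decision does not depend on it, so the log entry proves only that the secret was known, not that the holder was ever granted access.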


