[jdev] Alternate MUC Authentication Mechanisms
Alex Milowski
alex at milowski.org
Fri Oct 22 10:30:06 CST 2010
On Fri, Oct 22, 2010 at 3:29 AM, Simon Tennant (buddycloud)
<simon at buddycloud.com> wrote:
> On 22/10/2010 04:05, Kurt Zeilenga wrote:
>>
>> So my previous suggestion was subject to a limited replay attack. In
>> particular, someone who was able to hijack the C2S, S2S, or the intermediate
>> server could do a replay. Here's another suggestion that eliminates this
>> replay attack and doesn't require any additional roadtrips.
>
> Doesn't the idea of having a shared secret between users invalidate all
> technical security measures?
>
Yes. I don't see anything about password protected room that requires
the password to be shared. I've looked over "Password-Protected
Rooms" section [1] and it doesn't say that you cant have identity
specific passwords for each registered member. I realize that isn't
what is probably expected or implemented in current servers but it
wouldn't be that hard to configure and enforce.
I my case, I think I would require the room to have specific passwords
for each member. I'm already off in a corner where I'm going to put
specific requirements on the server's implementation to ensure some
level of trust in the room traffic.
[1] http://xmpp.org/extensions/xep-0045.html#enter-pw
--
--Alex Milowski
"The excellence of grammar as a guide is proportional to the paucity of the
inflexions, i.e. to the degree of analysis effected by the language
considered."
Bertrand Russell in a footnote of Principles of Mathematics
More information about the JDev
mailing list