Perhaps, but it needs to be clarified that such a limit must be implemented in a very specific way. Current implementations of "max stanza size" will likely not prevent this attack from being successful because it is imposed after the stanza is parsed. This attack is targeted at the streaming XML parser.

As long as there is the ability to set a limit then this attack can be thwarted. 

Such a limiting mechanism should be implemented at the transport level, not at the session or presentation layers as currently implemented in most XMPP servers.

While it would perhaps be a good idea to allow the server administrator the ability to disable this mechanism, I think that it should be enabled by default--perhaps set to 100k (an absurdly large size for a stanza).

All of these recommendations would be enumerated and described in the proposed best-practice JEP.

On Mar 27, 2006, at 7:22 AM, Vinod Panicker wrote:

On 3/27/06, Robert B Quattlebaum, Jr. <[EMAIL PROTECTED]> wrote:
*bump*

I personally think this is a rather serious issue, perhaps warranting
a "Best-practices" JEP for server developers. As XMPP becomes more
and more popular, it is only a matter of time before script-kiddies
start causing trouble.

What I'm thinking is a JEP which describes the attack and ways to
prevent it from being successful. Then it makes it easy for server
authors to communicate if their server is hardened against this type
of attack: "AcmeJabD 0.3 is JEP-01xx compliant"...

Any thoughts? Good idea? Better solution? Am I making this out to be
bigger than it actually is?

<snip/>

It's recommended that internet servers have a limit on the amount of
data they would accept from a client as a "command".  In the case of
XMPP, the server could enforce it in terms of bytes received on the
connection.  Unfortunately, this would be deployment scenario based -
since some deployments might require the server to accept a large
number of bytes in a single stanza (assuming an extension to the
protocol), while others would be happy with say a 10K limit.

I think that this should be left to the server administrators to
configure, but would be a good practice if servers implement this.

Regards,
Vinod.



__________________
Robert Quattlebaum
Mobile: +1(650) 223-4974
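To make the distinction in the reply above concrete, here is an added example (not code from the thread or from any XMPP server) of the two places a "max stanza size" can be enforced. The reader counts raw bytes received since the last completed stanza and drops the connection before the streaming parser sees the chunk that would exceed the budget; the alternative mode measures each stanza only after it has been parsed, which is the behaviour the reply says does not help. The 100k default, the stream header, the legitimate stanza and the attacker's never-closing `<message>` are all constructed for this example, and the chunk-based accounting (budget is effectively the limit plus one read chunk, since a chunk that finishes one stanza may also begin the next) is an assumption of this simplified reader.

```python
"""Transport-level vs. post-parse stanza size limits (added example).

Assumes a server that reads raw bytes from a client socket and feeds them
into a streaming XML parser.  MAX_STANZA_BYTES follows the 100k default
suggested in the thread; everything else here is constructed for the demo.
"""
import xml.etree.ElementTree as ET

MAX_STANZA_BYTES = 100 * 1024


class StanzaTooLarge(Exception):
    """Raised when a client exceeds the per-stanza byte budget."""


class StreamReader:
    """Feeds bytes from one connection into a streaming (pull) XML parser.

    mode="transport": count raw bytes since the last completed stanza and
    refuse the chunk that would exceed the limit *before* the parser sees it.
    This stops an attacker who simply never closes a stanza.

    mode="stanza": parse first, then measure each completed stanza.  A stanza
    that never completes is never measured, so the parser buffers it without
    bound; this is the ineffective placement the thread warns about.
    """

    def __init__(self, max_stanza_bytes=MAX_STANZA_BYTES, mode="transport"):
        self.max_stanza_bytes = max_stanza_bytes
        self.mode = mode
        self.parser = ET.XMLPullParser(events=("start", "end"))
        self.depth = 0       # 1 == inside <stream:stream>, 2 == inside a stanza
        self.pending = 0     # bytes received since the last complete stanza
        self.bytes_fed = 0   # total bytes handed to the XML parser
        self.stanzas = []    # completed top-level stanzas (a real server routes these)

    def feed(self, chunk: bytes) -> None:
        if self.mode == "transport":
            # Byte accounting happens here, on the wire, not after parsing.
            self.pending += len(chunk)
            if self.pending > self.max_stanza_bytes:
                raise StanzaTooLarge(
                    f"{self.pending} bytes received without a complete stanza")
        self.parser.feed(chunk)
        self.bytes_fed += len(chunk)
        for event, elem in self.parser.read_events():
            if event == "start":
                self.depth += 1
                if self.depth == 1:
                    self.pending = 0     # the stream header is not a stanza
            else:  # "end"
                self.depth -= 1
                if self.depth == 1:      # a direct child of <stream:stream> closed
                    self._complete(elem)

    def _complete(self, elem) -> None:
        if self.mode == "stanza":
            # Post-parse check: only ever runs for stanzas that actually close.
            size = len(ET.tostring(elem))
            if size > self.max_stanza_bytes:
                raise StanzaTooLarge(f"stanza of {size} bytes")
        self.stanzas.append(elem)
        # Reset at chunk granularity: any bytes of the *next* stanza that
        # arrived in this same chunk are not counted (assumption of this demo).
        self.pending = 0


# Constructed sample traffic for the demo.
STREAM_HEADER = (b"<stream:stream xmlns='jabber:client' "
                 b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
LEGIT_STANZA = b"<message to='juliet@example.com'><body>hi</body></message>"


def run_attack(mode, total_bytes=400_000, chunk_size=4096,
               max_stanza_bytes=MAX_STANZA_BYTES):
    """Send the stream header, one legitimate stanza, then a <message> whose
    body is an endless run of well-formed <a/> children that never closes.

    Returns (rejected, bytes_fed_to_parser, completed_stanzas).
    """
    reader = StreamReader(max_stanza_bytes, mode)
    reader.feed(STREAM_HEADER)
    reader.feed(LEGIT_STANZA)
    payload = b"<message><body>" + b"<a/>" * (total_bytes // 4)
    try:
        for off in range(0, len(payload), chunk_size):
            reader.feed(payload[off:off + chunk_size])
    except StanzaTooLarge:
        return True, reader.bytes_fed, len(reader.stanzas)
    return False, reader.bytes_fed, len(reader.stanzas)


if __name__ == "__main__":
    for mode in ("transport", "stanza"):
        rejected, fed, stanzas = run_attack(mode)
        print(f"{mode:9s} rejected={rejected} parser_saw={fed} bytes "
              f"completed_stanzas={stanzas}")
```

With the transport-level limit the parser sees about 100k of the attacker's bytes and the connection is dropped; with the post-parse limit the parser swallows the whole payload (and, in a real server, keeps going for as long as the attacker keeps sending) and the limit never fires, because the only stanza that ever completes is the small legitimate one.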



