On 11/15/06, Magnus Henoch <[EMAIL PROTECTED]> wrote:
> "Norman Rasmussen" <[EMAIL PROTECTED]> writes:
> > I've been playing with OpenID and using the XEP-0070 example as a
> > source for logic. It was very irritating to have a unique resource
> > all the time because Psi loads each one in a new window.
> Did you try the new XEP-0070 support from SVN?
SVN? What's the link?
I've been using http://www.dtek.chalmers.se/~henoch/jabberauth/index.txt
> > While thinking about what the resource can be set to I noticed a
> > security flaw:
> >
> > - If an attacker can guess what the resource is going to be, then you
> > have a problem.
> Is that a problem? If so, the same should apply to a component
> sending authorization requests.
>
> As I understand it, XEP-0070 is based on the assumption that an XMPP
> address cannot be forged. As long as that holds, I think there should
> be no problem.
Actually it's just because the 'from address' isn't checked in the
sample code. Once a check for 'from address' is added it becomes far
more secure.
--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/
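The 'from address' check Norman describes, as an added example that is not code from this thread or from the XEP-0070 sample implementation he refers to: a reply to a `<confirm/>` request is only accepted if it arrives from the exact full JID the request was sent to and echoes the request's id, method and URL. The function names, the pending-request dict and the sample JIDs and stanzas are assumptions made for the example.

```python
import secrets
import xml.etree.ElementTree as ET

NS = "http://jabber.org/protocol/http-auth"  # XEP-0070 <confirm/> namespace

def new_request_id():
    # The id is what the requester must echo back; make it unguessable.
    return secrets.token_urlsafe(16)

def verify_confirmation(stanza_xml, pending):
    """Validate a reply to a XEP-0070 confirm request.

    pending: the to/id/method/url recorded when the request was sent.
    Returns (accepted, reason). Relies on the XMPP server stamping the
    'from' attribute on delivery, so the sender cannot choose it.
    """
    root = ET.fromstring(stanza_xml)
    if root.tag.split("}")[-1] not in ("message", "iq"):
        return False, "not a message or iq stanza"
    if root.get("type") == "error":
        return False, "user denied the request"
    # The check the thread says the sample code lacks: the reply must
    # come from the exact full JID (bare JID + resource) we asked.
    if root.get("from") != pending["to"]:
        return False, "from address does not match request recipient"
    confirm = root.find("{%s}confirm" % NS)
    if confirm is None:
        return False, "no confirm element"
    for attr in ("id", "method", "url"):
        if confirm.get(attr) != pending[attr]:
            return False, "%s mismatch" % attr
    return True, "confirmed"

# Constructed sample exchange (not captured traffic).
PENDING = {"to": "juliet@example.com/a7Kq", "id": "req-1",
           "method": "GET", "url": "https://files.example.com/secret.txt"}
CONFIRM = ("<confirm xmlns='%s' id='req-1' method='GET' "
           "url='https://files.example.com/secret.txt'/>" % NS)
GOOD_REPLY = "<message from='juliet@example.com/a7Kq'>%s</message>" % CONFIRM
# Same confirm element, but delivered from a different account that
# happens to use the same resource string: rejected by the from check.
FORGED_REPLY = "<message from='mallory@example.org/a7Kq'>%s</message>" % CONFIRM

if __name__ == "__main__":
    print(verify_confirmation(GOOD_REPLY, PENDING))    # (True, 'confirmed')
    print(verify_confirmation(FORGED_REPLY, PENDING))
```

With the from check in place, a guessable resource only lets a third party know where the request went, not answer it on the user's behalf.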