On Sat, Feb 1, 2014 at 11:54 AM, Alexander Holler <[email protected]> wrote:
> I don't consider the id (or even the resource name as mentioned in another
> mail) as part of the security concept of XMPP.

I think people probably should. Non-random resources are a great source of presence leaks. Non-random ids leak a very small amount of information, but they do leak information (when receiving a stanza you can predict where in the life of a stream a client is). This is outside the scope of the vulnerability of libraries that don't do proper id/target matching, although those libraries that use random ids are /much/ less vulnerable to the issue in question.

/K
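The id/target matching mentioned in the message above, sketched as an added example that is not part of the original post or taken from any XMPP library: an `<iq/>` response is accepted only when both its id and its sender match a pending request, and ids are drawn from a CSPRNG. The names `IqTracker` and `demo`, the JIDs, and the handling of requests sent without a `to` are assumptions made for illustration.

```python
import secrets
import xml.etree.ElementTree as ET


class IqTracker:
    """Tracks outstanding <iq/> requests and validates their responses."""

    def __init__(self, own_jid):
        self.own_full = own_jid                    # user@host/resource
        self.own_bare = own_jid.split("/", 1)[0]   # user@host
        self.pending = {}                          # id -> acceptable 'from' values

    def new_request(self, to=None):
        # Unpredictable id: a peer can neither guess it nor infer from it
        # how far into the stream this client is.
        iq_id = secrets.token_urlsafe(16)
        if to is None:
            # Assumption: a request without 'to' is answered by our own
            # server, with no 'from' or with our own JID as 'from'.
            allowed = {None, self.own_bare, self.own_full}
        else:
            # Exact string match; a real client compares normalised JIDs.
            allowed = {to}
        self.pending[iq_id] = allowed
        return iq_id

    def accept_response(self, stanza_xml):
        """True only if the stanza answers a pending request and comes
        from the entity that request was addressed to."""
        iq = ET.fromstring(stanza_xml)      # constructed sample input only
        if iq.tag.rsplit("}", 1)[-1] != "iq":
            return False
        if iq.get("type") not in ("result", "error"):
            return False
        allowed = self.pending.get(iq.get("id"))
        if allowed is None or iq.get("from") not in allowed:
            return False    # unknown id, or a known id from the wrong sender
        del self.pending[iq.get("id")]      # each request is answered once
        return True


def demo():
    # Constructed JIDs and stanzas, not captured traffic.
    tracker = IqTracker("alice@example.org/laptop")
    rid = tracker.new_request(to="bob@example.org/phone")
    wrong_sender = f'<iq type="result" id="{rid}" from="carol@example.net/x"/>'
    genuine = f'<iq type="result" id="{rid}" from="bob@example.org/phone"/>'
    return [tracker.accept_response(wrong_sender),
            tracker.accept_response(genuine),
            tracker.accept_response(genuine)]   # a repeat is rejected
```

A mismatched sender leaves the pending entry in place, so the genuine response is still accepted afterwards.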
