On 2014-12-19 15:24, Peter Viskup wrote: > Hi all, > thought it would be interesting to the audience of this mailinglist. > > http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html > > Best regards, >
Someone suggested that JIDs leaked in this incident might be what fueled the recent directed spam wave. I had actually forgotten this thread, but found it again after some searching. The original thread went on to discuss SCRAM for password security, but gave no thought to what else of value might have leaked. Since everyone seems to have been hit by spam, even people who don't have their JIDs posted on wiki.xmpp.org, some kind of compromise seems very likely, and the jabbim one might be it (or at least one possible source). So what can we do? I suspect anything that has any effect will come at a price. We could start requiring presence subscriptions for sending messages, which would decrease the value of just having a large list of JIDs, but sometimes you want to say something to someone once without giving them all your presence. And spammers will likely turn to spamming with subscription requests instead, as reported by Google a couple of years ago. -- Kim "Zash" Alvefur
signature.asc
Description: OpenPGP digital signature
