On 6/27/07, Joe Hildebrand <[EMAIL PROTECTED]> wrote:
> On Jun 27, 2007, at 5:53 AM, Sergei Golovan wrote:
> > I would consider this XEP dangerous and wouldn't like to implement it
> > in Tkabber. It's too easy for a malicious user to flood all contacts
> > (and not only those in his roster) with false information about all clients
> > and versions he wants.
> >
> > I think that one should never apply info received from some user to
> > other users.
>
> Please bring this up on the standards list if you want to talk about
> it again, but this point has been beaten to death, I think.

And the only result of these discussions is a really small note in the
'Security Considerations' section, which really does cover only a small
portion of the possible security concerns. I could imagine, for example, an
attack on future software versions (where the victim can't check the
correctness of capabilities because there are no other sources of
information).

> You can always just query each user independently if you like; you
> only need to check it against the cache to look for disagreement, not
> cache each one separately.

I think that the XEP must not recommend caching capabilities based
only on reported software name and version. The more acceptable index
is a tuple {jid, client name, client version}.

See the idea of an attack above.
--
Sergei Golovan
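The disagreement in this thread comes down to what key a client uses for its capabilities cache. The following model is an added example, not code from the thread, from Tkabber or from XEP-0115: it contrasts a cache keyed on (client name, version) shared across all contacts with one keyed on the (jid, client name, version) tuple Sergei proposes, and it includes the "check against the cache for disagreement" step Joe describes. All JIDs, the caps node and the feature strings are constructed sample data.

```python
"""Toy model of an XEP-0115 entity-capabilities cache.

Added example, not code from the thread, from Tkabber or from XEP-0115.
Every JID, node and feature string below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

Features = FrozenSet[str]


@dataclass
class CapsCache:
    """Caches the feature set a contact reported in its disco#info response."""
    per_jid: bool  # True: key on (jid, node, ver); False: key on (node, ver) only
    _store: Dict[Tuple, Features] = field(default_factory=dict)

    def _key(self, jid: str, node: str, ver: str) -> Tuple:
        return (jid, node, ver) if self.per_jid else (node, ver)

    def record(self, jid: str, node: str, ver: str, features: Iterable[str]) -> None:
        # Remember what this particular contact answered for this node/ver.
        self._store[self._key(jid, node, ver)] = frozenset(features)

    def lookup(self, jid: str, node: str, ver: str) -> Optional[Features]:
        # None means "nothing cached under this key": the client must query.
        return self._store.get(self._key(jid, node, ver))


# Constructed sample: the caps node/version a real client advertises ...
NODE, VER = "http://client.example/caps", "1.0"
GENUINE: Features = frozenset({"urn:xmpp:jingle:1",
                               "http://jabber.org/protocol/chatstates"})
# ... and the (constructed) feature list a lying contact returns for the same node/ver.
BOGUS: Features = frozenset({"urn:xmpp:constructed:bogus"})


def features_seen_for_honest_contact(per_jid: bool) -> Optional[Features]:
    """What the cache hands back for alice once mallory's answer has been cached.

    Shared key: mallory's bogus entry is served for alice without ever asking her.
    Per-jid key: nothing is cached for alice, so the client queries her directly.
    """
    cache = CapsCache(per_jid=per_jid)
    mallory = "mallory@example.org/evil"
    alice = "alice@example.org/laptop"
    # Mallory advertises NODE/VER in presence and answers disco#info with BOGUS.
    cache.record(mallory, NODE, VER, BOGUS)
    # Alice now advertises the same NODE/VER; what does the local client believe?
    return cache.lookup(alice, NODE, VER)


def disagreement(cache: CapsCache, jid: str, node: str, ver: str,
                 fresh: Iterable[str]) -> bool:
    """Joe's check: compare a freshly queried disco#info result with the cache.

    True means this contact's answer differs from the cached entry for the key.
    In a shared-key cache that is the only signal that an entry was poisoned,
    and it only fires if the client bothers to re-query at all.
    """
    cached = cache.lookup(jid, node, ver)
    return cached is not None and cached != frozenset(fresh)


def shared_cache_flags_honest_client() -> bool:
    """With a shared key, a poisoned entry makes the honest client look like the liar."""
    cache = CapsCache(per_jid=False)
    cache.record("mallory@example.org/evil", NODE, VER, BOGUS)
    return disagreement(cache, "alice@example.org/laptop", NODE, VER, GENUINE)


if __name__ == "__main__":
    print("shared key   :", sorted(features_seen_for_honest_contact(per_jid=False)))
    print("per-jid key  :", features_seen_for_honest_contact(per_jid=True))
    print("disagreement :", shared_cache_flags_honest_client())
```

The per-jid key trades away the bandwidth saving that motivates the shared cache (each contact is queried once per node/version), but a contact can then only poison what the local client believes about that contact itself. With the shared key, the disagreement check can detect a conflict, yet it cannot tell which of the two responders lied, so the client still has to fall back to querying each contact.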