On Mon, 13 Oct 2008, Peter Saint-Andre wrote:

c) Attacker knows full jid, and can determine if it is online.

In principle, this is the simplest case. Aside from the above <message/>
attack - messages to offline full jids are processed just like those to
bare jids - there is also the <iq/> case - send an <iq/> and you will
receive either a result (user online), or an error, and by sending the
same <iq/> to the server, one might distinguish between online and offline.

There are two possible branches here:

1. Does the attacker receive different responses (e.g., a completely
different error condition)?

2. Can the attacker differentiate between the same response from the
server and from the client (e.g., the client includes an old 'code'
attribute but the server does not)?

Or the round-trip time for a server-generated error is shorter than that for a client-generated error. (Or a client error rewritten by the server.)

Between timing attacks and low-level formatting details (whitespace, order of attributes), getting a server to imitate a client is a scary minefield.

--Z

--
"And Aholibamah bare Jeush, and Jaalam, and Korah: these were the borogoves..."
*
Don't you think McCain looks tired?
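Added example, not from the thread: one defensive step against the formatting half of that minefield is to canonicalize every error stanza the server emits or relays, so that attribute order, layout whitespace, quoting style and the legacy 'code' attribute cannot reveal whether the client or the server produced it. The two stanzas below are constructed samples, and the timing difference Z mentions is not addressed by this code.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed samples (not from the thread): the same service-unavailable
# error as a client might emit it (legacy 'code' attribute, different
# attribute order, pretty-printed) and as a server might generate it.
CLIENT_ERROR = """<iq id='v1' type='error' to='romeo@example.net/orchard'
    from='juliet@example.com/balcony'>
  <query xmlns='jabber:iq:version'/>
  <error code='503' type='cancel'>
    <service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  </error>
</iq>"""
SERVER_ERROR = ("<iq from='juliet@example.com/balcony' id='v1'"
                " to='romeo@example.net/orchard' type='error'>"
                "<query xmlns='jabber:iq:version'/><error type='cancel'>"
                "<service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>"
                "</error></iq>")

LEGACY_ERROR_ATTRS = {"code"}  # pre-RFC 3920 numeric code some clients still send


def _split(tag):
    """ElementTree encodes namespaces as '{ns}local'; split them apart."""
    return tag[1:].split("}", 1) if tag.startswith("{") else ("", tag)


def _serialize(el, parent_ns):
    ns, local = _split(el.tag)
    attrs = dict(el.attrib)
    if local == "error":
        for name in LEGACY_ERROR_ATTRS:   # drop origin-revealing extras
            attrs.pop(name, None)
    if ns != parent_ns:                    # declare namespace only on change
        attrs["xmlns"] = ns
    out = "<" + local + "".join(
        f" {k}={quoteattr(v)}" for k, v in sorted(attrs.items()))
    text = (el.text or "").strip()         # whitespace-only text is layout
    children = list(el)
    if not text and not children:
        return out + "/>"
    return out + ">" + text + "".join(
        _serialize(c, ns) for c in children) + "</" + local + ">"


def canonicalize(stanza_xml):
    """Fixed byte form of an error stanza: sorted attributes, no layout
    whitespace, no legacy 'code' attribute, single quoting style."""
    return _serialize(ET.fromstring(stanza_xml), "")


def indistinguishable(a, b):
    """True if two stanzas would look identical after canonicalization."""
    return canonicalize(a) == canonicalize(b)
```

Running both samples through canonicalize() yields the same bytes; a genuinely different error condition (e.g. item-not-found versus service-unavailable) still differs, which is the other branch Peter lists and must be fixed in the server's policy, not in formatting.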
