On Mon Oct 13 22:22:02 2008, Andrew Plotkin wrote:
On Mon, 13 Oct 2008, Peter Saint-Andre wrote:
c) Attacker knows full jid, and can determine if it is online.
In principle, this is the simplest case. Aside from the above <message/> attack - messages to offline full jids are processed just like those to bare jids - there is also the <iq/> case - send an <iq/> and you will receive either a result (user online), or an error, and by sending the same <iq/> to the server, one might distinguish between online and offline.
There are two possible branches here:

1. Does the attacker receive different responses (e.g., a completely different error condition)?

2. Can the attacker differentiate between the same response from the server and from the client (e.g., the client includes an old 'code' attribute but the server does not)?
Or the round-trip time for a server-generated error is shorter than that for a client-generated error. (Or a client error rewritten by the server.)
Timing attacks are tricky in many cases, unless you happen to be on the same server.
Between timing attacks and low-level formatting details (whitespace, order of attributes), getting a server to imitate a client is a scary minefield.
Ah, no, I'm not suggesting that, I'm suggesting that servers intercept client errors and coerce them into the form, at least mitigating branch 2.
If a client is giving an entirely different error, the client is at fault, or else is (apparently) intentionally revealing presence.
Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
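The <iq/> probe and the two branches discussed in this thread, as an added worked example that is not part of the original message or of any XMPP implementation. It classifies what a prober learns from one reply and shows the server-side coercion of client errors that Dave proposes for branch 2. All four sample stanzas are constructed; the probe id 'p1', the JIDs, and the legacy code='501'/'503' values are assumptions about what a client might send. The server's own reply for an <iq/> to a nonexistent resource is taken to be <service-unavailable/>, which is what the XMPP IM RFCs specify for that case.

```python
"""Classify replies to an <iq/> presence probe and normalise client errors.

Added example (not from the original thread).  All stanzas are constructed.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"
# Condition the server returns for an <iq/> to a full JID whose resource is not
# connected (assumption: the server follows the XMPP IM RFCs here).
SERVER_OFFLINE_CONDITION = "service-unavailable"

# Constructed sample replies to a probe <iq id='p1'/> sent to a full JID.
REPLY_RESULT = (
    '<iq type="result" id="p1" from="user@example.com/home" to="probe@example.net/x"/>'
)
REPLY_SERVER_ERROR = (
    '<iq type="error" id="p1" from="user@example.com/home" to="probe@example.net/x">'
    '<error type="cancel"><service-unavailable xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>'
    '</error></iq>'
)
# Branch 1: the client answers with a different condition than the server would.
REPLY_CLIENT_OTHER_CONDITION = (
    '<iq type="error" id="p1" from="user@example.com/home" to="probe@example.net/x">'
    '<error code="501" type="cancel">'
    '<feature-not-implemented xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>'
    '</error></iq>'
)
# Branch 2: same condition as the server, but the client adds a legacy 'code'
# attribute and a <text/> child (the fingerprint the thread worries about).
REPLY_CLIENT_SAME_CONDITION = (
    '<iq type="error" id="p1" from="user@example.com/home" to="probe@example.net/x">'
    '<error code="503" type="cancel">'
    '<service-unavailable xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>'
    '<text xmlns="urn:ietf:params:xml:ns:xmpp-stanzas">no such feature</text>'
    '</error></iq>'
)


def error_condition(error):
    """Return the local name of the defined condition inside <error/>, or None."""
    for child in error:
        if child.tag.startswith("{%s}" % STANZAS_NS) and not child.tag.endswith("}text"):
            return child.tag.split("}", 1)[1]
    return None


def classify(stanza_xml):
    """What the prober learns from one reply.

    'online'                          - an <iq type='result'/> came back
    'online (client-generated error)' - the error does not look server-made
    'offline-or-online'               - indistinguishable from the server's error
    """
    iq = ET.fromstring(stanza_xml)
    if iq.get("type") == "result":
        return "online"
    error = iq.find("error")
    if error is None:
        return "malformed"
    if error_condition(error) != SERVER_OFFLINE_CONDITION:
        return "online (client-generated error)"  # branch 1: different condition
    if "code" in error.attrib or error.find("{%s}text" % STANZAS_NS) is not None:
        return "online (client-generated error)"  # branch 2: same condition, client fingerprint
    return "offline-or-online"


def normalize_error(stanza_xml):
    """Server-side mitigation for branch 2: rewrite a client's error reply into
    the exact form the server itself emits (fixed attribute order, no legacy
    'code', no <text/>).  Only the condition survives, so a client that sends a
    different condition (branch 1) is still distinguishable, as the thread notes.
    """
    iq = ET.fromstring(stanza_xml)
    error = iq.find("error")
    if iq.get("type") != "error" or error is None:
        return stanza_xml  # not an error stanza; pass through untouched
    # A client error with no defined condition is mapped to <undefined-condition/>.
    cond = error_condition(error) or "undefined-condition"
    return (
        "<iq type=\"error\" id=%s from=%s to=%s><error type=%s><%s xmlns=%s/></error></iq>"
        % (
            quoteattr(iq.get("id", "")),
            quoteattr(iq.get("from", "")),
            quoteattr(iq.get("to", "")),
            quoteattr(error.get("type", "cancel")),
            cond,
            quoteattr(STANZAS_NS),
        )
    )


if __name__ == "__main__":
    for name, reply in [
        ("result", REPLY_RESULT),
        ("server error", REPLY_SERVER_ERROR),
        ("client, other condition", REPLY_CLIENT_OTHER_CONDITION),
        ("client, same condition", REPLY_CLIENT_SAME_CONDITION),
    ]:
        print("%-24s raw: %-32s normalised: %s"
              % (name, classify(reply), classify(normalize_error(reply))))
```

Running the block shows that the branch-2 sample is distinguishable as raw traffic and becomes indistinguishable from the server's own error once the server rewrites it, while the branch-1 sample stays distinguishable either way. The timing side channel from the thread is outside what a stanza rewrite can hide; only the formatting and attribute differences are removed here.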