On 25.01.2012 09:30, Mike Wacker wrote:
> I saw this in RFC 6120:
> "To reduce the possibility of a denial-of-service attack, (a) the
> receiving entity SHOULD NOT close the stream with a <see-other-host/>
> stream error until after the confidentiality and integrity of the
> stream have been protected via TLS or an equivalent security layer
> (such as the SASL GSSAPI mechanism), and (b) the receiving entity MAY
> have a policy of following redirects only if it has authenticated the
> receiving entity. In addition, the initiating entity SHOULD abort the
> connection attempt after a certain number of successive redirects
> (e.g., at least 2 but no more than 5)."
> Does anyone have any clarification to this section and the specific
> DoS threat if TLS (or authentication) does not happen before
> <see-other-host>?
Indeed, what problem could occur with unauthenticated redirections?
--
Regards,
Evgeniy Khramtsov, ProcessOne.
xmpp:[email protected].
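The quoted RFC text describes two client-side rules (follow a redirect only over a protected stream, and stop after a bounded number of successive redirects) and one server-side rule (do not emit <see-other-host/> before the stream is protected). The following Python sketch is an added illustration of those rules as a redirect policy; it is not code from this thread or from any XMPP implementation, and the names StreamState, RedirectPolicy and follow_chain are this example's own.

```python
"""Policy for handling XMPP <see-other-host/> redirects as quoted from RFC 6120.

Added illustration, not code from the mailing-list thread or any XMPP library.
Names (StreamState, RedirectPolicy, follow_chain) are this example's own.
"""
from dataclasses import dataclass, field

# The RFC suggests aborting after "at least 2 but no more than 5" redirects.
MAX_REDIRECTS = 3


class RedirectRefused(Exception):
    """Raised when a <see-other-host/> must not be followed."""


@dataclass
class StreamState:
    host: str
    secured: bool = False        # TLS or an equivalent layer (e.g. SASL GSSAPI) is up
    authenticated: bool = False  # the peer's identity has been verified
    redirects: list = field(default_factory=list)  # hosts already left via redirect


def may_send_see_other_host(state: StreamState) -> bool:
    """Server side, rule (a): only redirect once the stream is protected."""
    return state.secured


@dataclass
class RedirectPolicy:
    require_authenticated: bool = False  # rule (b): a MAY in the RFC, so optional here
    max_redirects: int = MAX_REDIRECTS

    def follow(self, state: StreamState, target: str) -> StreamState:
        """Return the state for a new connection to ``target`` or refuse the redirect."""
        if not state.secured:
            raise RedirectRefused("redirect received on unprotected stream")
        if self.require_authenticated and not state.authenticated:
            raise RedirectRefused("redirect from unauthenticated peer")
        if len(state.redirects) >= self.max_redirects:
            raise RedirectRefused("too many successive redirects")
        if target == state.host or target in state.redirects:
            raise RedirectRefused("redirect loop")
        # The new connection starts unprotected; the caller must secure it again.
        return StreamState(host=target, redirects=state.redirects + [state.host])


def follow_chain(policy: RedirectPolicy, start: StreamState, targets,
                 secure_each_hop: bool = True):
    """Walk a sequence of redirect targets.

    Returns (hosts visited in order, refusal reason or None). ``secure_each_hop``
    models whether the client negotiates TLS on every new connection before it
    would accept a further redirect; authentication status is carried over from
    ``start`` for simplicity.
    """
    state = start
    visited = [start.host]
    for target in targets:
        try:
            state = policy.follow(state, target)
        except RedirectRefused as exc:
            return visited, str(exc)
        visited.append(state.host)
        state.secured = secure_each_hop
        state.authenticated = start.authenticated
    return visited, None


if __name__ == "__main__":
    policy = RedirectPolicy()
    print(follow_chain(policy, StreamState("a.example", secured=True), ["b.example", "c.example"]))
    print(follow_chain(policy, StreamState("a.example"), ["b.example"]))
```

Run as a script it prints the hosts visited and the reason a chain was cut short; the constructed host names are placeholders. The loop check is not in the quoted text but falls out of the redirect counter: a loop would otherwise be stopped only when the counter runs out.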