I'm good with that.

On 23 Apr 2013 13:10, "Philipp Hancke" <[email protected]> wrote:
> On 08.04.2013 18:45, Philipp Hancke wrote:
>> On 19.03.2013 02:49, Kim Alvefur wrote:
>>>> 4. Do you have any security concerns related to this specification?
>>>
>>> The elevation of any method of domain spoofing to also include possible
>>> interception of outgoing stanzas. Mistakes by, or compromise of a CA,
>>> faulty certificate validation etc might make it possible to do a MITM
>>> without needing to do anything DNS related.
>>>
> [...]
>
> Does the following paragraph address this? "compromised" is vague on
> purpose, thanks Dave.
>
> Note that bidirectionality may broaden the impact of an attack that allows
> spoofing of XMPP stanzas (such as the "unsolicited server dialback" attack
> described in XEP-0220 or the usage of compromised certificates) by
> delivering stanzas to the wrong target.
>
> Patch attached, thanks zash.
>
