Thu, 08 Mar 2018 08:51:26 +0100 Jonas Wielicki <jo...@wielicki.name> wrote:
> How many XMPP clients have you seen which were owned by Billion
> Laughs (which uses entities which are explicitly forbidden in RFC6120
> and trivial to turn off in all XML parsers I’ve seen so far) compared
> to the amount of XMPP clients Sam has found which were vulnerable to
> XHTML-IM XSS attacks? I think the comparison might not hold up, but
> I’m open for data. (Likewise for any other XML vulnerability.)

I don't know, I didn't count and I'm not going to count them for you.
Kids these days might not remember, but Billion Laughs was a pretty
serious vulnerability, despite being well known, with several
implementations affected. So new XMPP implementations might just as
easily be vulnerable.

> Also, XML vulnerabilities are both well-known and easy to test
> against (in the sense: it is easy to write an automated test which
> ensures that code is not vulnerable).

And where are those tests?

> I don’t think that’s so trivial with XSS attacks. During the
> XHTML-IM debate I learnt that even CSS can be an XSS vector (in some
> really broken implementations

Sure, and were there debates of possible XML security holes? So the
comparison is not quite fair. Not to mention that it's a logical
fallacy to speculate about possible vulnerabilities: one can say
everything might have security issues.

> In contrast to XML, XHTML-IM is a custom thing which needs to be
> re-implemented in ~every client. Well-known XML libraries exist for
> most languages (even if they only FFI to libxml2 or libexpat).

Well-known XML libraries didn't protect from the Billion Laughs attack.
Not sure what this argument is for.

TL;DR: I conclude that the only argument is that XML is a bit more
secure (with possibly fewer possible holes, lol). So, as I thought,
this is purely a matter of personal choice and not a technical
decision, that's why we debated about it so much.
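An added example, not from this thread or from any XMPP project, of the kind of automated check the quoted message says is easy to write: a Python expat parser that refuses the DOCTYPE and entity declarations RFC 6120 forbids in XMPP streams, exercised on a constructed benign stanza and a constructed entity-bearing one. The function names (`make_strict_parser`, `parse_stanza`, `is_rejected`) and the sample stanzas are assumptions of this example.

```python
import xml.parsers.expat as expat


class ForbiddenXmlConstruct(ValueError):
    """Input contains a DTD or entity declaration, which RFC 6120 forbids."""


def make_strict_parser():
    """Build an expat parser that aborts as soon as a DOCTYPE or an entity
    declaration appears, i.e. before any entity can be expanded."""
    parser = expat.ParserCreate()
    seen = []  # element names in document order, filled by the handler

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXmlConstruct(f"DOCTYPE declaration for {name!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXmlConstruct(f"entity declaration {name!r}")

    def on_start(name, attrs):
        seen.append(name)

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    return parser, seen


def parse_stanza(data: bytes) -> str:
    """Parse one stanza with the strict parser and return its root element
    name. Raises ForbiddenXmlConstruct for DTD/entity constructs and
    expat.ExpatError for malformed XML."""
    parser, seen = make_strict_parser()
    parser.Parse(data, True)
    return seen[0]


def is_rejected(data: bytes) -> bool:
    """The automated test: True when the parser refuses the input."""
    try:
        parse_stanza(data)
    except ForbiddenXmlConstruct:
        return True
    return False


# Constructed sample inputs (hypothetical, not taken from any real traffic).
OK_STANZA = b'<message to="a@example.org"><body>hi</body></message>'
ENTITY_STANZA = (b'<!DOCTYPE stream [<!ENTITY lol "lol">]>'
                 b'<message><body>&lol;</body></message>')

if __name__ == "__main__":
    print("benign stanza root:", parse_stanza(OK_STANZA))
    print("entity stanza rejected:", is_rejected(ENTITY_STANZA))
```

Dropping a whole stanza on the first forbidden declaration is the cheap defence; the amplification limits newer libexpat builds apply are a second layer, not a replacement for refusing DTDs outright.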
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org