On Sat, Oct 22, 2022 at 11:28:26PM +0200, Thilo Molitor wrote:
> That does not come without a cost, though: attackers could use this information to determine which accounts are present on the server and maybe even fingerprint which software might be used. Because of this, we suggest multiple counter-measures in the Security Considerations of SASL2: https://dyn.eightysoft.de/final/xep-0388.html#security Namely randomizing the provided mechanisms for non-existent accounts and rate-limiting.
I don't believe randomizing mechanisms helps. An attacker can simply connect multiple times and check if things vary or stay the same. And given that attackers have unlimited IP addresses via proxies or compromised machines, I don't think rate limiting helps much either.

On the other hand, I'm not sure anyone cares enough to really do this kind of thing, there are probably much easier ways to check if an account exists.

I would likely just pick one "common" set of mechanisms to offer for unknown accounts, or seed the randomization with something relatively stable.

-- 
Regards,
Kim "Zash" Alvefur

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
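The two options Zash contrasts, per-connection randomization versus a stable seeded choice, and the repeat-connection probe that distinguishes them, as an added Python example. This is not code from the thread, XEP-0388, or any XMPP server; the account table, the candidate mechanism lists, the server secret and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of existing accounts and the SASL mechanisms their
# stored credentials support (hypothetical data, not from a real server).
ACCOUNTS = {
    "alice@example.org": ["SCRAM-SHA-256", "SCRAM-SHA-1"],
    "bob@example.org": ["SCRAM-SHA-1"],
}

# Mechanism lists that real accounts on this server could plausibly get.
# Decoys for unknown accounts must be drawn from these, otherwise the
# decoy itself is the fingerprint.
DECOY_SETS = [
    ["SCRAM-SHA-256", "SCRAM-SHA-1"],
    ["SCRAM-SHA-1"],
    ["SCRAM-SHA-256"],
]

# Hypothetical long-lived per-server secret (would be stored in config).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def normalize_jid(jid: str) -> str:
    """Minimal case-folding stand-in for proper JID normalization.

    A real server must apply the same normalization it uses for account
    lookup, otherwise 'Alice@' and 'alice@' get different decoys and the
    difference in behaviour leaks which spelling is a real account.
    """
    local, _, domain = jid.partition("@")
    return f"{local.lower()}@{domain.lower()}"


def mechanisms_naive_random(jid: str) -> list[str]:
    """Per-connection random decoy: the scheme Zash argues is detectable."""
    jid = normalize_jid(jid)
    if jid in ACCOUNTS:
        return ACCOUNTS[jid]
    return secrets.choice(DECOY_SETS)


def mechanisms_seeded(jid: str, server_secret: bytes = SERVER_SECRET) -> list[str]:
    """Decoy chosen by HMAC(secret, jid): stable across connections.

    Keyed with a server secret so an attacker cannot precompute which decoy a
    given JID would receive and compare it against the live answer.
    """
    jid = normalize_jid(jid)
    if jid in ACCOUNTS:
        return ACCOUNTS[jid]
    digest = hmac.new(server_secret, jid.encode("utf-8"), hashlib.sha256).digest()
    index = int.from_bytes(digest[:8], "big") % len(DECOY_SETS)
    return DECOY_SETS[index]


def offer_varies(offer, jid: str, attempts: int = 32) -> bool:
    """The enumeration probe from the reply: reconnect repeatedly and report
    whether the advertised mechanism list ever changes for this JID."""
    seen = {tuple(offer(jid)) for _ in range(attempts)}
    return len(seen) > 1


if __name__ == "__main__":
    for name, offer in (("naive random", mechanisms_naive_random),
                        ("seeded", mechanisms_seeded)):
        print(f"{name:13s} real account varies: {offer_varies(offer, 'alice@example.org')}")
        print(f"{name:13s} unknown account varies: {offer_varies(offer, 'nobody@example.org')}")
```

With the naive scheme the unknown account's list changes between connections while a real account's never does, which is exactly the signal the probe looks for; with the seeded scheme both stay fixed. Two caveats the code makes visible: the decoy must be drawn from lists real accounts actually receive (if every real user has SCRAM-SHA-256, a SCRAM-SHA-1-only decoy still gives the account away), and rotating the server secret changes every decoy at once, which an attacker who recorded offers before and after the rotation can use to separate real accounts from decoys.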
