Re: [xmpp] IQ Handling vulnerabilities

Dave Cridland <dave@cridland.net> Mon, 10 February 2014 20:56 UTC

Date: Mon, 10 Feb 2014 20:56:28 +0000
Message-ID: <CAKHUCzwFxx-xOzVyYFzGdf_MBrgaWOAdWUQq2O3X3ADNCqivcQ@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
To: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
Cc: Ben Campbell <ben@nostrum.com>, XMPP Working Group <xmpp@ietf.org>
Subject: Re: [xmpp] IQ Handling vulnerabilities

On Mon, Feb 10, 2014 at 8:22 PM, Dave Cridland <dave@cridland.net> wrote:

> The advantage here isn't really in the <iq/> case we've been mostly
> discussing, but the other cases of a returned id - since we don't want to
> track outbound directed presence, or message, ids for an arbitrary length
> of time. (I assume).
>
>
Just to summarize a chat I had with Joe on this; neither of us can
immediately think of any attack based on bounced presence or message, but
no doubt Thijs will ruin my complacency. There's no need, even if such an
attack exists, to actually mandate a particular format or generation
strategy, of course - there's no interop need here - but a recommendation
along the lines of XEP-0185 might be useful.

Dave.
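
One way to read "along the lines of XEP-0185" for stanza ids, as an added example that is not part of the original message or of any XMPP specification: the sender derives each id from an HMAC over the addressing, so a returned id can be checked without tracking outbound ids. The id layout, function names, secret and JIDs below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: one per-server secret, hashed once before use as the HMAC key,
# in the way XEP-0185 treats its dialback secret. Constructed value.
SERVER_SECRET = hashlib.sha256(b"constructed-example-secret").digest()
TAG_LEN = 32  # hex characters of the HMAC-SHA256 tag kept in the id (128 bits)


def _tag(sender: str, recipient: str, nonce: str) -> str:
    # NUL cannot appear in XML or in a JID, so it is an unambiguous separator
    # (a space would not be: resourceparts may contain spaces).
    msg = "\0".join((recipient, sender, nonce)).encode("utf-8")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def make_id(sender: str, recipient: str) -> str:
    """Build an id for an outbound stanza; nothing is stored per stanza."""
    nonce = secrets.token_hex(8)  # keeps ids unique for the same JID pair
    return f"{nonce}-{_tag(sender, recipient, nonce)}"


def is_own_id(stanza_id: str, sender: str, recipient: str) -> bool:
    """Check the id on a returned stanza.

    For a bounce, `sender` is the 'to' of the returned stanza and
    `recipient` is its 'from', i.e. the original direction.
    """
    nonce, sep, tag = stanza_id.partition("-")
    if not sep or not nonce:
        return False
    expected = _tag(sender, recipient, nonce)
    # Compare as bytes: compare_digest rejects non-ASCII str, and the id on
    # an inbound stanza is attacker-controlled.
    return hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    sid = make_id("juliet@example.com/balcony", "romeo@example.net")
    print(sid, is_own_id(sid, "juliet@example.com/balcony", "romeo@example.net"))
```
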