Re: [xmpp] IQ Handling vulnerabilities

Dave Cridland <dave@cridland.net> Mon, 10 February 2014 20:56 UTC

Return-Path: <dave@cridland.net>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85D231A0869 for <xmpp@ietfa.amsl.com>; Mon, 10 Feb 2014 12:56:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CF_eOZPwZFoV for <xmpp@ietfa.amsl.com>; Mon, 10 Feb 2014 12:56:29 -0800 (PST)
Received: from mail-ob0-x233.google.com (mail-ob0-x233.google.com [IPv6:2607:f8b0:4003:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id CE6531A0836 for <xmpp@ietf.org>; Mon, 10 Feb 2014 12:56:28 -0800 (PST)
Received: by mail-ob0-f179.google.com with SMTP id wo20so7814178obc.24 for <xmpp@ietf.org>; Mon, 10 Feb 2014 12:56:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=xVZuyJbOLeRb0xL7U2K2zJlPNIAEHHVFUpwbaAiW5pM=; b=jG67kLIpqMprxRmemRg9gtN1c3xsuRCJ5WPUaflissAhPhiy4Xx39bP6dzCnQu2uv4 nkDzYZ8BEdmudZdsFxV2hmHGlWs+sGsV5X/XDRlgqg+zhuNLFpBdn1RtaDg4HwCEUlGR mESs7jmocEiX+/j7LlPUsfIdoXr6fS0DcIhNo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=xVZuyJbOLeRb0xL7U2K2zJlPNIAEHHVFUpwbaAiW5pM=; b=G73aFSjTfLsnTe51bP2R0R5DuUDl1znkGEkFm9Ot6KohnA6e9B1DECTswd/3Rn+z8q 1hzVGyXxeEXo3pu7HxAYub5Fb9RKHieVNA0H2D7Lh2gRP1vtfJCqtI/paPbMzBku4/B1 lC7yT9ULF3ZDvJkqsRRHlcmO739A6/FSltdvkAIuSxcK/BlvqAvCzU5VXASrInHY292n DvCxI5QMDj8IyIUV6x/Ve9C9TWv4ygqJeEjq9ZSN+B/ksVeJUqbR7YCWFjCtpY0DbniD bjWDxUluQIva8sG1EMjeBEeOo0wxHPnPESC5nWO+oGm3TnePBUwo71Pmzv+blp5uvhiA qbVA==
X-Gm-Message-State: ALoCoQnGzT30AJE99qTKqWAQSiKL++RA1Yf16fDwqFFqdZbDXvtFICSld7X1/KT4VAOvn4C7bDWd
MIME-Version: 1.0
X-Received: by 10.182.232.4 with SMTP id tk4mr29255679obc.9.1392065788278; Mon, 10 Feb 2014 12:56:28 -0800 (PST)
Received: by 10.60.55.138 with HTTP; Mon, 10 Feb 2014 12:56:28 -0800 (PST)
In-Reply-To: <CAKHUCzzv0Eeh6mnohci4apsAMsajHHJ7oszikeLQZtpkPQiucw@mail.gmail.com>
References: <CAOb_FnxS-dMT85N7LHj5M9JWk3pL85=ugrDqaT7j5d28HBr0Cw@mail.gmail.com> <CF194491.38AD3%jhildebr@cisco.com> <2F5E925F-021D-408E-91D9-3CC5BEB6BEC6@nostrum.com> <48F4D361-4403-47E6-862D-FBDDDEBCC642@xnyhps.nl> <CF1A369C.38BE2%jhildebr@cisco.com> <CAKHUCzyCwKbmnUoXLHW=XzYbiFrcg-dQsDojGUnA-_r3qK+_Vg@mail.gmail.com> <CF1A4928-54B5-4A95-9A4B-0EC572A3CDBD@cisco.com> <CF1E56C5.38F45%jhildebr@cisco.com> <1078DA63-EB0B-4724-A4DA-BA1B5C4FE4EC@xnyhps.nl> <CF1E771D.38FA7%jhildebr@cisco.com> <CAKHUCzzv0Eeh6mnohci4apsAMsajHHJ7oszikeLQZtpkPQiucw@mail.gmail.com>
Date: Mon, 10 Feb 2014 20:56:28 +0000
Message-ID: <CAKHUCzwFxx-xOzVyYFzGdf_MBrgaWOAdWUQq2O3X3ADNCqivcQ@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
To: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
Content-Type: multipart/alternative; boundary=f46d0445178fd11acf04f2139263
Cc: Ben Campbell <ben@nostrum.com>, XMPP Working Group <xmpp@ietf.org>
Subject: Re: [xmpp] IQ Handling vulnerabilities
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 20:56:30 -0000

On Mon, Feb 10, 2014 at 8:22 PM, Dave Cridland <dave@cridland.net> wrote:

> The advantage here isn't really in the <iq/> case we've been mostly
> discussing, but the other cases of a returned id - since we don't want to
> track outbound directed presence, or message, ids for an arbitrary length
> of time. (I assume).
>
>
Just to summarize a chat I had with Joe on this; neither of us can
immediately think of any attack based on bounced presence or message, but
no doubt Thijs will ruin my complacency. There's no need, even if such an
attack exists, to actually mandate a particular format or generation
strategy, of course - there's no interop need here - but a recommendation
along the lines of XEP-0185 might be useful.

Dave.