On 22/10/2010 04:05, Kurt Zeilenga wrote:
> So my previous suggestion was subject to a limited replay attack. In
> particular, someone who was able to hijack the C2S, S2S, or the intermediate
> server could do a replay. Here's another suggestion that eliminates this
> replay attack and doesn't require any additional round trips.
Doesn't the idea of having a shared secret between users invalidate all
technical security measures?

Traffic can be intercepted, replayed and whatever... but sharing a
secret between users as a way to access a common resource without a
per-user audit trail seems like something that should never fly in the
first place. Especially not in 2010.

If your MUC's content is really so sekrit, use permissions on JIDs, not
a shared secret. Shared secrets should really just be deprecated IMHO.
S.
--
Simon Tennant
mobile: +49 17 8545 0880
office: +44 20 7043 6756
office: +49 89 4209 55854
channel:http://buddycloud.com/user/buddycloud.com/simon
xmpp:[email protected]
mailto:[email protected]
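As an added illustration of the per-JID versus shared-secret point made in the message above (example code, not part of the original thread or of any XMPP server): a toy MUC authorization check that admits joiners either from a per-JID affiliation list or from a shared room password, records an audit entry for every decision, and shows what revoking one user costs under each model. The room names, JIDs and secret are constructed.

```python
"""Added example, not part of the original thread: a toy XMPP MUC
authorization check comparing a per-JID member list with a shared room
password.  The room names, JIDs and secret below are constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Optional


def bare_jid(jid: str) -> str:
    """Strip the resource: 'alice@example.org/laptop' -> 'alice@example.org'."""
    return jid.split("/", 1)[0]


@dataclass
class Room:
    name: str
    # Per-user policy: bare JID -> affiliation (owner, admin or member).
    affiliations: dict = field(default_factory=dict)
    # Legacy shared secret; None means the room is not password protected.
    password: Optional[str] = None
    audit: list = field(default_factory=list)

    def _record(self, who: str, method: str, allowed: bool, **extra) -> None:
        self.audit.append({"room": self.name, "jid": who, "method": method,
                           "allowed": allowed, **extra})

    def join_by_affiliation(self, full_jid: str) -> bool:
        """Admit only JIDs holding an affiliation; log who was admitted or denied."""
        who = bare_jid(full_jid)
        aff = self.affiliations.get(who)
        self._record(who, "affiliation", aff is not None, affiliation=aff)
        return aff is not None

    def join_by_password(self, full_jid: str, supplied: str) -> bool:
        """Admit whoever presents the room secret (constant-time compare).
        The decision depends on possession of the secret, not on the JID."""
        who = bare_jid(full_jid)
        allowed = self.password is not None and hmac.compare_digest(
            self.password.encode(), supplied.encode())
        self._record(who, "password", allowed)
        return allowed

    def revoke_member(self, jid: str) -> None:
        """Revocation under per-JID policy: drop one entry; nobody else is affected."""
        self.affiliations.pop(bare_jid(jid), None)

    def rotate_password(self, new_secret: str) -> None:
        """Revocation under a shared secret: the new secret must then be
        redistributed to every remaining member."""
        self.password = new_secret


def demo() -> dict:
    """Walk both room types through a leaked secret and return the audit trails."""
    members = {"alice@example.org": "owner", "bob@example.org": "member"}
    acl_room = Room("acl@conference.example.org", affiliations=dict(members))
    pw_room = Room("pw@conference.example.org", password="hunter2")

    # A legitimate member joins both rooms.
    acl_room.join_by_affiliation("bob@example.org/phone")
    pw_room.join_by_password("bob@example.org/phone", "hunter2")

    # An outsider who has learned the shared secret (constructed scenario):
    # the affiliation room denies and logs the denial; the password room
    # admits them with an audit entry indistinguishable from a member's.
    acl_room.join_by_affiliation("mallory@example.net/x")
    pw_room.join_by_password("mallory@example.net/x", "hunter2")

    # The owner revokes Bob: one list entry versus a secret everyone must relearn.
    acl_room.revoke_member("bob@example.org")
    pw_room.rotate_password("correct-horse")
    acl_room.join_by_affiliation("bob@example.org/phone")
    pw_room.join_by_password("bob@example.org/phone", "hunter2")  # old secret

    return {"acl": acl_room.audit, "password": pw_room.audit}


if __name__ == "__main__":
    for method, trail in demo().items():
        for entry in trail:
            print(method, entry)
```

The audit trail of the affiliation room names exactly which JID was granted or refused and why, and revoking a member changes one entry; the password room's trail shows the outsider admitted on the same footing as a member, and the only way to lock one person out is to rotate the secret for everyone.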
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________