On Fri, Oct 22, 2010 at 3:29 AM, Simon Tennant (buddycloud) <[email protected]> wrote: > On 22/10/2010 04:05, Kurt Zeilenga wrote: >> >> So my previous suggestion was subject to a limited replay attack. In >> particular, someone who was able to hijack the C2S, S2S, or the intermediate >> server could do a replay. Here's another suggestion that eliminates this >> replay attack and doesn't require any additional roadtrips. > > Doesn't the idea of having a shared secret between users invalidate all > technical security measures? >
Yes. I don't see anything about password protected room that requires the password to be shared. I've looked over "Password-Protected Rooms" section [1] and it doesn't say that you cant have identity specific passwords for each registered member. I realize that isn't what is probably expected or implemented in current servers but it wouldn't be that hard to configure and enforce. I my case, I think I would require the room to have specific passwords for each member. I'm already off in a corner where I'm going to put specific requirements on the server's implementation to ensure some level of trust in the room traffic. [1] http://xmpp.org/extensions/xep-0045.html#enter-pw -- --Alex Milowski "The excellence of grammar as a guide is proportional to the paucity of the inflexions, i.e. to the degree of analysis effected by the language considered." Bertrand Russell in a footnote of Principles of Mathematics _______________________________________________ JDev mailing list Forum: http://www.jabberforum.org/forumdisplay.php?f=20 Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
