Andrew Plotkin wrote:
> On Mon, 13 Oct 2008, Peter Saint-Andre wrote:
>
>>> c) Attacker knows full jid, and can determine if it is online.
>>>
>>> In principle, this is the simplest case. Aside from the above <message/>
>>> attack - messages to offline full jids are processed just like those to
>>> bare jids - there is also the <iq/> case - send an <iq/> and you will
>>> receive either a result (user online), or an error, and by sending the
>>> same <iq/> to the server, one might distinguish between online and
>>> offline.
>>
>> There are two possible branches here:
>>
>> 1. Does the attacker receive different responses (e.g., a completely
>> different error condition)?
>>
>> 2. Can the attacker differentiate between the same response from the
>> server and from the client (e.g., the client includes an old 'code'
>> attribute but the server does not)?
>
> Or the round-trip time for a server-generated error is shorter than that
> for a client-generated error. (Or a client error rewritten by the server.)
>
> Between timing attacks and low-level formatting details (whitespace,
> order of attributes), getting a server to imitate a client is a scary
> minefield.
Agreed. I don't know that I think the timing attack is all that likely
(given normal network latency etc.), but I do agree that jumping through
these hoops for the rather picayune purpose of preventing presence leaks
is overkill.

Peter

--
Peter Saint-Andre
https://stpeter.im/
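The <iq/> probe and the comparison steps the thread walks through (result vs. error, differing error condition, the legacy 'code' attribute, raw markup details, and round-trip time), written out as an oracle in Python. This is an added example, not code from the thread or from any XMPP server or client. The stanzas, JIDs and round-trip times are constructed samples; the choice of baseline (the same probe sent where the server itself must answer, here a resource that is known not to be connected) and the 50 ms timing margin are assumptions.

```python
"""Presence-leak oracle for XMPP <iq/> probes (added example, not from the thread).

The attacker sends the same <iq type='get'/> to the target's full JID and,
as a baseline, to a destination the server itself is known to answer.  The
two replies are then compared the way the thread describes:
  1. a 'result' can only have come from a connected client;
  2. an 'error' whose condition, legacy 'code' attribute or raw <error/>
     markup differs from the server's own error was produced by (or passed
     through from) a client;
  3. failing all that, a noticeably longer round-trip hints at a client error.
All stanzas, JIDs and timings below are constructed samples, not captures.
"""
import re
import xml.etree.ElementTree as ET

STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# --- constructed sample replies (hypothetical JIDs) -------------------------

# An online client answering a jabber:iq:version probe.
CLIENT_RESULT = (
    "<iq type='result' id='p1' from='juliet@example.com/balcony' to='romeo@example.net/orchard'>"
    "<query xmlns='jabber:iq:version'><name>ExampleClient</name><version>1.0</version></query></iq>"
)

# An online client refusing the probe; older clients also emit the legacy 'code' attribute.
CLIENT_ERROR = (
    "<iq type='error' id='p1' from='juliet@example.com/balcony' to='romeo@example.net/orchard'>"
    "<error type='cancel' code='503'>"
    "<service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq>"
)

# A client error the server passed through unchanged: same condition, no 'code',
# but the client's own serialization (double quotes) instead of the server's.
CLIENT_ERROR_PASSTHROUGH = (
    "<iq type='error' id='p1' from='juliet@example.com/balcony' to='romeo@example.net/orchard'>"
    '<error type="cancel"><service-unavailable xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/></error></iq>'
)

# The server answering for an offline resource, in its own serialization.
SERVER_ERROR_FOR_FULL_JID = (
    "<iq type='error' id='p1' from='juliet@example.com/balcony' to='romeo@example.net/orchard'>"
    "<error type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq>"
)

# Baseline (assumption): the same probe to a resource that cannot be connected,
# so the reply is guaranteed to be the server's own error.
SERVER_BASELINE = (
    "<iq type='error' id='p2' from='juliet@example.com/nonesuch' to='romeo@example.net/orchard'>"
    "<error type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq>"
)

_ERROR_RE = re.compile(r"<error\b.*?</error>", re.S)


def error_fingerprint(stanza_xml):
    """Return (iq type, error condition, has legacy 'code', raw <error/> markup)."""
    iq = ET.fromstring(stanza_xml)
    iq_type = iq.get("type")
    err = iq.find("error")
    if err is None:  # captures may carry the jabber:client default namespace
        err = iq.find("{jabber:client}error")
    if err is None:
        return (iq_type, None, False, None)
    condition = None
    for child in err:  # the defined condition is the non-<text/> child in the stanzas namespace
        ns, _, local = child.tag.rpartition("}")
        if ns == "{" + STANZAS_NS and local != "text":
            condition = local
    match = _ERROR_RE.search(stanza_xml)  # raw bytes keep whitespace/quoting/attribute order
    raw = match.group(0) if match else None
    return (iq_type, condition, err.get("code") is not None, raw)


def classify(full_jid_reply, baseline_reply, rtt_full=None, rtt_baseline=None, rtt_margin=0.050):
    """Oracle verdict ('online', 'probably-online' or 'unknown') plus the signal that decided it.

    rtt_* are round-trip times in seconds; rtt_margin (50 ms) is an assumed threshold.
    """
    typ, cond, legacy, raw = error_fingerprint(full_jid_reply)
    _, bcond, blegacy, braw = error_fingerprint(baseline_reply)
    if typ == "result":
        return ("online", "client answered the query")
    if cond != bcond:
        return ("online", "error condition differs from the server's own (%s vs %s)" % (cond, bcond))
    if legacy != blegacy:
        return ("online", "legacy 'code' attribute present in only one reply")
    if raw != braw:
        return ("online", "<error/> markup differs from the server's (whitespace, quoting or attribute order)")
    if rtt_full is not None and rtt_baseline is not None and rtt_full - rtt_baseline > rtt_margin:
        return ("probably-online", "error arrived %.0f ms later than the server's own" % (1000 * (rtt_full - rtt_baseline)))
    return ("unknown", "reply is byte-identical to the server's own error")


if __name__ == "__main__":
    for name, reply in [("result", CLIENT_RESULT), ("client error", CLIENT_ERROR),
                        ("passthrough", CLIENT_ERROR_PASSTHROUGH), ("server error", SERVER_ERROR_FOR_FULL_JID)]:
        print("%-13s -> %s: %s" % (name, *classify(reply, SERVER_BASELINE)))
    # Constructed timings: 80 ms for the full-JID reply vs 20 ms for the baseline.
    print("timing        -> %s: %s" % classify(SERVER_ERROR_FOR_FULL_JID, SERVER_BASELINE, 0.080, 0.020))
```

The last branch is the one the thread argues about: once the server's error is byte-for-byte identical to what it would send for an offline resource, the only remaining signal is timing, and under normal network jitter that signal is weak, which is the basis for calling the full set of countermeasures overkill.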