On 13-Aug-2009, at 21:06, Peter Saint-Andre wrote:
On 8/13/09 6:45 PM, Andy Skelton wrote:

XEP-0175 1.2rc1, which states:

"After a client authenticates using the SASL ANONYMOUS mechanism, it
MUST bind a resource; the server SHOULD ignore the resource identifier
provided by the client (if any) and instead assign a resource
identifier that it generates on behalf of the client."

Why shouldn't the server bind the resource provided by the client?

The idea (perhaps questionable) is that many or most XMPP servers assign
all anonymous users to an account like someu...@example.com or perhaps
literally anonym...@example.com. A repeat user could then use the same
full JID over and over, like someu...@example.com/anotherUUID, to
essentially emulate a registered account. Another possible annoyance
would be to repeatedly use obnoxious resource identifiers (remember,
these are anonymous, unknown users) for spamming or personal attacks, like:

someu...@example.com/This Is The Medicine You Need!

or

someu...@example.com/stpeter-is-an-idiot

Whether any of these attack vectors are worrisome is another matter.

I tend not to think so. In the case where a bare JID is reused (e.g., "anonym...@example.com") then it's acceptable to generate a resource (thus, the SHOULD should become a MAY in the XEP), and it comes down to a particular server implementation and how it generates bare JIDs. In the case where the bare JID is truly unique to any given stream then there's no reason to generate a resource.

Mostly resources are hidden from the client, and where available you always (or should always) get the bare JID associated. Coupled with the existing recommendations in the XEP (+ stringprep) I see no avenues for spam/attack other than those that already exist anyway in the protocol. Perhaps someone can enlighten me?

The only potential downside I see is that by using a well-known resource you leak information to others which may allow them to attack you, but the reverse doesn't seem possible.

-bjc
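As an added illustration of the binding behaviour the thread is arguing about (this is example code written for this page, not code from XEP-0175, the list posters, or any XMPP server), the sketch below models a server's resource-binding step. For a SASL ANONYMOUS stream it discards whatever resource the client asked for and assigns a server-generated UUID, so neither a stable full JID nor an abusive resourcepart can be chosen by an unknown user; for a registered account it honours the request after a basic validity and uniqueness check. The names `Session`, `ResourceBinder`, `is_valid_resource` and `is_server_generated` are assumptions made for this example.

```python
import uuid
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Upper bound on a JID resourcepart, in bytes (RFC 6122, section 2.1).
MAX_RESOURCE_BYTES = 1023


@dataclass
class Session:
    """Minimal model of an authenticated XMPP stream (constructed for this example)."""
    bare_jid: str      # e.g. "anonymous@example.com" for SASL ANONYMOUS streams
    anonymous: bool    # True if the stream authenticated with SASL ANONYMOUS
    resource: Optional[str] = None


def is_valid_resource(resource: str) -> bool:
    """Conservative validity check for a client-supplied resourcepart.

    Resourceprep (RFC 6122) prohibits more than this; here we only reject
    empty strings, over-long strings and control characters.
    """
    if not resource or len(resource.encode("utf-8")) > MAX_RESOURCE_BYTES:
        return False
    return all(ch.isprintable() for ch in resource)


def is_server_generated(resource: str) -> bool:
    """True if the resource has the hyphenated UUID form this binder generates."""
    try:
        return str(uuid.UUID(resource)) == resource
    except ValueError:
        return False


class ResourceBinder:
    """Assigns resourceparts during resource binding (hypothetical server component)."""

    def __init__(self) -> None:
        # (bare JID, resource) pairs currently bound; keeps full JIDs unique.
        self._bound: Set[Tuple[str, str]] = set()

    def _fresh_resource(self, bare_jid: str) -> str:
        # uuid4 carries 122 random bits, so a clash is practically impossible;
        # the loop just keeps the uniqueness invariant explicit.
        while True:
            resource = str(uuid.uuid4())
            if (bare_jid, resource) not in self._bound:
                return resource

    def bind(self, session: Session, requested: Optional[str]) -> str:
        if session.anonymous or requested is None:
            # XEP-0175: ignore whatever an anonymous client asked for and
            # assign a resource generated on its behalf.
            resource = self._fresh_resource(session.bare_jid)
        elif not is_valid_resource(requested):
            raise ValueError("bad-request: invalid resourcepart")
        elif (session.bare_jid, requested) in self._bound:
            # RFC 6120 also allows overriding or evicting the old session;
            # this example simply refuses the second bind.
            raise ValueError("conflict: resource already bound")
        else:
            resource = requested
        self._bound.add((session.bare_jid, resource))
        session.resource = resource
        return resource

    def unbind(self, session: Session) -> None:
        """Release the full JID when the stream closes."""
        if session.resource is not None:
            self._bound.discard((session.bare_jid, session.resource))
            session.resource = None


if __name__ == "__main__":
    binder = ResourceBinder()
    anon = Session("anonymous@example.com", anonymous=True)
    print("anonymous bound as:", binder.bind(anon, "This Is The Medicine You Need!"))
    user = Session("juliet@example.com", anonymous=False)
    print("registered bound as:", binder.bind(user, "balcony"))
```

Note that the server-generated resource is random per stream, so two successive anonymous sessions from the same client never share a full JID; this is exactly the property that the SHOULD in XEP-0175 buys, and the property the thread questions the value of when each anonymous stream already gets a unique bare JID.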
