On 3/5/18 12:17 AM, Jonas Wielicki wrote:
> On Sunday, 4 March 2018 19:42:39 CET Peter Saint-Andre wrote:
>> On 3/4/18 10:54 AM, Jonas Wielicki wrote:
>>> On Sunday, 4 March 2018 17:02:07 CET Peter Saint-Andre wrote:
>>>> If we want to specify this, I would recommend the UsernameCaseMapped
>>>> profile defined in RFC 8265.
>>>>
>>>> However, there's a twist: if a node ID can be a full JID, then do we
>>>> want to apply the normal rules of RFC 7622 to all the JID parts, instead
>>>> of one uniform profile such as UsernameCaseMapped to the entire node ID?
>>>> For instance, the resourcepart of a JID is allowed to contain a much
>>>> wider range of Unicode characters than is allowed by the
>>>> UsernameCaseMapped profile of the PRECIS IdentifierClass (which we use
>>>> for the localpart).
>>>>
>>>> Given that a node ID can be used for authorization decisions, I think
>>>> it's better to be conservative in what we accept (specifically, not
>>>> allow the wider range of characters in a resourcepart because
>>>> developers, and attackers, could get too "creative").
>>>
>>> I would argue that adding those restrictions / any kind of string prepping
>>> to XEP-0060 or XEP-0030 nodes is (a) too late and (b) ambiguous at least,
>>> as you mentioned (depending on the data).
>>
>> I would argue that not specifying normalization rules is a security hole
>> (e.g., allowing an attacker to gain unauthorized access to a node). Just
>> because we should've done this years ago doesn't mean we can fix it now.
>
> Hm, okay, I don't seem to understand the attack vector. Could you spell it
> out more clearly to me?
Here's a true, non-XMPP example: I have the account stpe...@gmail.com. However, Google ignores "." in the localpart. Therefore I receive some email messages intended for st.pe...@gmail.com. I could probably reset passwords (via email-based authentication) and take over other accounts associated with st.pe...@gmail.com.

Similarly, let's say you create a node "foo2" at pubsub.example.com. If I know that this service decomposes superscript characters to their compatibility equivalents, I could create a node "foo²" (the last character is U+00B2 = SUPERSCRIPT TWO) and the service would consider it to be the same as "foo2". Now I can publish notifications to your node without ever trying to take over your account - I just use my "foo²" node.

Here is a real-world example (using an old version of XMPP nodeprep, no less!):

https://labs.spotify.com/2013/06/18/creative-usernames/

Let me know if the attack vector is still not clear. :-)

Peter
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
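The normalization mismatch described in the message above, worked through as an added Python example (not code from this thread or from any XMPP implementation): a hypothetical service that builds its node lookup key with NFKC conflates "foo2" with "foo²", while a simplified enforcement of the UsernameCaseMapped profile rejects the superscript outright because U+00B2 has a compatibility mapping. The helper names are assumptions, the IdentifierClass check covers only the rules relevant here, and the Bidi Rule is reduced to rejecting right-to-left input.

```python
import unicodedata
from typing import Optional

# Hypothetical helpers contrasting a lossy NFKC lookup key with the
# conservative UsernameCaseMapped profile; not a full PRECIS implementation.
LETTER_DIGITS = {"Ll", "Lu", "Lo", "Nd", "Lm", "Mn", "Mc"}  # RFC 8264 LetterDigits


def naive_node_key(node: str) -> str:
    """Lookup key of a service that folds compatibility characters with NFKC:
    'foo\u00b2' and 'foo2' select the same node under this rule."""
    return unicodedata.normalize("NFKC", node).casefold()


def is_identifier_class(s: str) -> bool:
    """PRECIS IdentifierClass (RFC 8264 section 4.2), reduced to the rules that
    matter here: printable ASCII and letters/digits are PVALID; code points with
    an NFKC compatibility mapping (HasCompat), spaces, symbols, punctuation and
    unassigned code points are DISALLOWED."""
    for ch in s:
        if 0x21 <= ord(ch) <= 0x7E:                   # ASCII7 rule
            continue
        if unicodedata.normalize("NFKC", ch) != ch:   # HasCompat rule
            return False
        if unicodedata.category(ch) not in LETTER_DIGITS:
            return False
    return True


def username_case_mapped(s: str) -> Optional[str]:
    """Enforce the UsernameCaseMapped profile (RFC 8265 section 3.3): width
    mapping, case mapping, NFC, then the IdentifierClass check. The Bidi Rule is
    simplified to rejecting right-to-left input. Returns None for invalid input."""
    # 1. Width mapping: decompose fullwidth and halfwidth forms only.
    widthmapped = "".join(
        unicodedata.normalize("NFKC", ch)
        if unicodedata.decomposition(ch).startswith(("<wide>", "<narrow>"))
        else ch
        for ch in s
    )
    # 2. Case mapping (toLower), 3. NFC normalization.
    enforced = unicodedata.normalize("NFC", widthmapped.lower())
    # 4. Directionality, simplified; 5. class membership and non-emptiness.
    if any(unicodedata.bidirectional(ch) in ("R", "AL", "AN") for ch in enforced):
        return None
    if not enforced or not is_identifier_class(enforced):
        return None
    return enforced
```

The dotted Gmail case from the message behaves the same way under the profile: "st.pe" and "stpe" enforce to distinct strings, so the collision exists only if the service adds its own folding on top.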