Co-author of XEP-0156 here.
Thanks for raising this issue.
I would go even farther and note that DNS TXT records were never a great
idea for this functionality (they're actively discouraged in the DNS
community for application-level uses like this).
On 2/9/22 4:29 PM, Travis Burtrum wrote:
Hi all,
Long story short: outside of DNSSEC, it's impossible to use
_xmppconnect TXT records to securely connect to BOSH or WebSockets.
Every client I've been able to find that supported this is vulnerable to
trivial MITM (Man-In-The-Middle) via DNS spoofing. If you have a client
that uses it, switch to grabbing host-meta via HTTPS per [RFC-7395]
immediately, maybe grab a CVE if you wish.
Sonny commented on your PR that "RFC 7395 doesn't define bosh lookups";
this might be true but that raises the issue of whether we should still
recommend BOSH, since it was a pre-websockets workaround for long polling.
I propose we litter [XEP-0156] with warnings explaining why it's
insecure and should never be done, and obsolete it, instead referring
people to the single host-meta method that [RFC-7395] defines, which
provides secure delegation when grabbed over HTTPS.
In general, +1 to what you propose.
Peter
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
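Added example, not code from this thread, from XEP-0156 or from RFC 7395: a minimal Python client-side discovery routine that contrasts the two lookups the thread is arguing about. The TXT parser follows the `_xmpp-client-websocket=...` / `_xmpp-client-xbosh=...` key=value shape XEP-0156 shows, and the host-meta parser follows the XRD `Link rel="urn:xmpp:alt-connections:..."` shape RFC 7395 shows. The hostnames (`web.example.com`, `attacker.example.net`) are placeholders, the sample host-meta document is constructed inline so the code runs offline, and the wss/https scheme check is this example's own hardening choice, not something either document mandates.

```python
"""Added example (not from the thread, XEP-0156 or RFC 7395): contrast XEP-0156
_xmppconnect TXT discovery with RFC 7395 host-meta discovery over HTTPS."""
import urllib.request
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
REL_WEBSOCKET = "urn:xmpp:alt-connections:websocket"
REL_XBOSH = "urn:xmpp:alt-connections:xbosh"

# Constructed sample host-meta document in the XRD shape XEP-0156 / RFC 7395 describe.
# The hostnames are placeholders, not real servers.
SAMPLE_HOST_META = b"""<?xml version='1.0' encoding='utf-8'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Link rel="urn:xmpp:alt-connections:xbosh" href="https://web.example.com:5280/bosh"/>
  <Link rel="urn:xmpp:alt-connections:websocket" href="wss://web.example.com:443/ws"/>
</XRD>
"""


def parse_xmppconnect_txt(records: Iterable[str]) -> Dict[str, str]:
    """The legacy path: _xmppconnect TXT records of the form key=value.

    Shown only for contrast. Without DNSSEC nothing authenticates these strings,
    and the client then TLS-connects to whatever host they name; a spoofed record
    pointing at a host whose certificate the attacker legitimately holds passes
    every check the client makes. No parser can fix that, so don't ship this path.
    """
    found: Dict[str, str] = {}
    for record in records:
        key, sep, value = record.partition("=")
        if not sep:
            continue
        if key == "_xmpp-client-websocket":
            found[REL_WEBSOCKET] = value
        elif key == "_xmpp-client-xbosh":
            found[REL_XBOSH] = value
    return found


def parse_host_meta(document: bytes) -> Dict[str, str]:
    """Extract the alternative-connection Links from an XRD host-meta document."""
    root = ET.fromstring(document)
    if root.tag != f"{{{XRD_NS}}}XRD":
        raise ValueError("host-meta is not an XRD document")
    found: Dict[str, str] = {}
    for link in root.findall(f"{{{XRD_NS}}}Link"):
        rel, href = link.get("rel"), link.get("href")
        if rel in (REL_WEBSOCKET, REL_XBOSH) and href:
            found[rel] = href
    return found


def is_secure_endpoint(rel: str, href: str) -> bool:
    """Accept only TLS-protected endpoints: wss:// for WebSocket, https:// for BOSH.

    The HTTPS fetch authenticates the delegation itself; this extra check (this
    example's own choice) stops a plaintext href inside an otherwise authentic
    document from quietly downgrading the XMPP connection that follows.
    """
    expected = "wss" if rel == REL_WEBSOCKET else "https"
    return urlsplit(href).scheme.lower() == expected


def fetch_host_meta_https(domain: str) -> bytes:
    """Fetch /.well-known/host-meta over HTTPS. urllib verifies the certificate
    chain and hostname by default, which is what makes the delegation trustworthy."""
    url = f"https://{domain}/.well-known/host-meta"
    with urllib.request.urlopen(url, timeout=10) as response:
        return response.read()


def discover_alt_connections(
    domain: str, fetch: Callable[[str], bytes] = fetch_host_meta_https
) -> Dict[str, str]:
    """RFC 7395 style discovery: HTTPS host-meta, then scheme validation of each href.
    `fetch` is injectable so the logic can run offline against SAMPLE_HOST_META."""
    links = parse_host_meta(fetch(domain))
    for rel, href in links.items():
        if not is_secure_endpoint(rel, href):
            raise ValueError(f"refusing insecure endpoint for {rel}: {href}")
    return links


if __name__ == "__main__":
    # Offline demonstration against the constructed document rather than a live fetch.
    print(discover_alt_connections("example.com", fetch=lambda _domain: SAMPLE_HOST_META))
    # A spoofed TXT answer is accepted blindly; nothing here can tell it is forged.
    print(parse_xmppconnect_txt(["_xmpp-client-websocket=wss://attacker.example.net/ws"]))
```

The asymmetry is the whole point of the thread: both parsers return a URL the client will happily open over TLS, but only the host-meta path ties that URL to a certificate for the domain the user actually typed. A live run replaces the lambda with the default `fetch_host_meta_https`.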