From 3e8cf4d0b064b5cdaa31f77cc8493b6a5d96b6fa Mon Sep 17 00:00:00 2001 From: Peter Saint-Andre Date: Tue, 21 Aug 2012 10:06:34 -0600 Subject: [PATCH] 0.5 --- xep-0288.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/xep-0288.xml b/xep-0288.xml index 293f96f2..cf903d8e 100755 --- a/xep-0288.xml +++ b/xep-0288.xml @@ -33,6 +33,12 @@ dave.cridland@isode.com dave.cridland@isode.com + + 0.5 + 2012-08-21 + ph/dwd +

Defined additional security considerations about the "unsolicited dialback" attack on bidirectional connections.

+
0.4 2012-07-23 @@ -212,7 +218,7 @@ C:

This specification introduces no security considerations above and beyond those discussed in RFC 6120 or XEP-0220. - Note that when using Server Dialback, a server must be very careful when receiving a <db:result/> of type 'valid' without having sent a corresponding request to add the domain pair given by the 'from' and 'to' attributes. In particular it MUST NOT route stanzas to the domain given in the elements 'from' attribute over this XML stream without further proof of the peers identity.

+ Note that the impact of the "unsolicited server dialback" attack described in XEP-0220 is considerably larger for bidirectional streams, e.g. a vulnerability which allows spoofing might also route messages to the wrong targets. Additionally, dialback elements with a "type" attribute also need to be handled in incoming connections.
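Review bot: The second hunk drops the only normative requirement in this section (the removed line's "MUST NOT route stanzas to the domain given in the elements 'from' attribute over this XML stream without further proof of the peers identity") and replaces it with a description of impact, so a reader of the added paragraph is told the unsolicited dialback attack is worse for bidirectional streams but not what a server is required to do about it. Suggest either keeping the MUST NOT sentence alongside the new text or making the new paragraph point explicitly at the corresponding requirement in XEP-0220, e.g. "... a server MUST apply the handling of unsolicited <db:result/> elements required by XEP-0220 to both directions of a bidirectional stream." Two smaller points in the same hunk: the unchanged context line still states that the specification "introduces no security considerations above and beyond those discussed in RFC 6120 or XEP-0220", which now reads as contradicted by the paragraph added directly below it; and the closing sentence "dialback elements with a "type" attribute also need to be handled in incoming connections" is vague about what handling is meant and uses double quotes around the attribute name where the surrounding text uses single quotes ('from', 'to').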