diff --git a/xep-0165.xml b/xep-0165.xml index 12d553ec..f4256674 100644 --- a/xep-0165.xml +++ b/xep-0165.xml @@ -6,8 +6,8 @@
- Prevention of JID Spoofing - This document recommends best practices to prevent the spoofing of Jabber IDs. + Best Practices to Prevent JID Mimicking + This document recommends best practices to prevent mimicking of Jabber IDs. &LEGALNOTICE; 0165 Experimental @@ -23,6 +23,12 @@ N/A &stpeter; + + 0.4 + 2006-12-20 + psa +

Explicitly limited scope to address mimicking rather than address forging; updated to use XEP-0189 syntax for keys.

 + 0.3 2006-06-10 @@ -56,35 +62,35 @@

There are two forms of address spoofing: forging and mimicking.

-

In the context of Jabber technologies, an address is forged when an entity is able to generate an XML stanza whose 'from' address does not correspond to the account credentials with which the entity authenticated onto the network -- for example, if an entity authenticated as "stpeter@jabber.org" is able to send XML stanzas from "MaineBoy@jabber.org" or "peter@saint-andre.com".

+

In the context of Jabber/XMPP technologies, an address is forged when an entity is able to generate an XML stanza whose 'from' address does not correspond to the account credentials with which the entity authenticated onto the network -- for example, if an entity that authenticated as "stpeter@jabber.org" is able to send XML stanzas from "MaineBoy@jabber.org" or "peter@saint-andre.com".

An address is mimicked when an entity provides legitimate authentication credentials for and sends XML stanzas from an account whose Jabber ID (JID) appears to a human user to be the same as another JID -- for example, in some clients "paypa1@jabber.org" (spelled with the number one as the final character of the node identifier) may appear to be the same as "paypal@jabber.org (spelled with the lower-case version of the letter "L"). This phenomenon is sometimes called "typejacking". A more sophisticated example of address mimicking (which may not render correctly in all browsers) is the following:

-ᏚᎢᎵᎬᎢᎬᏒ@ᎫᎪᏴᏴᎬᏒ.org - + ᏚᎢᎵᎬᎢᎬᏒ@ᎫᎪᏴᏴᎬᏒ.org

That JID is not an uppercase version of "stpeter@jabber.org" in US-ASCII characters, but a fake JID made up mostly of Cherokee characters, namely:

- U+13DA U+13A2 U+13B5 U+13AC U+13A2 U+13AC U+13D2 + + U+13DA U+13A2 U+13B5 U+13AC U+13A2 U+13AC U+13D2 @ U+13AB U+13AA U+13F4 U+13F4 U+13AC U+13D2 .org

In this example, it is unlikely that the average user could tell the difference between the real JID and the fake JID. Naturally, there is no way to distinguish with full certainty which is the fake JID and which is the real JID. For example, in some communication contexts, the Cherokee JID may be the real JID and the US-ASCII JID may thus appear to be the fake JID.

-

Traditionally, forging of JIDs has been very difficult in Jabber/XMPP systems given the requirement for servers to stamp 'from' addresses and for servers to verify sending domains via server dialback or server-to-server authentication (see &rfc3920;). However, it may be relatively easy to mimic (some) JIDs in Jabber/XMPP systems, especially because JIDs can contain almost any Unicode character. The possibility of address mimicking introduces security vulnerabilities of the kind that have also plagued the World Wide Web, specifically the phenomenon known as phishing. Phishing has been defined as "a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them" (see Financial Services Technology Consortium Counter-Phishing Initiative: Phase I). To be precise, the current document (1) does not assume that such attacks will be broadly launched and (2) focuses on the misrepresentation of Jabber IDs (not any other identifiers) within the context of Jabber/XMPP systems.

-

To combat those vulnerabilities, this document recommends a set of best practices to minimize the potential impact of address mimicking on the Jabber/XMPP network. This document does not cover handling of non-XMPP addresses, for example HTTP URLs. Jabber/XMPP clients SHOULD handle such addresses in accordance with best practices for the relevant non-XMPP technology.

+

Traditionally, forging of JIDs has been very difficult in Jabber/XMPP systems given the requirement for sending servers to stamp 'from' addresses and for receiving servers to verify sending domains via server dialback or server-to-server authentication (see &rfc3920;). Difficult, but not impossible: a rogue server could forge JIDs at the sending domain by ignoring the stamping requirement and could even forge JIDs at other domains by means of a DNS poisoning attack. However, discussion of ways to deal with such rogue servers is out of scope for this document.

+

By contrast, it may be relatively easy to mimic (some) JIDs in Jabber/XMPP systems, especially because JIDs can contain almost any Unicode character. The possibility of address mimicking introduces security vulnerabilities of the kind that have also plagued the World Wide Web, specifically the phenomenon known as phishing. Phishing has been defined as "a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them" (see Financial Services Technology Consortium Counter-Phishing Initiative: Phase I). To be precise, the current document (1) does not assume that such attacks will be broadly launched and (2) focuses on the misrepresentation of Jabber IDs (not any other identifiers) within the context of Jabber/XMPP systems. To combat those vulnerabilities, this document recommends a set of best practices to minimize the potential impact of address mimicking on the Jabber/XMPP network. This document does not cover handling of non-XMPP addresses, for example HTTP URLs. Jabber/XMPP clients SHOULD handle such addresses in accordance with best practices for the relevant non-XMPP technology.

Every human user of Jabber/XMPP technologies presumably has a preferred language (or, in some cases, a small set of preferred languages), which an XMPP application SHOULD gather either explicitly from the user or implicitly via the user's operating system. Furthermore, every language has a range of characters normally used to represent that language in textual form. Therefore, an XMPP application SHOULD warn the user when presenting a JID that uses characters outside the normal range of the user's preferred language(s). This recommendation is not intended to discourage communication across language communities; instead, it simply recognizes the existence of such language communities and encourages due caution when presenting unfamiliar character sets to human users.

 - +

As explained in &petnames;, no one naming or address scheme can provide names that are simultaneously global, memorable, and unique. However, certain combinations of names and addresses can provide all three properties, and such combinations are commonly called "petname systems". Consider the following combination of names:

    -

  1. The JID "stpeter@jabber.org" is globally unique on the Jabber network, but it is not necessarily memorable.

    2. +

  2. The JID "stpeter@jabber.org" is globally unique on the Jabber/XMPP network, but it is not necessarily memorable.

  3. The nickname "psa" (asserted by the user associated with the address "stpeter@jabber.org") is globally memorable but not necessarily unique; see &xep0172; for more information about user-asserted nicknames.

    4. -

  4. The handle or petname For consistency with other XMPP specifications, wee use the term "alias" rather than "petname". "that JSF dude" (assigned by a contact who adds "stpeter@jabber.org" to her contact list) is privately memorable and unique If not shared or leaked, it may even be securely unique. but is by no means global since it has meaning only to the person who assigns it; for consistency with XEP-0172 we refer to this as a "handle".

    5. +

  5. The handle or petname For consistency with other XMPP specifications, we use the term "handle" rather than "petname"; in RFC 3921 this was referred to as an "alias" but in rfc3921bis the term has been changed to "handle". "that protocol dude" (assigned by a contact who adds "stpeter@jabber.org" to her contact list) is privately memorable and unique If not shared or leaked, it may even be securely unique. but is by no means global since it has meaning only to the person who assigns it; for consistency with XEP-0172 we refer to this as a "handle".

A client SHOULD require an end user to assign a handle for every contact added to the person's roster, which SHOULD be stored as the value of the <item/> element's 'name' attribute qualified by the 'jabber:iq:roster' namespace (for details regarding roster syntax, refer to &rfc3921;). A client SHOULD then present that handle instead of or in addition to the contact's JID or nickname (e.g., in the user's roster and in chat interfaces). This will help to prevent mimicked addresses from being presented as equivalent to the address that is being mimicked.

 -

Although a Jabber ID can be considered globally unique, the petname system in which it is embedded can be strengthened by associating that JID with a key or certificate that can be used for signing and encryption (such as a PGP key or X.509 certificate), preferably a key or certificate that encapsulates the associated XMPP address (e.g., as described in Section 5.1.1 of RFC 3920). A client SHOULD associate a key or certificate with the user of that client, and SHOULD generate such a key or certificate if the user does not have one.

-

Unfortunately, cryptographic identities such as keys, certificates, and fingerprints are even less memorable than JIDs, which makes assigning a handle even more important. Therefore, if a contact provides such a cryptographic identity, a client MUST reliably associate it with the contact in a user's roster (including, as mentioned, an alias for each contact) in order to further strengthen the petname system.

+

Although a Jabber ID can be considered globally unique, the petname system in which it is embedded can be strengthened by associating that JID with a key that can be used for signing and encryption (such as an OpenPGP key, X.509 certificate, or RSA key), preferably a key that encapsulates the associated XMPP address (e.g., as described in Section 5.1.1 of RFC 3920). A client SHOULD associate a key with the user of that client, and SHOULD generate such a key if the user does not have one.

+

Unfortunately, cryptographic identities such as keys, certificates, and fingerprints are even less memorable than JIDs, which makes assigning a handle even more important. Therefore, if a contact provides such a cryptographic identity, a client MUST reliably associate it with the contact in a user's roster (including, as mentioned, a handle for each contact) in order to further strengthen the petname system.

In order to strengthen the web of interaction and trust between Jabber/XMPP users, it is helpful for them to share roster items. In particular, when a user wants to subscribe to the presence of a potential contact, the user SHOULD seek a referral from a third person who knows both the user and the contact. Such a referral consists of a roster item sent from the third person to the potential contact, encapsulated using the &xep0144; protocol:

@@ -96,40 +102,54 @@ ]]>

Here, the 'name' attribute encapsulates what in petname systems is known as an "alleged name", that is, the name for an entity proposed by a third party.

-

Such a referral SHOULD also include the user's nick as understood by the third person (encapsulated in the format defined in &xep0172;) and fingerprint of the user as understood by the third person (encapsulated in the format defined in the proposal available at <http://www.jabber.org/jeps/inbox/fingerprint.html>:

- Such a referral SHOULD also include the user's nick as understood by the third person (encapsulated in the format defined in &xep0172;) and fingerprint of the user as understood by the third person (encapsulated in the format defined in &xep0189;:

+ psa - - C3 88 33 27 F3 47 3B 8B 07 71 3E 96 44 A7 EE E2 E0 50 4A 5B - + + + stpeterRSAkey1 + ... + + + stpeterX509cert1 + ... + + ]]> -

The third person MUST NOT simply copy the fingerprint as communicated by the contact but instead MUST validate the fingerprint against the public key or certificate of the contact.

+

The third person MUST NOT simply copy the key as communicated by the contact but instead MUST validate it against the public key of the contact.

 -

We have seen that, at a minimum, three names or address types are needed to provide a petname system for XMPP: a JID, a nickname, and a handle (preferably strengthened by inclusion of a fingerprint derived from a key or certificate). However, at present a subscription request contains only the JID of the sender:

+

We have seen that, at a minimum, three names or address types are needed to provide a petname system for XMPP: a JID, a nickname, and a handle (preferably strengthened by inclusion of a fingerprint derived from a key). However, at present a subscription request contains only the JID of the sender:

]]> -

Naturally, based on the JID, it is possible to pull information about the sender from a persistent data store such as an LDAP database, &xep0054; node, or future profile system. However, to speed interactions, this document recommends that when a client sends a subscription request, it SHOULD include the preferred nickname of the sender (encapsulated via the format specified in XEP-0172) and the fingerprint of the sender's certificate or key.

- Naturally, based on the JID, it is possible to pull information about the sender from a persistent data store such as an LDAP database, &xep0054; node, or future profile system. However, to speed interactions, this document recommends that when a client sends a subscription request, it SHOULD include the preferred nickname of the sender (encapsulated via the format specified in XEP-0172) and the sender's key or keys.

+ psa - - C3 88 33 27 F3 47 3B 8B 07 71 3E 96 44 A7 EE E2 E0 50 4A 5B - + + + stpeterRSAkey1 + ... + + + stpeterX509cert1 + ... + + ]]> -

If one or more referrals have been received, the user or client MUST check the fingerprint provided in the subscription request against the fingerprint provided in the referral or referrals.

+

If one or more referrals have been received, the user or client MUST check the key or keys provided in the subscription request against the key or keys provided in the referral or referrals.

 -

In order for a user-assigned alias to strengthen the security of the petname system, it MUST NOT be shared with anyone other than the user who assigned it. The user SHOULD NOT assign as an alias the alleded name received in a referral.

+

In order for a user-assigned handle to strengthen the security of the petname system, it MUST NOT be shared with anyone other than the user who assigned it. The user SHOULD NOT assign as a handle the alleded name received in a referral.

A user SHOULD NOT place more trust a referral than he or she places in the person who sends it.