mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-21 16:55:07 -05:00
XEP-0115: mention the pre-image attacks in the XEP
Signed-off-by: Sam Whited <sam@samwhited.com>
parent
1b82bab65c
commit
e0c7d71c69
@ -602,7 +602,7 @@
|
||||
<warning;
|
||||
</section2>
|
||||
<section2 topic='Caps Poisoning' anchor='security-poisoning'>
|
||||
<p>Adherence to the method defined in the <link url='#ver'>Verification String</link> section of this document for both generation and processing of the 'ver' attribute helps to guard against poisoning of entity capabilities information by malicious or improperly implemented entities.</p>
|
||||
<p>Adherence to the method defined in the <link url='#ver'>Verification String</link> section of this document for processing of the 'ver' attribute is known to be vulnerable to certain cache poisoning attacks that can not be fixed in a backwards compatible manner <note><link url="https://mail.jabber.org/pipermail/security/2009-July/000812.html">[Security] Trivial preimage attack against the entity capabilities protocol</link>.</note>.</p>
|
||||
<p>If the value of the 'ver' attribute is a verification string as defined herein (i.e., if the 'ver' attribute is not generated according to the <link url='#legacy'>Legacy Format</link>), inclusion of the 'hash' attribute is REQUIRED. Knowing explicitly that the value of the 'ver' attribute is a verification string enables the recipient to avoid spurious notification of invalid or poisoned hashes.</p>
|
||||
</section2>
|
||||
<section2 topic='Information Exposure' anchor='security-exposure'>
|
||||
|
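Review bot: the new paragraph in 'Caps Poisoning' makes "adherence to the method" the thing that "is known to be vulnerable", when it is the verification string method itself that is vulnerable, and it gives implementers no guidance beyond the footnoted mailing list post. Suggest wording such as "The method defined in the Verification String section of this document is known to be vulnerable to certain cache poisoning attacks that cannot be fixed in a backwards-compatible manner", and say explicitly whether the earlier statement (that following the method helps guard against poisoning by malicious or improperly implemented entities) is withdrawn or still holds for improperly implemented entities. The commit message speaks of pre-image attacks while the paragraph says only "cache poisoning attacks"; naming the preimage attack in the sentence would tie it to the cited post. Smaller points on the same line: the note text ends with a period before </note> and another period follows it, which renders as a doubled full stop; "can not" should be "cannot"; and the added link uses url="..." with double quotes where the surrounding lines use url='...'.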