XEP-Remarks/XEP-0070: Verifying HTTP Requests via XMPP

Revision as of 21:28, 16 April 2020 by Pep. (talk | contribs) (Backport standards thread)

SPOF, DoS, and privacy concerns

As pointed out in the following thread: here

  • The way the XEP is written (as of 1.0.1), web services using XEP-0070 have to rely on one (or several) static endpoints, each of which acts as a single point of failure (SPOF).
  • While a SPOF might be acceptable in some cases, that single endpoint also becomes the identity provider for the whole XMPP network as seen from the web service, which allows it to:
    • refuse even legitimate users on (other) servers,
    • observe the activity of anybody authenticating against the web service (that is, only at authentication time).

This might be alleviated by the fact that the XEP was probably meant to have the HTTP/XMPP component run alongside the web service, rather than be provided by other XMPP services, as corrected here. Nonetheless, adoption might be easier if XMPP services provided such interfaces.