Kevin P. Fleming wrote:

> 'alwaysauthreject' is not incompliant with any RFCs; the RFCs define
> response codes that *can* be used to indicate (for example) that the
> Request URI does not represent a target known to the receiver (404 Not
> Found), but does not mandate that the server respond with that code in
> that situation.
Kevin,

Thanks for the correction and I apologize if I'm propagating a misconception. Am I misunderstanding this Asterisk Security Advisory?

http://lists.digium.com/pipermail/asterisk-announce/2009-April/000177.html

    In 2006, the Asterisk maintainers made it more difficult to scan for valid SIP usernames by implementing an option called "alwaysauthreject"...

    ...What we have done is to carefully emulate exactly the same responses throughout possible dialogs, which should prevent attackers from gleaning this information. All invalid users, if this option is turned on, will receive the same response throughout the dialog, as if a username was valid, but the password was incorrect.

    It is important to note several things. First, this vulnerability is derived directly from the SIP specification, and it is a technical violation of RFC 3261 (and subsequent RFCs, as of this date), for us to return these responses...

I am asking out of genuine curiosity, because I trust your assessment more than my interpretation of the advisory.

Thank you,

Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer

--
asterisk-users mailing list
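The behaviour the quoted advisory describes, as an added illustration that is not Asterisk's own code: a toy SIP registrar that, with the option on, answers an unknown user's REGISTER with exactly the same 401 challenge a known user with a wrong password receives, and with it off answers 404 instead. The realm "asterisk", the one-entry user table and the REGISTER messages are constructed for the example.

```python
"""Toy SIP registrar modelling Asterisk's 'alwaysauthreject' (added
illustration, not Asterisk's code). With the option on, an unknown user
gets exactly the same 401 challenge as a known user with a bad password."""
import hashlib
import re

REALM = "asterisk"              # assumed realm value
USERS = {"1001": "s3cret"}      # constructed sample user table


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, nonce, method, uri):
    """RFC 2617 digest (MD5, no qop) as used for SIP REGISTER."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_register(username, password=None, nonce=None, uri="sip:example.com"):
    """Constructed REGISTER text; adds an Authorization header if a password is given."""
    msg = f"REGISTER {uri} SIP/2.0\r\nFrom: <sip:{username}@example.com>\r\n"
    if password is not None:
        resp = digest_response(username, password, nonce, "REGISTER", uri)
        msg += (f'Authorization: Digest username="{username}", realm="{REALM}", '
                f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n')
    return msg


def handle_register(request, nonce, always_auth_reject=True):
    """Return (status line, WWW-Authenticate header or None) for one REGISTER.
    The nonce is supplied by the caller; a real server generates a fresh random one."""
    user = re.search(r"^From:.*?sip:([^@>]+)@", request, re.M).group(1)
    auth = re.search(r"^Authorization: Digest (.+)$", request, re.M)
    challenge = ("SIP/2.0 401 Unauthorized",
                 f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"')
    if user not in USERS and not always_auth_reject:
        return ("SIP/2.0 404 Not Found", None)      # leaks that the user is unknown
    if auth is None:
        return challenge                            # first pass: challenge everyone alike
    p = dict(re.findall(r'(\w+)="([^"]*)"', auth.group(1)))
    if user in USERS and p.get("nonce") == nonce and p.get("response") == \
            digest_response(user, USERS[user], nonce, "REGISTER", p.get("uri", "")):
        return ("SIP/2.0 200 OK", None)
    return challenge                                # wrong password or unknown user
```

Comparing the responses for an unknown user and a known user with a bad password shows they are byte-identical when the option is on, which is the point the advisory makes about emulating the same dialog.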
