OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

mqtt message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Connect with existing ID


I never before noticed this line in the input spec:

If a client with the same Client ID is already connected to the server, the "older" client must be disconnected by the server before completing the CONNECT flow of the new client.

It corresponds to this in the WD:

If the ClientId represents a client already connected to the server then the server MUST disconnect the existing client.

Isn't this a bit of a security hole? If I can guess a ClientID I can disconnect it. If there is anyone using the clientId as a topic for replies and relying on clientId for security (e.g. in Mosquitto's ACL %c to match the client id of the client), then this is also a security hole. 

Can anyone comment?


Paul


--
Paul Fremantle
CTO and Co-Founder, WSO2
OASIS WS-RX TC Co-chair, Apache Member

UK: +44 207 096 0336
US: +1 646 595 7614

blog: http://pzf.fremantle.org
twitter.com/pzfreo
paul@wso2.com

wso2.com Lean Enterprise Middleware

Disclaimer: This communication may contain privileged or other confidential information and is intended exclusively for the addressee/s. If you are not the intended recipient/s, or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received and in addition, you should not print, copy, retransmit, disseminate, or otherwise use the information contained in this communication. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]