[standards-jig] Version 0.5 of JEP-0045

David Sutton jabber at dsutton.legend.uk.com
Mon Sep 23 22:41:37 CDT 2002


The problem is that it's not as simple as that.

A room groupchat message takes the form:

<message from='jdev@conference.jabber.org/sender'
to='receiver@jabber.org' type='groupchat'><body>test</body></message>

If I send a message through the conference server to a user, and set the
type to be groupchat, then the client receives exactly the same message.
You just don't know if it was announced to the room, or whether it was
directed. This could make unsuspecting people start making comments in
response to messages they believed everyone in the room also saw. The
sender just turns around and says that they never sent anything, and the
room logs would prove that point.

It's an exploit in the sense of social engineering. It's easily stopped by
rejecting any messages received with type 'groupchat' and a resource in
the 'to' field. A message of type 'chat' directed only at the room would
simply be interpreted as a private message to each room member. This
would be fine.

Regards,

  David

On Tue, Sep 24, 2002 at 12:28:44AM +0100, Richard Dobson wrote:
> >However, is this really necessary?
> >
> >What are the potentially dangerous or confusing scenarios y'all have in
> >mind here? I could open an XML debug window or use telnet to send you a
> >message of type="groupchat" and your client might treat that as a 
> >reason
> >to launch a groupchat interface rather than a regular old chat 
> >interface.
> >Anything else?
> 
> I expect that is the possible problem people are thinking of but isn't 
> that really a case of a client mishandling a packet (i.e. a bug) and no 
> problem with the protocol, so it's up to the client developers in 
> question to fix their software, so I don't think there is any need for 
> it.
> 
> Richard
> 
> 

-- 
David Sutton
Email: dsutton at legend.co.uk
Jabber: peregrine at legend.net.uk
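As an added illustration (not code from the list thread), a small Python filter that applies the check David describes: parse the stanza, split the 'to' JID into node, domain and resource, and reject a type='groupchat' message whose 'to' carries a resource. The sample stanzas below are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional


class JID(NamedTuple):
    node: Optional[str]
    domain: str
    resource: Optional[str]


def parse_jid(text: str) -> JID:
    """Split a JID of the form node@domain/resource; node and resource are optional."""
    bare, slash, resource = text.partition("/")
    node, _, domain = bare.rpartition("@")
    return JID(node or None, domain, resource if slash else None)


def classify_message(stanza: str) -> str:
    """Decide whether a client should treat an incoming <message/> as a room
    broadcast. Rule from the post: a type='groupchat' message addressed to a
    full JID (one with a resource) was directed at a single user, not announced
    to the room, so it is rejected. Other types are passed through unchanged."""
    msg = ET.fromstring(stanza)
    if msg.tag != "message":
        return "reject:not-a-message"
    mtype = msg.get("type", "normal")
    to = parse_jid(msg.get("to", ""))
    if mtype == "groupchat" and to.resource is not None:
        return "reject:directed-groupchat"
    if mtype == "groupchat":
        return "accept:room-broadcast"
    return f"accept:{mtype}"


# Constructed sample stanzas (not real traffic).
ROOM_BROADCAST = ("<message from='jdev@conference.jabber.org/sender' "
                  "to='receiver@jabber.org' type='groupchat'><body>test</body></message>")
DIRECTED_GROUPCHAT = ("<message from='jdev@conference.jabber.org/sender' "
                      "to='receiver@jabber.org/home' type='groupchat'><body>test</body></message>")
PRIVATE_CHAT = ("<message from='jdev@conference.jabber.org/sender' "
                "to='receiver@jabber.org/home' type='chat'><body>test</body></message>")

if __name__ == "__main__":
    for s in (ROOM_BROADCAST, DIRECTED_GROUPCHAT, PRIVATE_CHAT):
        print(classify_message(s))
```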