[JDEV] Proposal for filters on incomming messages

Anders Qvist quest at netg.se
Wed Aug 11 16:18:05 CDT 1999

On Wed, 11 Aug 1999, Thomas D. Charron wrote:

> On Wed, 11 Aug 1999 11:59:20   Anders Qvist wrote:
> >The problem is, we don't want people to be able to send messages that
> >trick their way past filters by saying: 'I'm a rejection reply' or 'I'm an
> >error message.' Thus, we need Jabbertransport to protect us from this
> >somehow. Any thoughts? (I feel I will be writing a new mail on the subject
> >of verification and auditability shortly so you may want to save your
> >replies for that ;)
>   Hrm..  A rejection reply would need to be an error message, that's a
> gimme.  But the from would be from a system.  The ONLY way one could
> hack this is to hack a transport, as the transport that accepts messages
> from a client would reject messages from a client not 'from' that
> connection..

I can create my own server and have it send a rejection reply to a
client on another server. This means either jabbertransport or client
(preferably the earlier if you ask me) needs to know what messages it has
sent in order to tell that a rejection reply (or indeed any reply) is
authentic. A rather tedious job.

Things could be simplified a little by fitting all messages with a one-way
encryption of some secret that is rotated once every week or so. This
would mean we only need to keep track of a small pile of secrets, rather
than the MD5 checksum or ID of all messages ever sent.

... or am I missing some obvious solution/information?

Anders "Quest" Qvist
NetGuide Scandinavia

-- Why suffer scarcity? Look for the Open Source and enter a world of plenty!

More information about the JDev mailing list