[standards-jig] Version 0.5 of JEP-0045

Peter Saint-Andre stpeter at jabber.org
Tue Sep 24 04:55:25 UTC 2002


On Mon, 23 Sep 2002, David Sutton wrote:

> A room groupchat message takes the form:
> 
> <message from='jdev at conference.jabber.org/sender'
> to='receiver at jabber.org' type='groupchat'><body>test</body></message>

Actually there is a resource on the 'to' address, no? We need to
differentiate between what the sending client sends and what the receiving
client receives.

The sender sends:

<message to='jdev at conference.jabber.org'
type='groupchat'><body>test</body></message>

The receiver receives:

<message from='jdev at conference.jabber.org/sender'
to='receiver at jabber.org/resource'
type='groupchat'><body>test</body></message>

> If I send a message through the conference server to a user, and set the
> type to be groupchat, then the client receives exactly the same message.
> You just don't know if it was announced to the room, or whether it was
> directed. This could make unsuspecting people start making comments in
> response to messages they believed everyone in the room also saw. The
> sender just turns around and says that they never sent anything, and the
> room logs would prove that point.
> 
> It's an exploit in the sense of social engineering. It's easily stopped by
> rejecting any messages received with type 'groupchat' and a resource in
> the 'to' field.

So the conferencing component would stop such messages when they are
received by the component from the sender, right? I'd be fine with that.
Would the messages be discarded or would they result in an error? I think
discarding them is good enough.

/stpeter
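The check discussed above, as an added example that is not code from the thread or from the JEP: a small Python filter a conferencing component could run on each stanza arriving from a sending client, dropping a type='groupchat' message whose 'to' address carries a resource. The room domain, the function names and the sample stanzas are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed example value: the domain served by the conferencing component.
ROOM_DOMAIN = "conference.jabber.org"


@dataclass(frozen=True)
class JID:
    node: Optional[str]
    domain: str
    resource: Optional[str]


def parse_jid(text: str) -> JID:
    """Split a JID of the form node@domain/resource; node and resource are optional."""
    bare, slash, resource = text.partition("/")
    node, _, domain = bare.rpartition("@")
    return JID(node or None, domain, resource if slash else None)


def inbound_groupchat_action(stanza_xml: str) -> str:
    """Decide what the room component does with a stanza received from a sender.

    Returns 'broadcast' (deliver to the whole room), 'discard' (drop silently,
    the option Peter considers good enough; an error stanza could be sent
    instead) or 'pass' (not a groupchat message for this component).
    """
    el = ET.fromstring(stanza_xml)
    if el.tag != "message" or el.get("type") != "groupchat":
        return "pass"
    to = parse_jid(el.get("to", ""))
    if to.domain != ROOM_DOMAIN:
        return "pass"
    # A groupchat message must address the room itself (room@domain). One
    # addressed to room@domain/nick would reach a single occupant while looking
    # like a message everyone saw, so it is rejected before being relayed.
    if to.resource is not None:
        return "discard"
    return "broadcast"
```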
