[standards-jig] Version 0.5 of JEP-0045

David Sutton jabber at dsutton.legend.uk.com
Tue Sep 24 06:15:48 UTC 2002


On Mon, Sep 23, 2002 at 11:55:25PM -0500, Peter Saint-Andre wrote:
> On Mon, 23 Sep 2002, David Sutton wrote:
> 
> > A room groupchat message takes the form:
> > 
> > <message from='jdev@conference.jabber.org/sender'
> > to='receiver@jabber.org' type='groupchat'><body>test</body></message>
> 
> Actually there is a resource on the 'to' address, no? We need to
> differentiate between what the sending client sends and what the receiving
> client receives.
> 
> The sender sends:
> 
> <message to='jdev@conference.jabber.org'
> type='groupchat'><body>test</body></message>
> 
> The receiver receives:
> 
> <message from='jdev@conference.jabber.org/sender'
> to='receiver@jabber.org/resource'
> type='groupchat'><body>test</body></message>
>
True, a resource was missing. In essence, it's what the receiver receives
which is the key to the discussion, but the clarification helps. Thanks.
>
> > If I send a message through the conference server to a user, and set the
> > type to be groupchat, then the client receives exactly the same message.
> > You just don't know if it was announced to the room, or whether it was
> > directed. This could make unsuspecting people start making comments in
> > response to messages they believed everyone in the room also saw. The
> > sender just turns around and says that they never sent anything, and the
> > room logs would prove that point. 
> > 
> > It's an exploit in the sense of social engineering. It's easily stopped by
> > rejecting any messages received with type 'groupchat' and a resource in
> > the 'to' field.
> 
> So the conferencing component would stop such messages when they are
> received by the component from the sender, right? I'd be fine with that.
> Would the messages be discarded or would they result in an error? I think
> discarding them is good enough.
> 
Personally, I'd go for error because just dropping could be misconceived
as packet loss, whereas we want the sender to know we are aware of their
actions. 400, Bad Request for instance.
>
> /stpeter

Regards,

  David
-- 
David Sutton
Email: dsutton at legend.co.uk
Jabber: peregrine at legend.net.uk
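
The check discussed in this message, as an added example that is not part of the original post or of any conferencing component's code: a 'groupchat' message whose 'to' address carries a resource is bounced with a 400 Bad Request error instead of being delivered. The function names and the sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas, as the conference component would receive them
# from senders (the sender's server has already stamped the 'from' address).
TO_ROOM = ("<message from='sender@jabber.org/home' "
           "to='jdev@conference.jabber.org' type='groupchat'>"
           "<body>test</body></message>")
TO_OCCUPANT = ("<message from='sender@jabber.org/home' "
               "to='jdev@conference.jabber.org/receiver' type='groupchat'>"
               "<body>test</body></message>")
PRIVATE = ("<message from='sender@jabber.org/home' "
           "to='jdev@conference.jabber.org/receiver' type='chat'>"
           "<body>test</body></message>")


def has_resource(jid):
    """True when the JID carries a '/resource' part (even an empty one)."""
    # Node and domain cannot contain '/', so the first '/' starts the resource.
    return "/" in jid


def check_inbound(stanza_xml):
    """Return (accepted, reply). reply is an error stanza string or None."""
    msg = ET.fromstring(stanza_xml)
    if msg.tag != "message" or msg.get("type") != "groupchat":
        return True, None                 # rule only covers groupchat messages
    if not has_resource(msg.get("to", "")):
        return True, None                 # addressed to the room: broadcast it
    # Directed 'groupchat': bounce it so the sender sees it was refused.
    reply = ET.Element("message", {"from": msg.get("to"),
                                   "to": msg.get("from", ""),
                                   "type": "error"})
    reply.extend(list(msg))               # echo the original payload back
    err = ET.SubElement(reply, "error", {"code": "400"})
    err.text = "Bad Request"
    return False, ET.tostring(reply, encoding="unicode")


if __name__ == "__main__":
    for name, stanza in (("to room", TO_ROOM), ("to occupant", TO_OCCUPANT),
                         ("private chat", PRIVATE)):
        accepted, reply = check_inbound(stanza)
        print(f"{name}: {'accept' if accepted else 'reject'} {reply or ''}")
```

Messages of other types addressed to an occupant are left alone, so only the spoofable combination is refused.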