[standards-jig] Version 0.5 of JEP-0045

Richard Dobson richard at dobson-i.net
Tue Sep 24 09:04:35 UTC 2002


Ah, I get the point now.

So the sender sends:

<message to='jdev at conference.jabber.org/receiver'
type='groupchat'><body>test</body></message>

The receiver receives:

<message from='jdev at conference.jabber.org/sender'
to='receiver at jabber.org/resource'
type='groupchat'><body>test</body></message>

Which seems to be from the room, so the groupchat component, when bouncing the
message, should either

1) send back an error:

<message from='jdev at conference.jabber.org/receiver'
to='sender at jabber.org/resource' type='error'>
    <body>test</body>
    <error code='400'>Bad request</error>
</message>

The problem with the error is that unless the sender specifies an id, the
sender/client will not necessarily know what action it relates to.

2) Or interpret it as a message to the room and just send it to all
participants instead of just the one.

3) Change it to type "chat" on the way through.

4) Ignore the message.

Richard

----- Original Message -----
From: "Peter Saint-Andre" <stpeter at jabber.org>
To: <standards-jig at jabber.org>
Sent: Tuesday, September 24, 2002 5:55 AM
Subject: Re: [standards-jig] Version 0.5 of JEP-0045


> On Mon, 23 Sep 2002, David Sutton wrote:
>
> > A room groupchat message takes the form:
> >
> > <message from='jdev at conference.jabber.org/sender'
> > to='receiver at jabber.org' type='groupchat'><body>test</body></message>
>
> Actually there is a resource on the 'to' address, no? We need to
> differentiate between what the sending client sends and what the receiving
> client receives.
>
> The sender sends:
>
> <message to='jdev at conference.jabber.org'
> type='groupchat'><body>test</body></message>
>
> The receiver receives:
>
> <message from='jdev at conference.jabber.org/sender'
> to='receiver at jabber.org/resource'
> type='groupchat'><body>test</body></message>
>
> > If I send a message through the conference server to a user, and set the
> > type to be groupchat, then the client receives exactly the same message.
> > You just don't know if it was announced to the room, or whether it was
> > directed. This could make unsuspecting people start making comments in
> > response to messages they believed everyone in the room also saw. The
> > sender just turns around and says that they never sent anything, and the
> > room logs would prove that point.
> >
> > It's an exploit in the sense of social engineering. It's easily stopped by
> > rejecting any messages received with type 'groupchat' and a resource in
> > the 'to' field.
>
> So the conferencing component would stop such messages when they are
> received by the component from the sender, right? I'd be fine with that.
> Would the messages be discarded or would they result in an error? I think
> discarding them is good enough.
>
> /stpeter
>
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
>
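As an added illustration (not code from the thread or from any JEP-0045 implementation), here is the inbound check the discussion converges on, written in Python with the standard-library XML parser: a groupchat-typed message whose 'to' carries a resource (an occupant JID rather than the bare room JID) is bounced with the type='error' / code='400' stanza from option 1 instead of being relayed, keeping the sender's id when present so the client can correlate the error. JIDs in the constructed test stanzas use '@' rather than the list archive's 'at'.

```python
# Added example: a MUC component's inbound check for the spoofing case
# discussed above. Groupchat messages must be addressed to the bare room JID;
# one addressed to room@service/nick is bounced rather than delivered, so no
# occupant receives a private message dressed up as a room broadcast.
import xml.etree.ElementTree as ET


def split_jid(jid):
    """Return (bare_jid, resource); resource is '' when the JID has none."""
    bare, _sep, resource = jid.partition("/")
    return bare, resource


def handle_inbound(stanza_xml):
    """Decide what the room does with a stanza received from a sender.

    Returns ('relay', None) for a message the room may deliver normally, or
    ('bounce', error_stanza_xml) for a type='groupchat' message aimed at a
    single occupant (resource present in 'to')."""
    msg = ET.fromstring(stanza_xml)
    if msg.tag != "message":
        raise ValueError("not a message stanza")
    to = msg.get("to", "")
    _bare_to, resource = split_jid(to)
    if msg.get("type") != "groupchat" or not resource:
        return ("relay", None)

    # Option 1 from the thread: swap the addresses, echo the body and return
    # a 400 error. The id (if the sender set one) is copied across so the
    # sending client can tell which message the error relates to.
    err = ET.Element("message", {"from": to, "to": msg.get("from", ""),
                                 "type": "error"})
    if msg.get("id"):
        err.set("id", msg.get("id"))
    body = msg.find("body")
    if body is not None:
        err.append(body)
    error = ET.SubElement(err, "error", {"code": "400"})
    error.text = "Bad request"
    return ("bounce", ET.tostring(err, encoding="unicode"))
```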