[standards-jig] Version 0.5 of JEP-0045

Peter Saint-Andre stpeter at jabber.org
Tue Sep 24 13:37:35 UTC 2002


On reflection, I think option #3 makes the most sense, but I admit that
we're attempting to interpret the intentions of the sender (or the
sender's client).

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.html

On Tue, 24 Sep 2002, Richard Dobson wrote:

> Ah I get the point now,
> 
> So the sender sends:
> 
> <message to='jdev at conference.jabber.org/receiver'
> type='groupchat'><body>test</body></message>
> 
> The receiver receives:
> 
> <message from='jdev at conference.jabber.org/sender'
> to='receiver at jabber.org/resource'
> type='groupchat'><body>test</body></message>
> 
> Which seems to be from the room so the groupchat component when bouncing the
> message should either
> 
> 1) send back an error:
> 
> <message from='jdev at conference.jabber.org/receiver'
> to='sender at jabber.org/resource' type='error'>
>     <body>test</body>
>     <error code='400'>Bad request</error>
> </message>
> 
> Problem with the error is that unless the sender specifies an id the
> sender/client will not know necessarily what action it relates to.
> 
> 2) Or interpret it as a message to the room and just send it to all
> participants instead of just the one.
> 
> 3) Change it to type "chat" on the way through.
> 
> 4) Ignore the message.
> 
> Richard
> 
> ----- Original Message -----
> From: "Peter Saint-Andre" <stpeter at jabber.org>
> To: <standards-jig at jabber.org>
> Sent: Tuesday, September 24, 2002 5:55 AM
> Subject: Re: [standards-jig] Version 0.5 of JEP-0045
> 
> 
> > On Mon, 23 Sep 2002, David Sutton wrote:
> >
> > > A room groupchat message takes the form:
> > >
> > > <message from='jdev at conference.jabber.org/sender'
> > > to='receiver at jabber.org' type='groupchat'><body>test</body></message>
> >
> > Actually there is a resource on the 'to' address, no? We need to
> > differentiate between what the sending client sends and what the receiving
> > client receives.
> >
> > The sender sends:
> >
> > <message to='jdev at conference.jabber.org'
> > type='groupchat'><body>test</body></message>
> >
> > The receiver receives:
> >
> > <message from='jdev at conference.jabber.org/sender'
> > to='receiver at jabber.org/resource'
> > type='groupchat'><body>test</body></message>
> >
> > > If I send a message through the conference server to a user, and set the
> > > type to be groupchat, then the client receives exactly the same message.
> > > You just don't know if it was announced to the room, or whether it was
> > > directed. This could make unsuspecting people start making comments in
> > > response to messages they believed everyone in the room also saw. The
> > > sender just turns around and says that they never sent anything, and the
> > > room logs would prove that point.
> > >
> > > It's an exploit in the sense of social engineering. It's easily stopped by
> > > rejecting any messages received with type 'groupchat' and a resource in
> > > the 'to' field.
> >
> > So the conferencing component would stop such messages when they are
> > received by the component from the sender, right? I'd be fine with that.
> > Would the messages be discarded or would they result in an error? I think
> > discarding them is good enough.
> >
> > /stpeter
> >
> > _______________________________________________
> > Standards-JIG mailing list
> > Standards-JIG at jabber.org
> > http://mailman.jabber.org/listinfo/standards-jig
> >
> 
> 
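
As an added example (not part of the original thread and not code from any conferencing component), this Python sketch implements the check David Sutton describes, with the four handling options Richard Dobson lists selectable through a `policy` argument. The function name, the policy names and the sample JIDs are assumptions; the JIDs are written with `@` rather than the archive's " at ".

```python
import xml.etree.ElementTree as ET

def handle_inbound(stanza_xml, sender_jid, policy="chat"):
    """Decide what a conferencing component does with a stanza from a sender.

    Returns (action, stanza); action is 'unchanged', 'error', 'broadcast',
    'private' or 'discard'. Names and policies are illustrative assumptions.
    """
    msg = ET.fromstring(stanza_xml)
    to = msg.get("to", "")
    room, slash, nick = to.partition("/")
    # The case from the thread: type='groupchat' plus a resource on 'to'.
    directed = msg.tag == "message" and msg.get("type") == "groupchat" and bool(slash)
    if not directed:
        return "unchanged", msg
    if policy == "error":        # option 1: bounce with a 400 error
        err = ET.Element("message", {"from": to, "to": sender_jid, "type": "error"})
        if msg.get("id"):        # echo the id so the sender can correlate it
            err.set("id", msg.get("id"))
        err.extend(list(msg))    # return the original payload
        ET.SubElement(err, "error", {"code": "400"}).text = "Bad request"
        return "error", err
    if policy == "broadcast":    # option 2: treat as a message to the room
        msg.set("to", room)
        return "broadcast", msg
    if policy == "chat":         # option 3: deliver privately as type 'chat'
        msg.set("type", "chat")
        return "private", msg
    if policy == "discard":      # option 4: drop silently
        return "discard", None
    raise ValueError("unknown policy: " + policy)

# Constructed sample stanza, modelled on the one quoted in the thread.
SAMPLE = ("<message to='jdev@conference.jabber.org/receiver' "
          "type='groupchat'><body>test</body></message>")
SENDER = "sender@jabber.org/resource"   # constructed sender JID

if __name__ == "__main__":
    for p in ("error", "broadcast", "chat", "discard"):
        action, out = handle_inbound(SAMPLE, SENDER, p)
        print(p, "->", action, ET.tostring(out, encoding="unicode") if out is not None else "")
```

Whichever policy is chosen, the stanza never reaches the recipient as a `groupchat` message that looks like room traffic, which is the confusion the thread is concerned with.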



