[Standards] pubsub whitelists
stpeter at stpeter.im
Thu Aug 23 16:13:28 UTC 2007
Fabio Forno wrote:
> Peter Saint-Andre wrote:
>> Peter Millard originally thought of a pubsub whitelist as the list of
>> entities that are subscribed to a node. However, as Joe Hildebrand and
>> Matt Yacobucci just pointed out to me, that introduces a security hole
>> quite similar to <presence type='subscribed'/> -- that is, the node
>> owner can now add you to the subscriber list without your permission
>> (introducing all sorts of wonderful spam possibilities). Joe and Matt
>> pointed out that the whitelist is more properly a list of entities that
>> are allowed to subscribe (or retrieve items) if they want to, not as the
>> list of subscribers. This could be managed via node configuration (e.g.,
>> a "pubsub#whitelist" node configuration option of type jid-multi). It
>> seems important to fix this before we publish version 1.10 of XEP-0060
>> so I will work on that here soon.
> Not sure about the real danger of this issue. If entity A wants to spam
> entity B, entity A can directly send a message to B, so why pass through
> pubsub? The only reason I can imagine is that B has already blocked A and
> A is finding a new way to reach B, but if A is abusing the pubsub
> service it can be easily banned.
There are always rogue publishers (or pubsub services) with one node for
viagra spam, another node for cialis spam, etc. :)
> Instead eliminating this option implies that it becomes impossible to
> centrally manage the list of subscribers forcing clients to do this (in
> the near future I see many clients able of handling the pubsub <event/>
> but not all the browse/subscribe stuff).
The owner can already manage subscriptions:
What Joe and Matt pointed out is that the whitelist is a list of people
who are *allowed* to subscribe (or retrieve items), not a list of people
who *are* subscribed.
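As an added illustration (not code from this thread or from XEP-0060), the following toy Python model shows the distinction Peter draws: the owner can put a JID on the whitelist, but a subscription exists only when that entity itself asks and is permitted. It assumes the field name pubsub#whitelist from the message, matches on bare JIDs, and uses a constructed node-configuration data form.

```python
# Added example (not from the thread or the XEP): whitelist as "allowed to
# subscribe", never as "is subscribed". Sample config form is constructed.
import xml.etree.ElementTree as ET

NS_DATA = "jabber:x:data"

# Constructed owner-side node configuration form (data-form syntax).
NODE_CONFIG = """
<x xmlns='jabber:x:data' type='submit'>
  <field var='FORM_TYPE' type='hidden'>
    <value>http://jabber.org/protocol/pubsub#node_config</value>
  </field>
  <field var='pubsub#whitelist' type='jid-multi'>
    <value>alice@example.org</value>
    <value>bob@example.org/laptop</value>
  </field>
</x>
"""

def bare_jid(jid):
    """Strip the resource and case-fold: permission is per account, not per session."""
    return jid.split("/", 1)[0].lower()

def parse_whitelist(form_xml):
    """Collect the bare JIDs listed in the pubsub#whitelist field (assumed name)."""
    root = ET.fromstring(form_xml)
    allowed = set()
    for field in root.findall(f"{{{NS_DATA}}}field"):
        if field.get("var") == "pubsub#whitelist":
            values = field.findall(f"{{{NS_DATA}}}value")
            allowed.update(bare_jid(v.text) for v in values if v.text)
    return allowed

class WhitelistNode:
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)   # who MAY subscribe
        self.subscribers = set()          # who HAS subscribed (self-initiated only)

    def owner_allow(self, jid):
        # Owner grants permission only; no subscription (and so no unsolicited
        # <event/> traffic) is created on the entity's behalf.
        self.whitelist.add(bare_jid(jid))

    def subscribe(self, requester):
        # Only the requesting entity can create its own subscription, and only
        # if the owner has whitelisted it. Return values are simplified.
        if bare_jid(requester) not in self.whitelist:
            return "not-allowed"
        self.subscribers.add(bare_jid(requester))
        return "subscribed"
```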