[Standards] XEP-0357 Privacy Issues

Chris Ballinger chris at chatsecure.org
Thu Jun 2 20:49:46 UTC 2016


Historically users of XMPP clients did not communicate with external
servers run by the app developer, by having plaintext passed from their own
server to the app developer. Although the 357 specification is great
because it allows arbitrary clients to receive pushes from any supported
server, it does not mention the potential privacy issues
with last-message-sender and last-message-body being sent to the app
developer.

I noticed that mod_push (ejabberd) defaults to not sending these, but
mod_cloud_notify (prosody) currently defaults to true. I think it would be
good to mention in the XEP the potential issues for centralized information
leakage and suggest to default these values to false in server modules.

Ideally I'd want to reject last-message sender and body on my pubsub node
and inform the sending server not to include these, but that would
definitely make things too complicated.
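
Added example, not part of the original message or of any project's code: a sketch of how an app server could drop last-message-sender and last-message-body from an incoming XEP-0357 summary form before storing or forwarding it. By that point the fields have already left the user's server, so this only limits further exposure. The function name strip_message_content and the sample payload are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

PUSH_NS = "urn:xmpp:push:0"
FORM_NS = "jabber:x:data"
SUMMARY_FORM = "urn:xmpp:push:summary"
SENSITIVE_VARS = {"last-message-sender", "last-message-body"}

# Constructed sample payload in the shape of an XEP-0357 notification.
SAMPLE = """
<notification xmlns='urn:xmpp:push:0'>
  <x xmlns='jabber:x:data' type='submit'>
    <field var='FORM_TYPE'><value>urn:xmpp:push:summary</value></field>
    <field var='message-count'><value>1</value></field>
    <field var='last-message-sender'><value>juliet@capulet.example/balcony</value></field>
    <field var='last-message-body'><value>Wherefore art thou, Romeo?</value></field>
  </x>
</notification>
"""

def strip_message_content(notification_xml):
    """Return (sanitized_xml, removed_vars) for one push notification payload.

    Hypothetical helper. The payload comes from remote servers, so a real
    deployment should parse it with a hardened parser such as defusedxml.
    """
    root = ET.fromstring(notification_xml.strip())
    if root.tag != f"{{{PUSH_NS}}}notification":
        raise ValueError("not a urn:xmpp:push:0 notification")
    removed = []
    for form in root.findall(f"{{{FORM_NS}}}x"):
        form_type = form.find(
            f"{{{FORM_NS}}}field[@var='FORM_TYPE']/{{{FORM_NS}}}value")
        if form_type is None or form_type.text != SUMMARY_FORM:
            continue  # only touch the push summary form
        for field in list(form.findall(f"{{{FORM_NS}}}field")):
            if field.get("var") in SENSITIVE_VARS:
                form.remove(field)
                removed.append(field.get("var"))
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    sanitized, removed = strip_message_content(SAMPLE)
    print("removed fields:", removed)
    print(sanitized)
```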