[Standards] Secure Attribution of Mediated MUC Invitations

Georg Lukas georg at op-co.de
Tue Jan 24 13:15:18 UTC 2017


Hello,

TL;DR: for implementing Easy Group Chats[0], it would be great to have a
secure way to automatically follow invitations from trusted users. While
MIX does it right, the situation with MUC isn't as nice and clear. To
slightly improve, I would like to mandate MUC mediated invitations to
contain the inviter's full JID.

While studying XEP-0045, I've stumbled upon this gem in the "Mediated
Invitations" section [1]:

| The <room@service> itself MUST then add a 'from' address to the
| <invite/> element whose value is the bare JID, full JID, or occupant JID
| of the inviter [...]

From a security perspective, all three have their shortcomings (which
reflect different trade-offs):

- bare JID / full JID: expose the sender's JID to the receiver, possibly
  violating a (semi)anonymous room's privacy expectations.

- occupant JID: makes it impossible to verify the sender.

As part of Easy Group Chats, a client SHOULD follow an invitation to an
ad-hoc MUC from a trusted sender (i.e. roster member). In the former
case (full/bare JID), the sender's JID is forwarded by the MUC. However,
as the MUC is outside of the user's security domain, a malicious MUC
could fake the 'from' address, setting it to at least the bare JID of a
known contact of the victim, and make a client auto-join an untrusted
MUC.

In the latter case (occupant JID), the invited client has no way to
verify the identity of the inviter, thus being unable to follow the
invitation automatically.

In either case, there is no way for a client to specify which JID to add
into the mediated invitation, and direct invitations (XEP-0249) don't
create the affiliation required in a private MUC.


Are there any real-world use cases (or implementations) that use bare
JID or occupant JID in mediated invitations? If not, I would like to
mandate in XEP-0045 that the full JID has to be used, thus allowing the
invitee to verify the sender (see if they have a presence from the
claimed JID), and to auto-join in a secure fashion.



Georg

[0] https://wiki.xmpp.org/web/Easy_Group_Chats
[1] http://xmpp.org/extensions/xep-0045.html#invite-mediated
-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
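
The check proposed in the message above (auto-join only when the invitation's 'from' is the full JID of a roster contact from which presence has been received), as an added Python example that is not part of the original post or of any client. The function names, JIDs and stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://jabber.org/protocol/muc#user}"  # XEP-0045 muc#user namespace

def split_jid(jid):
    """Return (bare, resource); resource is None for a bare JID.
    Simplification: lowercases the bare part instead of full JID normalization."""
    bare, _, resource = jid.partition("/")
    return bare.lower(), resource or None

def auto_join_decision(stanza_xml, roster, presences):
    """Return (auto_join, reason) for a mediated invitation <message/>.
    roster: bare JIDs of trusted contacts; presences: full JIDs seen online."""
    msg = ET.fromstring(stanza_xml)
    invite = msg.find(f"{NS}x/{NS}invite")
    if invite is None:
        return False, "no mediated invite"
    room_bare, _ = split_jid(msg.get("from", ""))
    bare, resource = split_jid(invite.get("from", ""))
    # The 'from' on <invite/> is written by the MUC, so it is only a claim.
    if bare == room_bare:
        return False, "occupant JID: inviter cannot be verified"
    if bare not in roster:
        return False, "claimed inviter is not a roster contact"
    if resource is None:
        return False, "bare JID: no resource to match against presence"
    if f"{bare}/{resource}" not in presences:
        return False, "no presence received from claimed full JID"
    return True, "full JID of roster contact with matching presence"

def sample_invitation(room, inviter):
    """Constructed mediated invitation as delivered by the room to the invitee."""
    return (f"<message from='{room}' to='bob@example.org'>"
            f"<x xmlns='http://jabber.org/protocol/muc#user'>"
            f"<invite from='{inviter}'/></x></message>")

if __name__ == "__main__":
    roster = {"alice@example.org"}             # constructed roster
    presences = {"alice@example.org/phone"}    # constructed presence state
    room = "room@muc.example.org"
    for inviter in ("alice@example.org/phone",      # full JID, presence known
                    "alice@example.org",            # bare JID
                    "alice@example.org/forged",     # full JID, no such presence
                    "room@muc.example.org/alice",   # occupant JID
                    "mallory@example.net/pc"):      # not in roster
        print(inviter, auto_join_decision(
            sample_invitation(room, inviter), roster, presences))
```

Only the first constructed invitation is followed automatically; the others fall back to whatever manual confirmation the client offers.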