[JDEV] servers specifying from fields

Mathew A Johnston johnston at megaepic.com
Thu Mar 1 18:56:22 CST 2001 

Why not just use standard message signing? That would ensure the identity
of the sender to the receiver, and require no server side support. Is this
not better? Do you think that encapsulating encrypted jabber messages in
other jabber messages is a valid idea? I think that this is required if
extentions are to be able to communicate securely. Read my proposal? :)

Mathew Johnston


On Thu, 1 Mar 2001, David Waite wrote:

> The server will remove any specified 'from' attribute to prevent a user
> falsifying their address,
> any other server will not allow a server to send a falsified 'from' address
> (the purpose of dialback - I believe any from attribute which does not have
> the exact servername will cause the receiving server to close the
> connection).
> 
> I can set up a server and turn off the from replacing logic, and then I can
> spoof any address I want on my own server, which still gives plenty of
> accountability if I'm trying to spam people or anything else malicious
> (evident server DNS name, IP  in server logs)
> 
> -David Waite
> 
> Mathew A Johnston wrote:
> 
> > With regards to my last message:
> >
> > I've been told that the from field on messages is set by the server
> > which the client used to send the message and that this was done to help
> > prevent users from forging from addresses. It is my opinion that this
> > should never be done by the server, as it hardly reduces the chances of
> > forged messages (any user can run their own server). It also greatly
> > complicates the proposal that I just put forward about encrypting whole
> > messages to have them parsed after decryption by the receiving client. If
> > an encrypted <message> tag passes by the server, the server can not add
> > the from attribute, and if the user was not allowed to supply their own
> > from attribute, there wont be a from attribute on the received message.
> > A HACK around this would be for the decrypting client to assume the same
> > from attribute as was attatched to the encapsulating message.
> >
> > If you want to assure the integrety and source of a message, use the
> > message signing facilities provided by the jabber:x:signed namespace.
> >
> > Mathew Johnston
> >
> > _______________________________________________
> > jdev mailing list
> > jdev at jabber.org
> > http://mailman.jabber.org/listinfo/jdev
> 
> 
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
>

More information about the JDev mailing list