R: R: R: [jdev] about spim techniques
Tijl Houtbeckers
thoutbeckers at splendo.com
Sat Aug 27 17:31:18 CDT 2005
On Sat, 27 Aug 2005 23:01:15 +0200, Sander Devrieze
<s.devrieze at pandora.be> wrote:
Hi Sander, I admit to not reading carefully enough that what you were
saying was actually in the context of the ideas you were suggesting.

> On Saturday 27 August 2005 21:13, Tijl Houtbeckers wrote:
>
> What I am saying is that we also need a new component especially to
> protect against spim. Dialback solves spoofing, something else (what
> also can help against spimmers). So before an incoming connection is
> allowed by a server:
> * Dialback should be used to verify the domain.
> * It should be verified (read also my other mails in this thread) that
>   the server has a good certificate issued by a non-blocked authority.

Well, so what you are suggesting is a "whitelist" of certificate issuers
(similar to the root CAs). What would be the criteria for a "jabber CA"
to be on the whitelist? Will it be their responsibility to combat the spim
or will that be the responsibility of those they issue it to?

If you choose the first, what will happen if a CA gets blacklisted? All
their certificates become invalid? (In other words it becomes pretty
pointless, it's just moving the problem up one level.)

If you go for the second, why not use existing certificates rather than
introducing a new top level? Existing ones cost money (verisign, etc.)
and/or effort (CAcert). You can even self sign and have others accept it
(that's effort too).

The point is, if you're just gonna introduce accountability there is no
point as long as our XMPP network itself has such low standards of
anti-spim measures and spim-related technology (e.g. spim detection: I
seriously doubt any automated spam detection will work very well on spim).
What Google does is accountability at the user level (for Google Talk). And
in the case of email, they use technology (spam filtering). That doesn't
mean we can't do the same for Jabber *servers*, however in practice I think
that will lead to a "federation" model where handpicked servers are
whitelisted, either at the individual level or in some organization. Not a
truly open model.

So how could we make a truly open model? One possibility (as seen on this
list) are the developing trust relationships, and "sharing" these in a
FOAF-like manner, or more effective spam fighting (cross-server
blacklisting for example, like often done with email).

A less touched approach is taking the accountability to the user level, in
a cross-server fashion. I wouldn't like having to have an "account" of
some sort (or another form of proving I'm a human and that I will behave
on their server) on every server that I would have a friend on so I can do
S2S, but it's better than no open model at all. And there's plenty of
things we could do to make this a little easier (e.g. if I have a mutual
subscription request pending with a person on the other server, it could
automatically whitelist me at least for that person (and it could be seen
as a larger sign of trust perhaps)). Or a mechanism for seeing if there is
already a trust relationship between me and the user I want to talk to,
completely transparent to the users (so spimmers can't abuse it). And of
course servers can still "federate" if they want, and maybe if one server
in a "federation" trusts me (as user) all the others can too.

In short, I think introducing accountability for servers (by certificates
or another method) is overrated as a solution for combatting spim (or
spam). All it does is take the problem one level up (to servers) from
where it really comes (users), which seems fine till the spimmers come in
and suddenly a whole server gets blacklisted (and you see the problem also
propagates to the next level). Same when you take it yet another level
higher (whitelisting CAs).

The only real solution for a truly open network, where in reality you'll
have "good" servers and "bad" servers (signed or not!) is combatting spim
itself, by making sure it doesn't get sent, and that when it does the user
doesn't see it. There's nothing wrong with letting the servers take part
of the work in doing that (that's the Jabber way after all) but since the
problem is at the user level ultimately I think part of it will have to be
solved there. If you do it right "well behaving" users on decent secure
"trusted" servers will have little hassle, and servers/users with a worse
or more unknown reputation would have to go through more trouble. If you
start excluding them, how can you still call it an open network?