[jdev] spoofing "from" attributes

Fabio Forno fabio.forno at polito.it
Tue Feb 22 05:00:23 CST 2005


Richard Dobson wrote:

> A remote server cannot tell the difference between a component and a 
> client, and I would dispute your statement that it's OK for components to 
> be able to spoof messages, it certainly is not.
>

I was seeing the problem from the admin side: I can trust my components 
but not my clients and therefore the check should be enforced only for 
clients.

>> administrators, and if a spammer runs its own server, he or she could 
>> send any kind of messages...).
> 
> 
> No they can't, even if a spammer controls their own server they cannot 
> spoof messages, it is designed into the protocol to prevent that.

Why? I don't get this. If I write my s2s component sending messages from 
anyuser at myserver, who can block me? AFAIK, from the outside nobody can 
detect that those are fake users.

Getting back to the original problem. Thus if I want to be able to have 
a webservice enabling users to send messages with rpc-like calls, the 
only solution with the present server is to keep a connection open for 
any possible user of this server. Am I right?
(I'd like to avoid authenticating each time a message is sent)

-- 
Fabio Forno, Ph.D. - Research Assistant
Politecnico di Torino - Dip. Automatica e Informatica
C.so Duca degli Abruzzi 24 - 10129 Torino (Italy)
Phone: +39 011 2276 102 - JabberId: sciasbat at jabber.linux.it
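
Added example, not part of the original message or of any server's code: a sketch of the per-stream "from" check the thread is arguing about, showing what a receiving server can verify (the sending domain) and what it cannot (the local part chosen by that domain). All function and parameter names are hypothetical, JID normalisation is approximated with lower-casing, and binding a component to its own domain is an assumed policy.

```python
# Added illustration; names are hypothetical, not taken from any server.

def split_jid(jid):
    """Split 'local@domain/resource' into (local, domain, resource)."""
    bare, _, resource = jid.partition("/")
    local, at, domain = bare.rpartition("@")
    if at and not local:          # "@domain" is not a valid JID
        domain = ""
    # Lower-casing stands in for the real stringprep profiles (assumption).
    return local.lower(), domain.lower(), resource


def from_allowed(stream_kind, authenticated_as, stanza_from):
    """Decide whether a stanza's 'from' is acceptable on this stream.

    stream_kind      -- "client", "component" or "s2s"
    authenticated_as -- identity proven at stream setup: the bound full JID
                        for a client, the domain for a component or a peer
                        server
    """
    local, domain, resource = split_jid(stanza_from)
    if not domain:
        return False
    if stream_kind == "client":
        # A client may only speak as the JID it authenticated and bound.
        a_local, a_domain, a_resource = split_jid(authenticated_as)
        if (local, domain) != (a_local, a_domain):
            return False
        return resource in ("", a_resource)
    if stream_kind in ("component", "s2s"):
        # Only the domain was authenticated. Any local part under it passes,
        # because the receiver has no way to check the peer's user list.
        return domain == authenticated_as.lower()
    return False


if __name__ == "__main__":
    # Constructed sample stanza addresses.
    print(from_allowed("client", "alice@example.org/home", "bob@example.org"))
    print(from_allowed("s2s", "example.org", "anyuser@example.org"))
    print(from_allowed("s2s", "example.org", "alice@example.net"))
```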


