<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2654.45"> <TITLE>RE: [JDEV] Re: OOB filetransfer negotiation</TITLE> </HEAD> <BODY> The jabber:iq:oob packets can be used along with the mini-HTTP server to ensure that only the intended person downloads the file, even if someone is sniffing the Jabber messages. Here is the sequence of events that we use when client A wants to send client B a file.  1. Client A starts up its mini-web server, generates a unique URI for that file and sends a jabber:iq:oob packet through the Jabber server, with the URL for that file. 2. Client B reads the jabber:iq:oob packet and tries to connect to that URL. 3. Client A's HTTP server gets the new connection and request for that URI and sends its HTTP headers back to client B.  After sending the headers, the HTTP server waits for a response to the original iq before sending the file.  It waits to make sure that it is client B that is trying to download that file. 4. Client B reads the HTTP headers and sends a jabber:iq:oob with a type='result' attribute packet back through the jabber server. This tells client A that it has successfully connected and successfully requested the file from the web server. 5. Client A reads the iq result packet from the jabber server and proceeds with sending the file through the HTTP server. 6. Client A shuts down its mini-web server if no more file transfers are pending. If for some reason client B cannot connect to client A's HTTP server, or if client B decides it doesn't want to download the file, then client B sends an error as the response to the iq and A rejects any downloading from that URI. As far as I know, this is the correct way to send files in Jabber and ensure that the files go to the right person. There was a good discussion jabber:iq:oob about it in November, look for the jabber:iq:oob thread. <A HREF="http://mailman.jabber.org/pipermail/jdev/2000-November/thread.html" TARGET="_blank">http://mailman.jabber.org/pipermail/jdev/2000-November/thread.html</A> -Robert > -----Original Message----- > From: Jens Alfke [<A HREF="mailto:jens@mac.com">mailto:jens@mac.com</A>] > Sent: Tuesday, August 14, 2001 9:24 AM > To: jdev@jabber.org > Subject: [JDEV] Re: OOB filetransfer negotiation > > > > On Monday, August 13, 2001, at 05:05 PM, Julie wrote: > > >   From my understanding of the descriptions of the two iq > tags, they > > are used only > > to send the URL to the client.  The client then goes to the URL to > > retrieve the > > file.  Am I right?  Is there anyway to do a direct client-to-client > > file transfer? > > Yes — run a tiny HTTP server on the sending client that can > deliver the > file to the recipient. Then the sender just creates a URL > with its own > IP address as the host. In my client I use a random port > number and also > make up a random 64-bit number to put in the URL before the > name of the > file, just to make it harder for a 3rd party to find the file (unless > they intercept the Jabber message, in which case all bets are > off.) So > the URL I send would look like: >       > <A HREF="http://my.ip.address:randomportnumber/sixteenrandomhexdigits/n" TARGET="_blank">http://my.ip.address:randomportnumber/sixteenrandomhexdigits/n</A> > ameoffile > However, this only works if the receiver can make an HTTP > connection to > the sender, i.e. the sender is not behind a firewall or NAT. > > --Jens > > _______________________________________________ > jdev mailing list > jdev@jabber.org > <A HREF="http://mailman.jabber.org/listinfo/jdev" TARGET="_blank">http://mailman.jabber.org/listinfo/jdev</A> > </BODY> </HTML>