
Re: [JDEV] anonymous users



My take on this is, it's going to happen.  No matter what you do to
prevent it, unless you use some sort of encryption/public key system,
there will always be a way to crack it and send anonymous messages or fake
other users.  So if it's going to happen anyway, let's just build that part
in so they don't _have_ to crack it :)  Make anonymous users a "feature"
and not a hole... say anyone browsing a web site can use an HTML form and
send messages to the site's owner via Jabber, these would be "anonymous"
and it would be a feature.

What I'd like to see is something set up as discussed earlier, a PGP type
of system built into the clients to either encrypt messages or simply
provide fingerprints to prove it was really the sender.  This is a very
email-like way to go, if you want security, use a secure client...
otherwise, making Jabber, the server and protocol, secure in any way w/o
that encryption is essentially impossible or will be very limiting in the
functionality and adaptability of the system.

What is also good to keep in mind, is that Jabber is designed to connect
to other systems, and for the most part, there will be no feasible way to
guarantee the security of messages incoming from those other systems.

Also, it would probably be in a client's best interest to highlight or warn
about anonymous messages.

Jer

On Tue, 12 Jan 1999, Dylan Adams wrote:

> From Client Guidelines:
> > - socket connection to server on port 5222
> >          - send message
> >          - receive message
> >
> >         The client does nothing other than connect and send a message. The server will create an
> >         anonymous user (anonymous@server.com) with the nickname of the IP address the client is
> >         running on. If someone receives the message, a reply specifically to the same id and nickname will
> >         be delivered back to the client.
> >
> >         If the client first sends a login packet that only contains the nickname tags then that nickname will
> >         be used instead, but it will still be an anonymous connection.
>
> Am I the only one who thinks anonymous users aren't a good idea?
> 
> Anonymous users make it too easy to do evil things. Flooding, spamming, 
> bombing. Just about every bad 'ing in the book.
> 
> Dylan Adams
>
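
The client-side signature check and anonymous-message warning proposed in the reply above, as an added example that is not part of the original thread or of any Jabber code. It uses Ed25519 from the Go standard library in place of PGP; the `Message` type, the label strings and the addresses are assumptions made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Message is a hypothetical chat message; Sig is empty for anonymous senders.
type Message struct {
	From, To, Body string
	Sig            []byte
}

// signedBytes quotes each field so field boundaries cannot be shifted.
func signedBytes(m Message) []byte {
	return []byte(fmt.Sprintf("%q|%q|%q", m.From, m.To, m.Body))
}

// Classify labels a message before display; keys holds the public keys the recipient trusts.
func Classify(m Message, keys map[string]ed25519.PublicKey) string {
	if len(m.Sig) == 0 {
		return "anonymous" // deliver, but highlight it to the user
	}
	pub, known := keys[m.From]
	if !known {
		return "unknown-key" // signed, but nothing trusted to check it against
	}
	if ed25519.Verify(pub, signedBytes(m), m.Sig) {
		return "verified"
	}
	return "forged" // signature does not match the claimed sender and content
}

// Demo classifies a signed, an unsigned and a tampered message (all constructed).
func Demo() [3]string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"alice@example.org": pub}
	good := Message{From: "alice@example.org", To: "bob@example.org", Body: "hi"}
	good.Sig = ed25519.Sign(priv, signedBytes(good))
	anon := Message{From: "anonymous@example.org", To: "bob@example.org", Body: "hi"}
	spoof := good
	spoof.Body = "changed text"
	return [3]string{Classify(good, keys), Classify(anon, keys), Classify(spoof, keys)}
}

func main() { fmt.Println(Demo()) }
```

Because the check runs in the receiving client, it holds even when the message arrived through a server or gateway that cannot vouch for the sender.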