
[JDEV] Security (was: anonymous users)



On Tue, Jan 12, 1999 at 10:09:37AM -0600, Jeremie Miller wrote:
> My take on this is, it's going to happen.  No matter what you do to
> prevent it, unless you use some sort of encryption/public key system,
> there will always be a way to crack it and send anonymous messages or fake
> other users.  So if it's going to happen anyway, let's just build that part
> in so they don't _have_ to crack it :)  Make anonymous users a "feature"
> and not a hole... say anyone browsing a web site can use an HTML form and
> send messages to the sites owner via Jabber, these would be "anonymous"
> and it would be a feature.

Anonymous users are a good idea, as long as they are identified as such,
but deciding that we don't need any security apart from client-client
and a simple textual password is a rather limited vision I think.
The framework for building a secure system must be there, even if
many transports are not secure.

For example, we could assign transport security levels, ranging from
fully authenticated and encrypted, through encrypted authentication
but plaintext transmitted, to plaintext authenticated, and
finally unauthenticated.
A server should alter the security level of a message based on the
authentication level and its trust of the transmitting client or server.

This gives the receiver some control over who they receive messages
from, together with some information on how trustworthy a message is.

At the very least I want to make it very hard for people to pretend
to be me without having to go the public/private key path. This
includes faking presence.

> [Deleted section on client-client security]

client-client encryption is a good thing - it prevents those nasty
jabber admin people from peeking at conversations.
 
> otherwise, making Jabber, the server and protocol, secure in any way w/o
> that encryption is essentially impossible or will be very limiting in the
> functionality and adaptability of the system.

> What is also good to keep in mind, is that Jabber is designed to connect
> to other systems, and for the most part, there will be no feasible way to
> guarantee the security of messages incoming from those other systems.

These systems can be identified as insecure. Something like SMTP's
Apparently-From: (which works!).

> Dylan Adams wrote:
> > Am I the only one who thinks anonymous users aren't a good idea?
> > 
> > Anonymous users make it too easy to do evil things. Flooding, spamming, 
> > bombing. Just about every bad 'ing in the book.

This is a good point.  I have a system which progressively gives a user
worse performance if they abuse the system. A good principle is to have
a user's performance behave twice as badly as if everybody was doing the
same as they were. I do this by introducing artificial delays to responses
once their "load average" reaches a certain level.

Anonymous users make doing this tricky, since you can't necessarily identify
if it's an individual abusing the system or a group doing normal stuff,
but I'm sure you could find a reasonable solution. [Maybe just - if you
use a real client it will be much faster ;]

Tim
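The transport security levels and the server-side downgrade described in the message above, as an added worked example that is not part of the original post or of any Jabber code. The level names, the `Link`/`Message`/`ReceiverPolicy` types, the `trust_cap` field and the "apparently-from" label (modelled on SMTP's Apparently-From:) are all assumptions made for illustration. The effective level of a message is the minimum of what the sender claims, how strongly the sending party authenticated to this server, and how far this server trusts that party; the receiver then applies its own minimum per message kind, so a faked presence arriving over an unauthenticated link is dropped.

```python
from dataclasses import dataclass, field
from enum import IntEnum


# Transport security levels from the message, lowest to highest (assumed names).
class Level(IntEnum):
    UNAUTHENTICATED = 0
    PLAINTEXT_AUTH = 1      # plaintext password, plaintext message
    ENCRYPTED_AUTH = 2      # authentication protected, message body still plaintext
    FULLY_SECURE = 3        # authenticated and encrypted


@dataclass
class Link:
    """How the sending client or server reached this server (hypothetical type)."""
    peer: str               # e.g. "client:tim@example.org" or "server:gateway.example"
    auth_level: Level       # how strongly the peer authenticated to us
    trust_cap: Level        # the most this server is willing to believe from this peer


@dataclass
class Message:
    sender: str             # the user the message or presence claims to come from
    kind: str               # "message" or "presence"
    level: Level            # security level as claimed by the sending party
    labels: list = field(default_factory=list)


def classify(msg, link):
    """Return a copy of msg with its level lowered to what the link actually supports.

    The effective level can never exceed the peer's authentication level or our
    trust in the peer, so a claim of FULLY_SECURE over a password-authenticated
    link becomes PLAINTEXT_AUTH, and anything over an unauthenticated link is
    marked the way SMTP marks mail with Apparently-From:.
    """
    effective = min(msg.level, link.auth_level, link.trust_cap)
    labels = list(msg.labels)
    if effective < msg.level:
        labels.append("downgraded")
    if effective == Level.UNAUTHENTICATED:
        labels.append("apparently-from")
    return Message(msg.sender, msg.kind, effective, labels)


@dataclass
class ReceiverPolicy:
    """Per-recipient minimum levels (assumed policy shape)."""
    min_message_level: Level = Level.UNAUTHENTICATED   # receive from anyone, but labelled
    min_presence_level: Level = Level.PLAINTEXT_AUTH   # presence must at least be from a logged-in user


def deliver(msg, policy):
    """Decide whether a classified message reaches the recipient; returns (accepted, reason)."""
    need = policy.min_presence_level if msg.kind == "presence" else policy.min_message_level
    if msg.level < need:
        return False, f"{msg.kind} from {msg.sender} at {msg.level.name} below required {need.name}"
    return True, f"{msg.kind} from {msg.sender} accepted at {msg.level.name} {msg.labels}"


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real server.
    policy = ReceiverPolicy()
    own_client = Link("client:tim@example.org", Level.PLAINTEXT_AUTH, Level.FULLY_SECURE)
    foreign_gateway = Link("server:gateway.example", Level.UNAUTHENTICATED, Level.PLAINTEXT_AUTH)

    print(deliver(classify(Message("tim", "presence", Level.FULLY_SECURE), own_client), policy))
    print(deliver(classify(Message("tim", "presence", Level.FULLY_SECURE), foreign_gateway), policy))
    print(deliver(classify(Message("someone", "message", Level.PLAINTEXT_AUTH), foreign_gateway), policy))
```

The key property is that the sender's own claim is never trusted on its own: the server clamps it to the weakest of the three inputs before the recipient's policy sees it, which is what stops a foreign system from asserting presence on behalf of a local user.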
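The progressive slowdown described near the end of the message (delay a sender once their "load average" passes a threshold, so that they fare twice as badly as if everybody behaved as they do), as an added example that is not code from the original post. The class name, the sliding-window rate estimate standing in for a load average, the M/M/1-style response-time model and all the numeric defaults are assumptions chosen for illustration; the point is the shape of the policy, not the constants.

```python
from collections import defaultdict, deque


class AbuseThrottle:
    """Per-sender throttle (hypothetical design).

    A sender's artificial delay is twice the response time the whole server
    would show if every user sent at that sender's current rate, minus the
    idle-server response time they would get anyway.  Below a fair share of
    capacity nobody is slowed at all.
    """

    def __init__(self, capacity_per_sec, user_count, window=10.0,
                 base_service=0.005, fair_share=0.5, max_delay=5.0):
        self.capacity = float(capacity_per_sec)  # messages/second the server can handle
        self.users = user_count                  # how many senders would copy this behaviour
        self.window = window                     # seconds of history in the "load average"
        self.base = base_service                 # response time of an idle server, seconds
        self.fair_share = fair_share             # utilisation below which no delay is added
        self.max_delay = max_delay               # cap so the model never returns infinity
        self.events = defaultdict(deque)         # sender key -> timestamps in window

    def rate(self, sender, now):
        """Messages per second from this sender over the trailing window."""
        q = self.events[sender]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) / self.window

    def _response_time(self, utilisation):
        # Simple queueing model: response time grows as 1/(1-u) and saturates at u >= 1.
        if utilisation >= 1.0:
            return self.max_delay
        return min(self.max_delay, self.base / (1.0 - utilisation))

    def delay_for(self, sender, now):
        """Record one message from sender at time `now` and return the delay to impose."""
        self.events[sender].append(now)
        hypothetical_u = self.rate(sender, now) * self.users / self.capacity
        if hypothetical_u <= self.fair_share:
            return 0.0
        penalty = 2.0 * self._response_time(hypothetical_u) - self.base
        return min(self.max_delay, max(0.0, penalty))


def flood(throttle, sender, count, start=0.0, interval=0.1):
    """Send `count` messages at a fixed interval and return the delay assigned to each."""
    return [throttle.delay_for(sender, start + i * interval) for i in range(count)]


if __name__ == "__main__":
    # Constructed traffic: one polite sender and one flooder.
    t = AbuseThrottle(capacity_per_sec=1000, user_count=100)
    print("polite:", t.delay_for("alice", 0.0))
    print("flooder:", flood(t, "bob", 100)[-1])
```

The sender key is where the anonymous-user problem from the message bites: authenticated users can be keyed by account, while anonymous web-form senders can only be keyed by something coarse such as the source address, so a group behind one address is slowed together. That is the trade-off the message hints at with "if you use a real client it will be much faster".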