On Mon, Oct 5, 2009 at 3:54 PM, Brian May <[email protected]> wrote:
>
> On Sun, Oct 04, 2009 at 03:16:05PM +0200, Rémy Sanchez wrote:
>> Unlike SMTP, Wave requires an authentication of the users. For that reason, I
>
> I am not really sure what the security measures are for federated sessions.
>
> e.g. could I connect to wave.google.com as a federated session and pretend to
> be coming from wave.microsoft.com?
> I suspect the answer might be either "no" or "it's more difficult than with
> SMTP" however I am not sure of the details.

It is not possible for one wave server to spoof another wave server. So, as long as the wave server implementation properly validates the author of deltas, impersonation will not be possible.

>> think that you can easily ban spammers from wave servers.
>
> Hmm. Unlikely I think, they can just keep coming back with different accounts.

This is similar to the problem ISPs have now. If Google notices a larger amount of spam content coming from bulletproof.com, they will likely just blacklist the whole domain. If I'm running mylittlewaveserver.com and I get spam from [email protected] I can just report the spammer to Google and they'll deal with it.

> A potential problem with Wave, at the moment, is that users could be tricked
> into thinking that a spammer is their friend if the spammer sets their user
> name and icon to match. A difficult problem, I can't think of a good solution
> here.

This is currently a problem since the contributors of blips are self-reported (see the model: http://www.waveprotocol.org/draft-protocol-specs/wave-conversation-model). A secure wave client will need to extract the actual participant IDs from the wave deltas, then, for each blip, report all participants with deltas against that blip.

The federation protocol is designed such that domain forgery is, for all practical purposes, impossible. An evil wave server could still allow users to forge each other, but this would be limited to users of that evil domain. An evil server would not be able to forge content due to content signing and signature verification.
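The client-side check described in the reply above (take the participant IDs from the deltas, then report per blip everyone with a delta against it), as an added example that is not part of the original message or of any Wave implementation. The `Delta` and `Blip` shapes and their field names are simplified, hypothetical stand-ins rather than the protocol's wire format, the deltas are assumed to have already passed signature verification, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


# Hypothetical, simplified shapes (not the Wave wire format).
@dataclass(frozen=True)
class Delta:
    author: str        # participant ID validated for this delta
    blip_ids: tuple    # blips touched by this delta's operations


@dataclass(frozen=True)
class Blip:
    blip_id: str
    contributors: tuple  # self-reported contributor list stored in the blip


def verified_authors(deltas):
    """Map each blip ID to the set of delta authors that modified it."""
    authors = defaultdict(set)
    for delta in deltas:
        for blip_id in delta.blip_ids:
            authors[blip_id].add(delta.author)
    return dict(authors)


def audit_blips(blips, deltas):
    """Build per-blip display data from delta authors and flag
    self-reported contributors that have no delta against the blip."""
    by_blip = verified_authors(deltas)
    report = {}
    for blip in blips:
        actual = by_blip.get(blip.blip_id, set())
        claimed = set(blip.contributors)
        report[blip.blip_id] = {
            "show": sorted(actual),                       # what the UI displays
            "unverified_claims": sorted(claimed - actual),
            "unlisted_authors": sorted(actual - claimed),
        }
    return report


# Constructed sample data.
DELTAS = [
    Delta("alice@example.com", ("b+1",)),
    Delta("mallory@evil.example", ("b+2",)),
    Delta("bob@example.com", ("b+1", "b+3")),
]
BLIPS = [
    Blip("b+1", ("alice@example.com", "bob@example.com")),
    Blip("b+2", ("alice@example.com",)),  # claims alice, written by mallory
    Blip("b+3", ("bob@example.com",)),
]

if __name__ == "__main__":
    for blip_id, info in audit_blips(BLIPS, DELTAS).items():
        print(blip_id, info)
```

For blip `b+2` the client would display `mallory@evil.example`, the delta author, and treat the self-reported `alice@example.com` as an unverified claim.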
