For Solidarity, or any LongChat on Solid, it is really easy to make a fake message, as @aveltens pointed out.
As the folder is open to everyone for writing, @aveltens wrote a message with Tim's webId as dc:creator. So I thought Tim had written the message.
And everyone can make a message with any webId.
This is a real problem: how can we be sure that the message is posted by the right webId?
Can the server allow writing only when the webId is the same as the dc:creator? But I use ldflex-query, which doesn't use batch/transaction, so how could a whole transaction (a group of statements) be blocked if the webId is not the dc:creator?
Yes, the way chat works is naive from the security point of view.
We'd need to check the whole shape, in fact, including the author as being really the user. We could also add automatic stamping with user and timestamp to a shape.
Another way would be for each person to create and edit their own chat.ttl, and merge the messages from all of them, but we would need server functionality to automatically set the ACL for that file up.
(Another whole direction is to request a change log to be kept for the resource. One keeps the log of all the patches sent, including their user, time, possibly IP address, etc. Anything added by a given user would be attributed in the chat to that user.)