This thread is for technical discussion only; for your personal opinion about this topic, please use the thread "Mojang chat report".
The purpose of this thread is to share knowledge, prevent abuse of the system and maybe improve it.
My knowledge at this point about the system is: Every player message received by the server (ServerboundChatPacket) contains a timeStamp and a saltSignature. These fields are passed to all receiving players via the ClientboundPlayerChatPacket. That means the client is creating the saltSignature.
Explanation of acronyms:
• Sender: The client who sent the message
• Reporter: The client who reported the message from the sender
• Game server: The game server both clients are online on
• Auth server: The authentication server of Mojang, used for identification (and probably reporting)
I have a few questions in terms of verification of the report:
1. What exactly is the saltSignature? Is it a hash, the encrypted message, an id or what else?
2. Is the saltSignature or raw message of sent messages simultaneously sent to the Mojang auth server?
3. If 2 is true, who sends this information to the auth server? The sender, the game server or both?
4. If 2 is false, how is it ensured that the reporter doesn't report self-created fake signatures of the sender?
5. What happens if the server or client manipulates the saltSignature?