@kennytv
Last active September 7, 2024 18:09
Signed Chat and Chat Types

Signed chat

This gist intends to clear up some of the misinformation surrounding signed chat and the reporting feature Mojang added in Minecraft 1.19.1. Here you can find both technical information and a general explanation of how these work.

Profile keys

After joining a server, clients now send a profile key used for verifying a message's authenticity. The public key comes with an expiry date and a signature from Mojang's session servers, which the server checks before trusting the key, so a client cannot simply generate a key pair and claim it belongs to another account. The key, and thus the whole signing process, is optional, but by default servers enforce secure profiles for clients to send chat messages. Whenever a player with an associated key sends a chat message, the message is signed with their private key, and the server verifies the signature with the public key sent after join. Assuming signature, timestamp, and message contents line up, the message goes through.

On the other end, clients can also require all broadcast player messages to be signed (the "Only Show Secure Chat" option), disregarding the ones without a verified sender signature.

Message signatures

Every signed message's signature covers the sender's UUID (matching the profile key's identity), a randomly generated session UUID, a timestamp (though that cannot be fully verified with untrusted clients/servers), the message content, and a random salt.

A message's signature also covers a message index that the client increments with each message. Since the index is verified by both the server and other clients, messages cannot be reordered or left out without it being apparent that something happened between two messages (although you cannot determine when, to whom, or whether it was commands and/or messages in between).

Another important part of the signature is the list of last seen messages. The signatures of the last 20 messages the client has seen are cached and packed into its chat messages and their signature. This is used to verify, up to a certain point, that a report's context is faithful: that no messages of other players have been omitted and that no messages have been added to the context after the fact either.
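As an added example that is not part of this gist (nor Mojang's or Paper's code), the following Go program models the three mechanisms above: it builds the signed payload from the listed fields (sender UUID, session UUID, index, salt, timestamp, content, last seen signatures), signs it with an RSA profile key using SHA256withRSA, and then runs the receiver-side chain check. The byte layout follows the vanilla 1.19.3 client as far as I know it, but the gist does not specify it, so treat that ordering as an assumption to be checked against the decompiled client; the UUIDs, timestamps and message texts are constructed, and the key pair is generated locally here whereas real profile keys are issued (and countersigned) by Mojang's services.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

type UUID [16]byte    // written big-endian, as on the wire
type Signature []byte // raw RSA signature bytes

// SignedMessage carries the fields the gist lists as covered by the signature.
type SignedMessage struct {
	Sender    UUID        // profile UUID, must match the profile key's owner
	Session   UUID        // random per-session id
	Index     int32       // per-session counter the client increments
	Salt      int64       // random salt
	Timestamp int64       // epoch seconds (not independently verifiable)
	Content   string      // plain message text
	LastSeen  []Signature // signatures of the last messages this client saw
	Signature Signature
}

// signedPayload serialises version, link (sender, session, index) and body
// (salt, timestamp, content, last seen) in the order I believe the 1.19.3
// client uses. ASSUMPTION: the gist does not spell this layout out.
func signedPayload(m *SignedMessage) []byte {
	fields := []interface{}{int32(1), m.Sender, m.Session, m.Index, // version, link
		m.Salt, m.Timestamp, int32(len(m.Content)), []byte(m.Content), // body
		int32(len(m.LastSeen))}
	for _, s := range m.LastSeen {
		fields = append(fields, []byte(s))
	}
	var buf bytes.Buffer
	for _, f := range fields {
		_ = binary.Write(&buf, binary.BigEndian, f) // fixed-size values into a Buffer: cannot fail
	}
	return buf.Bytes()
}

// Sign and Verify use SHA256withRSA (PKCS#1 v1.5), as the client's profile keys do.
func Sign(key *rsa.PrivateKey, m *SignedMessage) (err error) {
	digest := sha256.Sum256(signedPayload(m))
	m.Signature, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return err
}

func Verify(pub *rsa.PublicKey, m *SignedMessage) bool {
	digest := sha256.Sum256(signedPayload(m))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature) == nil
}

// chain is the receiver-side check: per session the index must strictly increase.
// A gap is allowed (something happened in between), a replay or re-order is rejected.
type chain map[UUID]int32

func (c chain) Accept(pub *rsa.PublicKey, m *SignedMessage) error {
	if !Verify(pub, m) {
		return fmt.Errorf("invalid signature")
	}
	if last, seen := c[m.Session]; seen && m.Index <= last {
		return fmt.Errorf("chain broken: index %d after %d", m.Index, last)
	}
	c[m.Session] = m.Index
	return nil
}

// Demo signs a two-message chain with a locally generated key (real profile keys
// are issued by Mojang's services) and reports whether each check behaved as expected.
func Demo() (map[string]bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s, sess := UUID{0x01}, UUID{0x02} // constructed ids
	first := &SignedMessage{Sender: s, Session: sess, Index: 0, Salt: 42,
		Timestamp: 1700000000, Content: "anyone up for a game?"}
	second := &SignedMessage{Sender: s, Session: sess, Index: 1, Salt: 43, Timestamp: 1700000005, Content: "yes"}
	if err = Sign(key, first); err != nil {
		return nil, err
	}
	second.LastSeen = []Signature{first.Signature} // the reply cites what it saw
	if err = Sign(key, second); err != nil {
		return nil, err
	}
	pub, c, res := &key.PublicKey, chain{}, map[string]bool{}
	res["first accepted"] = c.Accept(pub, first) == nil
	res["second accepted"] = c.Accept(pub, second) == nil
	res["replay rejected"] = c.Accept(pub, first) != nil
	edited, ctx, reordered := *second, *second, *second
	edited.Content = "I hate them" // change what was said
	ctx.LastSeen = nil             // pretend nothing was seen before the reply
	reordered.Index = 0            // move the reply earlier in the chain
	res["edited content rejected"] = !Verify(pub, &edited)
	res["edited context rejected"] = !Verify(pub, &ctx)
	res["reindexed rejected"] = !Verify(pub, &reordered)
	return res, nil
}
```

Demo() returns six scenario results, all of which come back true: the two genuine messages pass, the replayed first message is caught by the index check rather than the signature, and changing the content, the last-seen list or the index each invalidates the signature. The timestamp is only carried along, not checked, which is the gist's point about untrusted clocks; the Mojang countersignature and expiry on the profile key are not modelled.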

Hiding or retroactively removing messages

With signed messages, Mojang finally introduced a packet servers can use to retroactively remove messages that have already been sent out. So if you want to clear chat or remove individual messages without having to spam empty messages that only push up the previous ones, you can now properly remove them using ClientboundDeleteChatPacket; the only requirement is that the message to be removed is a properly signed player message. Since 1.19.3, messages are displayed for at least 3 seconds before being removed, and a removal still leaves a stub behind (saying that a chat message has been removed where the message previously was).

Since 1.19.3, you can freely cancel signed chat messages or send them to a limited number of players without breaking the chat chain. Clients instead use the signed index to make sure messages are sent and included incrementally.

Modifying chat messages through chat previews

... You don't anymore; chat previews were removed entirely in 1.19.3. With this change, modified messages look a lot less scary (as opposed to unsigned messages), and you can still see the original message's content.

Signed command arguments

Since commands such as /say, as well as custom commands that broadcast messages or send them to a certain group of people, also result in "player messages" that you would want verified, message arguments in commands (the minecraft:message argument type) are also signed by the client. With that signature, you can then distribute the message yourself and still have it show up as a signed player message.

In the wild, you can see this being used in Vanilla's say, me, msg, teammsg, ban, ban-ip, and kick commands.

Signed/unsigned player chat and system chat

There are now two different kinds of chat messages: player chat and system chat. Player chat is accompanied by the message signature; system chat has no special format or signature attached.

You can optionally attach an unsigned component to any player chat message, which gives the message a light gray indicator on the left, with a hover over the message revealing the original message's content. If only the styling changed and the actual plain text is still the same, the message appears without the indicator.

You can also apply filter masks to messages without making them appear as unsigned messages, where bad words are replaced with a string of # characters.

If you go as far as sending a player chat message with an invalid signature, it will look like this: (screenshot: invalid signature)

System chat messages also have a gray indicator.

Custom formats using chat types

While the message content always has to be what the sending player signed, the player's display name, team name, and the surrounding format can be freely defined by the server.

One of the default chat types looks like this when serialized:

```json
{
   "name": "minecraft:team_msg_command",
   "id": 3,
   "element": {
      "chat": {
         "translation_key": "chat.type.team.text",
         "parameters": [
            "team_name",
            "sender",
            "content"
         ]
      },
      "narration": {
         "translation_key": "chat.type.text.narrate",
         "parameters": [
            "sender",
            "content"
         ]
      }
   }
}
```

The decoration format for the chat display here resolves to %s <%s> %s, filled with the three parameters team_name, sender, and content. Even though the decoration element only takes a translation key, you can simply enter a plain string as the key and it will be displayed as-is; you can try this out with the following command: /tellraw @s {"translate":"Hello [%s]", "with":["world"]}

Chat type formats can easily be customised, e.g. by turning the translatable into plain text like 🚩 Broadcast by %s: %s 🚩 and only taking the sender and content parameters, to give just one example. In addition to the text display, you can also define the message to be narrated (also using a different number of arguments and a different surrounding format) and/or displayed in the action bar as "game info". In the style field you can apply custom formatting (color, font, italics, hover/click events, etc.) to the entire message, or until the sender or content component changes the format again.

Custom chat types can be added using datapacks or by modifying the chat_type registry in the server (which modded servers such as Paper will need to add API for in the future). Custom chat types will then be sent to each player once when they join. With this, you can in theory also send the same message using different formats to different players, only the actual content is always fixed as part of the signed message.

You can find a full list of the Vanilla chat types here.

FAQ (Frequently Asked Questions)

Before we part ways again, here are answers to some of the more common questions. Mojang's FAQ has been updated to answer more of the pressing questions, so it's definitely worth taking a look at.

Can Microsoft/Mojang see all of my messages?

No, only reported messages are sent away for processing.

What about the currently known exploits?

Mostly non-issues: guardian always leaves a trace when you're reported, gaslightv2 usually leaves a trace or just becomes silly when you report someone else, and gaslightv3 falls into the same category, where "yes" or "I hate them" are nothing that will reasonably be acted upon (also see below for more info). Basically, this Tweet.

Additionally, since 1.19.3, messages can only be removed 3 seconds after first appearing, and will leave a stub instead of fully removing the line.

Am I going to be banned for joking with my friends or writing in all caps?

No, Mojang have made clear they only intend to hunt down the worst of the worst (suicide threats, racial slurs, doxing, etc.). All reports will be handled in human review (aside from them most likely pre-filtering malicious reports before the final decision is made). See here for a detailed list of punishment reasons. You can still dick around with your friends.

What if someone spam reports me?

Then they get temporarily or permanently banned; the number of reports does not matter.

Can't someone impersonate me and get me banned?

No, they need the private key only you and Mojang have to sign messages as coming from your account. You cannot be impersonated unless you download a stupidly malicious client/mod, and even then you can still appeal.

What if my messages are taken out of context?

Reports require, and automatically send, a handful of messages around the selected ones as context. You cannot omit or add messages from/to reports without making it look fishy. No examples have yet been given of messing with context in a way that would realistically get you banned, even temporarily.

Bedrock's text filtering is horrible, is that also going to come to Java?

That's simply not going to happen considering how different the underlying tech of filtering vs. reporting/chat signing is and the general nature of 3rd party servers.

Are all bans permanent?

No, and if you think you were banned without reason, you can make an appeal.

Can servers disable the reporting feature?

Yes, very easily. However, considering this comes at the cost of effectively taking power away from your users, making them more vulnerable to repeated bullying, it would not be as merciful a move as you might think.

Players may also opt-in to only display signed (and thus reportable) messages.

What if their moderation team is terrible?

A lot of people have voiced concerns regarding Mojang possibly outsourcing message moderation and thus having poor quality report processing. While it is a somewhat reasonable fear, this is still based on extremely high amounts of speculation. Looking at the facts, Microsoft already has well-functioning chat moderation on Xbox Live, where no such drama of false bans or being banned because you spoke out negatively about Microsoft has occurred; the rules regarding Minecraft chat are also a lot more lenient compared to that.

With this in mind, such speculation does not make for a good argument and I implore you to wait and see what actually happens. If your worst fears do end up coming true and false bans occur with an additional lack of appeal processing, I myself will be sure to join the riot as well and provide easy to use means to disable reporting.

Why can I be banned when playing on a private server I own?

You're using Mojang's client, Mojang's server, and Mojang's services on a massive social platform they still have the responsibility to moderate; they're very much in their right to do that. You won't be banned if either your friends don't feel attacked by your messages or you just disable reporting with a plugin or mod.

However, opinion time: Everything you do or say has consequences, even towards friends, and even if you don't realize they exist. You're not going to be banned for a playful and harmless insult, but considering the large number of children and young adults playing the game, such a reporting feature was long overdue.

Someone who is toxic on one server is likely to behave the same on other servers as well. You might be capable of handling simple disputes and insults, but Mojang is better equipped to properly deal with people putting out personal threats, child predators and the like than you are. This also includes the smaller or even private servers.

Proper moderation takes time, and a lot of servers aren't able to provide that or willfully neglect it. Nevertheless, you can still easily disable reporting on your server if you wish to do so.

I still have issues with this, what can I do about it?

Whatever you do, don't join the angry mob; instead, provide constructive and useful feedback either on Minecraft's feedback site or open a ticket on their bug tracker - and remember to keep it civil.

... what if I just want an opt-out

You already have one. Ignoring the technical side of it, just imagine what Mojang would look like if they gave bad people the option to disable industry-standard player safety features.

@kennytv

kennytv commented Aug 4, 2022

It was an issue, already fixed on Paper 1.19.1 and Vanilla 1.19.2-rc1, but the "only" damage it was able to cause was disconnecting newly joining players (as opposed to exploiting chat reporting). Just make sure you're on the latest version of Paper if you're on 1.19.1.

@kennytv

kennytv commented Aug 4, 2022

PSA if you use the popular NoChatReports Fabric/Forge mod: Remove it immediately or at the very least don't join servers enforcing secure chat with the mod enabled, since there is a very high likelihood the mod actually opens you up to an otherwise non-existent exploit by disabling basic chat chain validation the Vanilla client usually executes.

This is pretty much a confirmed attack vector and the author has been notified in private (... as you should do with any exploit). He doesn't seem to understand the underlying technicalities and thus the severity of the issue yet, but other people around him, including nodus devs, seem to have at least realized there is some issue.

@Madis0

Madis0 commented Aug 5, 2022

If you know what exactly is broken, why not PR a fix?

@kennytv

kennytv commented Aug 5, 2022

I told him exactly what he has to do yesterday, he can use that information to fix it himself if he cares to. I don't use the mod and it's obvious the author doesn't fully understand secure chat functionality, so even with this fixed I still wouldn't recommend actually using it. There are far simpler and safer mods that remove the profile key and signing, but otherwise leave the security relevant parts of code untouched... There's just too much irony in a mod wanting to protect you from false reports allowing you to be falsely reported.

@Madis0

Madis0 commented Aug 5, 2022

Right. Isn't this something Mojang can and should fix server-side/implementation-side though?

@kennytv

kennytv commented Aug 5, 2022

No, this has nothing to do with the vanilla server or client. A malicious server and client were able to pretty easily properly gaslight any player with NCR (!) that joined their server, leaving no traces for Mojang to find out the chain was tampered with (unlike guardian and the most damning cases of gaslightv2 for example, where there are certain traces of tampering). Looks like NCR's vulnerability has been fixed now, but I'd still very much recommend not using that mod specifically, as he tries to downplay the issue as "unchecked speculation" and still has other (less severe) validation issues in the server implementation of the mod for example.

If you really want to continue using such a mod, instead, use FreedomChat as a server-side Paper plugin, Simply No Report as a Fabric server mod, or anything else on the client (I don't know of any good examples, but there probably is at least one).

@ItsCryptic

Question regarding version support on servers: Since some servers do use ViaVersion and other methods to support older clients, and if you have enforce-secure-profile on, will the client still be able to see the message from a 1.18.2 player?

@ItsCryptic

As far as I know 1.18.2 has no chat signing at all

@kennytv

kennytv commented Aug 7, 2022

You just have to disable the option if you want to let older clients join

@AceSevenFive

Since kenny deleted the previous comment (I can't imagine why):

PSA if you use the popular NoChatReports Fabric/Forge mod: Remove it immediately or at the very least don't join servers enforcing secure chat with the mod enabled, since there is a very high likelihood the mod actually opens you up to an otherwise non-existent exploit by disabling basic chat chain validation the Vanilla client usually executes.

NoChatReports won't let you join a server with enforce-secure-profile enabled anyway without bypassing a warning screen.

@xXGucciferXx

xXGucciferXx commented Aug 9, 2022

Gaslighting V3 (Server-side) was released, demonstrating even more ways to abuse the Chat Reporting feature.
https://www.youtube.com/watch?v=Pz5iGzuNnNU

@kennytv

kennytv commented Aug 9, 2022

Gaslighting V3 (Server-side) was released, demonstrating even more ways to abuse the Chat Reporting feature. https://www.youtube.com/watch?v=Pz5iGzuNnNU

Yep, definitely not good such an issue exists. Although it falls into the same category as v2, where "yes" or "I hate them" is nothing that will reasonably be acted upon anyways, so 🤷‍♀️. Basically, https://twitter.com/Xilefian/status/1556998020285300737.

In any case, if you want a way to immediately realize a server is trying to dupe you with that and that you should probably leave it and never come back, you can use this mod: https://modrinth.com/mod/disablemessagedeletion to see if someone quickly tries to remove a message and you see that and other messages in their full, fishy form.

@xXGucciferXx

xXGucciferXx commented Aug 11, 2022

Basically, https://twitter.com/Xilefian/status/1556998020285300737.

I see. I just saw a response by a Nodus dev on that tweet.
According to Gildfesh:

The mod is both a client and server mod. When installed on the server, it has that behaviour. On the client it uses the previously demonstrated DM trick. It has had a "detectability challenge" in the repo for a few days and so far no one has been able to tell which is which.

(https://twitter.com/Gildfesh/status/1556999614439751681)

Although it falls into the same category as v2, where "yes" or "I hate them" is nothing that will reasonably be acted upon anyways

Well, to be fair, that obviously was just an example though.

@QuickWrite

In any case, if you want a way to immediately realize a server is trying to dupe you with that and that you should probably leave it and never come back, you can use this mod: https://modrinth.com/mod/disablemessagedeletion to see if someone quickly tries to remove a message and you see that and other messages in their full, fishy form.

The problem with that is that many people don't even know about the issue and so are vulnerable to that and secondly another problem is that I need to download a mod so that I am safer. Why doesn't Mojang do that as they are the reason why this is a problem in the first place (sending for example the time it was hidden with it).

@kennytv

kennytv commented Aug 14, 2022

Well as I said, it's unlikely such reports will actually put you into any danger, most likely even have the opposite effect and incriminate the reporter. My mod is just to put such attempts to light, even if they don't go anywhere. People forget that context wasn't added so you can incriminate someone, but to make sure you're not unfairly banned when looking at the individual messages of the reported player. Just taking Mojang's word on it, a referential/vague response is not going to get you banned, no matter what a malicious party might try to pretend you replied to.

... that doesn't mean it's not an issue at all, it very much is an issue; it's just not an actual exploit or dealbreaker that needs a proper solution immediately as it can (and supposedly is) reasonably taken into account when handling reports

@PortableGames

(screenshot)

Since 22w43a

@kennytv

kennytv commented Dec 13, 2022

The gist has been updated to hopefully include all 1.19.3 changes, those being:

  • Chat preview has been removed entirely, meaning you will always be able to see the original message in chat or by hovering over a signed message with changed contents
  • Signed, but changed messages look less extreme with only a gray indicator
  • Profile keys are no longer required to join servers with enforce-secure-profile enabled, but only to send chat messages
  • Chat message deletion has also been changed, so that messages will be displayed for at least 3 seconds before being removed, and a removal still leaving a stub behind (saying that a chat message has been removed where the message previously was)
  • Private messages are no longer signed, so you cannot use last seen messages to look for vanished players or to try to find out who is sending messages in private channels

Also added a short line on being able to filter parts of a message (replacing bad words with #).

This update made support of signed chat on proxies such as Velocity a lot easier and generally reduced complexity of the system. They haven't quite fixed all of my gripes, but most of them have been ฅʕ•̫͡•ʔฅ

@Madis0

Madis0 commented Dec 13, 2022

As of 1.19.3, up to how many messages are included in a report?

@kennytv

kennytv commented Dec 13, 2022

As of 1.19.3, up to how many messages are included in a report?

Looks like it is 9 leading messages for every selected chat message, with a max of 40 to be selected.

@ZerefSoul

You said now it's possible to remove specific chat messages with ClientboundDeleteChatPacket.
I'm working on a plugin and I could use it, but I don't find any documentation (It is present here, but without instructions or method usage: https://nekoyue.github.io/ForgeJavaDocs-NG/javadoc/1.19.3/net/minecraft/network/protocol/game/ClientboundDeleteChatPacket.html#handle(net.minecraft.network.protocol.game.ClientGamePacketListener ).
Could you give me an example of using ClientboundDeleteChatPacket to delete an already sent message (for a specific Player)?

@kennytv

kennytv commented May 4, 2023

You said now it's possible to remove specific chat messages with ClientboundDeleteChatPacket. I'm working on a plugin and I could use it, but I don't find any documentation (It is present here, but without instructions or method usage: https://nekoyue.github.io/ForgeJavaDocs-NG/javadoc/1.19.3/net/minecraft/network/protocol/game/ClientboundDeleteChatPacket.html#handle(net.minecraft.network.protocol.game.ClientGamePacketListener ). Could you give me an example of using ClientboundDeleteChatPacket to delete an already sent message (for a specific Player)?

Sure - in its raw form, you would need to take the signature sent in a ClientboundPlayerChatPacket and throw that into new MessageSignature.Packed(signature) to use in the deletion packet. I believe some modding platforms already have higher-level API for it, otherwise you can for example get a couple of signatures of previously sent messages in LastSeenMessagesTracker, or track them yourself.

@Magicrafter13

Magicrafter13 commented Jun 23, 2023

You're using Mojang's client, Mojang's server, and Mojang's services

All three of these statements are false. I don't use the official launcher, it's my server not theirs so don't even try going there, and therefore none of their services.

I assume COMPLETE ownership and rights over my server - I haven't even agreed to their EULA.

I also do not care what someone has done on another server, all that matters to me is their conduct on mine. If they're banned from another that should not affect their ability to play on mine.

@bluebear94

All three of these statements are false. I don't use the official launcher, it's my server not their's so don't even try going there, and therefore none of their services.

Nope, your statement is false. What launcher you use is immaterial; you’re still using the official Minecraft client jar. In addition, all servers that are not on offline mode use Mojang’s authentication services to verify incoming users.

(When KennyTV mentions “Mojang’s server”, I assume he means the servers running the authentication services, not any of the servers you play on.)

I assume COMPLETE ownership and rights over my server - I haven't even agreed to their EULA.

Yes, you have, unless you’re using custom server software that doesn’t use any code from the official server software. The Minecraft server software requires explicitly acknowledging this by editing the eula.txt file.

@Magicrafter13

I just modified the server jar to bypass the eula check.

@bluebear94

I just modified the server jar to bypass the eula check.

That’s on you.

@GreatWyrm

Just wanted to pop into say that yes, you have agreed to their EULA.
Quote from the EULA page.

If you buy, download, use or play our Game, you are agreeing to stick to the rules of these end user license agreement ("EULA") terms. If you don't want to or can't agree to these rules, then you must not buy, download, use or play our Game.

And saying that you assume complete ownership rights over your server is a bit strange, as unless you've written it from scratch, it's still (mostly) Mojang's code that's running the server.

@Magicrafter13

That's the EULA for their client (which also was not required to buy the game activation code, but that's a long time ago), not their server software which is a free direct download.

This is just another of the common proprietary software L's. It's all quite unethical.

@bluebear94

That's the EULA for their client (which also was not required to buy the game activation code, but that's a long time ago), not their server software which is a free direct download.

Clearly you haven’t read the EULA:

And so that we are crystal clear, "the Game" or "what we have made" includes, but is not limited to, the client or the server software for our Game and includes Minecraft and Minecraft: Java Edition on all platforms.

This is just another of the common proprietary software L's. It's all quite unethical.

I’m not trying to argue about the ethics of this; I’m just correcting incorrect information.

@oxodao

oxodao commented Nov 21, 2023

That's the EULA for their client (which also was not required to buy the game activation code, but that's a long time ago), not their server software which is a free direct download.

This is just another of the common proprietary software L's. It's all quite unethical.

The EULA for the server is the same. When you run the server software jar, it generates a eula.txt that you have to agree to run the software:

```properties
#By changing the setting below to TRUE you are indicating your agreement to our EULA (https://aka.ms/MinecraftEULA).
#Fri Nov 17 23:59:33 CET 2023
eula=false
```

The link redirects to the main and only EULA. If you really don't like proprietary software, you can always use one of the multiple open source implementations. But AFAIK you still have to rely on the official client, as the only open source one I know of is Truecraft, whose development was halted a long time ago.
