XSF Discussion - 2018-01-12


  1. pep.

    > going by this page: http://search.wensley.org.uk/chat/
    > do rooms about clients count? :)
    > if not, IT-MSE probably counts, whatever that is
    > GNU/Linux is second (30)

    This is sad :(

  2. pep.

    OTOH, I would probably bridge my room to IRC if is I had a room here for some random project

  3. zinid

    moparisthebest, now I can refer to your article! :D https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L191

  4. edhelas

    https://nl.movim.eu/?blog/arie@movim.eu/0d590c16-75f9-4683-835b-c4003dcebc44

  5. zinid

    yeah

  6. zinid

    I also wonder why Signal is considered more secure than Whatsapp?

  7. zinid

    same proprietary silo

  8. mathieui

    hm no?

  9. mathieui

    signal isn’t controlled by facebook

  10. zinid

    and?

  11. mathieui

    and iirc the server can do less things in signal

  12. zinid

    like requesting private key?

  13. Ge0rG

    Signal is controlled by moxie, who used to be an anarchist crypto nerd before he got bought.

  14. zinid

    so this is a question of trust? which is very personal

  15. zinid

    for example, why would I trust moxie?

  16. edhelas

    don't

  17. edhelas

    but we all know the position of moxie on federation/decentralisation

  18. daniel

    Ge0rG: are anarchist crypto nerds those assassination market people?

  19. daniel

    All pretty legit and trustworthy

  20. Ge0rG

    daniel: I'm pretty sure there are different sub-groups.

  21. zinid

    edhelas, "all"? I knew about moxie from this conference (or conversations@, don't remember), I know jack shit about moxie actually 🙂

  22. edhelas

    Holger zinid should we clarify 0060 for this one ? https://github.com/processone/ejabberd/issues/2129

  23. zinid

    edhelas, I'm no pubsub expert, sorry, I barely can understand the problem

  24. Holger

    Yes this should be clarified if you ask me.

  25. MattJ

    I don't see what there is to clarify

  26. MattJ

    Someone might think that deleting their account allows their pubsub nodes to be modified by others?

  27. Holger

    MattJ: Both you and me have write access to a node. Does that mean you can override items published by me?

  28. Holger

    MattJ: That's not clear (to me) from reading 0060. See that issue.

  29. MattJ

    Ok, I see

  30. MattJ

    It didn't seem clear to me that that's what the issue was about

  31. Zash

    Item ownership?

  32. MattJ

    Opens a can of worms

  33. zinid

    there is a similar problem with MUCs (if I understand it correctly): account deletion doesn't trigger deletion of ownership in remote MUCs

  34. zinid

    so you can re-register the account and become an owner 😉

  35. Holger

    Yeah. Or just become member of a members-only group.

  36. Ge0rG

    Now I can't delete accounts any more? I need to convert them all into tombstones?

  37. MattJ

    Ge0rG, welcome to federation

  38. zinid

    a client probably needs to clean up everything carefully, but that's PITA

  39. Ge0rG

    zinid: you can't have a client clean up everything if you ban a user.

  40. MattJ

    That's not always feasible

  41. Ge0rG

    Also not all clients of a user know their remote MUC ownerships

  42. Kev

    More or less you can never delete accounts safely in XMPP, you must always tombstone.

  43. Kev

    At least for federated systems you don't control.

  44. zinid

    yeah, so just don't delete your account 🙂

  45. Holger

    Anyway those are separate problems. The user who created that ejabberd issue is indeed fighting with deleted accounts (and I see the problem), but he stumbled over that PubSub question which is just as unclear if the accounts in question still exist.

  46. zinid

    however, server admins can do that 🙂

  47. Holger

    I clearly see the use case for giving multiple JIDs write access to a node without allowing them to delete/override each other's items. So if 0060 doesn't make this possible that's bad.

  48. Holger

    I think this should be the default behavior, just needs some clarification.

  49. intosi

    Holger: you mean publish-only?

  50. Holger

    If there's also a use case for allowing to delete/override each other's items then 0060 needs additional magic.

  51. intosi

    Although that precludes reading items.

  52. Holger

    intosi: You're always able to edit/delete items you published yourself.

  53. Holger

    (Which can also be a problem.)

  54. Holger

    This is just about messing with stuff published by others.

  55. Ge0rG

    That sounds like an Enterprise Feature.

  56. Holger

    I think people like goffi and edhelas are having a hard time trying to use 0060 for very basic features ...

  57. edhelas

    just a bit :-)

  58. MattJ

    It's because XEP-0060 is too generic

  59. MattJ

    Which means for most practical applications, it doesn't suffice, or has to be made more complex

  60. waqas

    It lacks proper Turing completeness though…

  61. Zash

    Small change to the notification transformation settings so you can make it send iq stanzas, and then do pubsub that way

  62. Ge0rG

    > And federation is possible over XMPP with Signal: https://signal.org/blog/the-ecosystem-is-moving/

    Heh. I'm pretty sure that link conveys the absolute opposite of the stated message.

  63. Zash

    Wait what

  64. Ge0rG

    From https://news.ycombinator.com/item?id=16127570

  65. Zash

    XMPP over Signal?? Why would you even

  66. daniel

    I by the love how their method for 'private contact discovery' is basically we just send everything to an Intel black box because Intel knows their shit, right

  67. daniel

    But that's unrelated to random guy on HN not knowing the fuck he is talking about

  68. Ge0rG

    Yeah.

  69. Ge0rG

    Recently I had some time on my hands and read through moxie's old stories, about train riding through the US and home squatting. And that's so absolutely different from the "stop calling your product like our product" moxie, it's hard to grasp

  70. Ge0rG

    The ones under https://moxie.org/stories.html

  71. Zash

    "This is your brain. This is your brain on capitalism."

  72. daniel

    Isn't there one where he was almost raped while hitchhiking or something?

  73. daniel

    I think I read those stories some years ago as well

  74. Ge0rG

    daniel: yeah, and he almost died while sailing. And some others.

  75. moparisthebest

    zinid: ah excellent (about ejabberd config pointer)

  76. moparisthebest

    On a related note, does ejabberd TLS support SNI for cert selection?

  77. Holger

    moparisthebest: Sure, zinid added that ages ago.

  78. Holger

    (Last month IIRC.)

  79. moparisthebest

    Nice

  80. Zash

    Model changes :/

  81. moparisthebest

    SNI is shockingly absent outside https it seems, I had to add it to 2 IRC clients and K-9 mail on Android when I started this whole multiplexing business

  82. moparisthebest

    It's been around for what 14 years at this point?

  83. Zash

    Does anything but HTTPS actually need it?

  84. Holger

    IRC has no STARTTLS I guess :-)

  85. Holger

    But yes mail doesn't need it.

  86. Zash

    For weird reasons tho

  87. moparisthebest

    everything that uses TLS really

  88. moparisthebest

    imap and smtp over TLS need it

  89. moparisthebest

    not STARTTLS, but TLS that is

  90. moparisthebest

    the funny thing is, as IPv4 gets harder and harder to get, SNI will become more and more needed by everything

  91. moparisthebest

    and then as IPv4 is replaced by IPv6, SNI will no longer be needed at all essentially 🙂

  92. Holger

    moparisthebest: Sure if you don't use the alternative solution available for email, then you need it :-)

  93. moparisthebest

    starttls should just die everywhere

  94. Zash

    nooooooo

  95. moparisthebest

    I think there is even such an RFC for all the email protocols right?

  96. Zash

    Pretty sure all email protocols have starttls

  97. Zash

    Pretty sure I've never seen SMTP over TLS

  98. moparisthebest

    all of them have starttls options and direct-tls options, and an old RFC deprecated direct-tls, and a new one I think re-instates it and deprecates starttls

  99. moparisthebest

    over port 465 is the standard for that Zash

  100. moparisthebest

    for client submission port over direct tls

  101. Zash

    Never seen or heard about anyone ever using that

  102. moparisthebest

    yea the standard smtp ports are 25 (for s2s you could say), 587 for submission (starttls), and 465 for smtps (direct tls), 465 pre-dated 587 and then was deprecated and assigned to some protocol no one uses...

  103. Holger

    Zash: We've been offering SMTPS and IMAPS next to STARTTLS for ages and I've seen many other providers doing so.

  104. moparisthebest

    found it https://datatracker.ietf.org/doc/draft-ietf-uta-email-deep/

  105. moparisthebest

    Cleartext Considered Obsolete: Use of TLS for Email Submission and Access

  106. moparisthebest

    ie starttls must die

  107. moparisthebest

    on an XMPP related note, they chose the terminology 'Implicit TLS' vs what we chose of 'Direct TLS' so it might make sense to update 368 that way

  108. mathieui

    yay, finally got a vacation to attend the summit

  109. moparisthebest

    ha they chose _submissions._tcp vs my initial preference of _submission._tls too

  110. Ge0rG

    Anyone seen stpeter recently?

  111. Ge0rG

    moparisthebest: is the last "s" for "secure" or for plural?

  112. moparisthebest

    same as xmpps, secure

  113. moparisthebest

    or ssl ? 😛

  114. Ge0rG

    ss-what?

  115. moparisthebest

    it's not like anyone is going to change https to httpt

  116. Ge0rG

    did you mean: htttp? :P

  117. Zash

    htls://

  118. moparisthebest

    hpkp:// where every site has a pinned public key? now that's something I could get behind

  119. Zash

    ipfs?

  120. Ge0rG

    moparisthebest: and the host part is replaced by the key fingerprint. key fingerprint dot onion.

  121. moparisthebest

    more like cjdns

  122. Link Mauve

    > 17:33:12 moparisthebest> Cleartext Considered Obsolete: Use of TLS for Email Submission and Access
    > 17:33:20 moparisthebest> ie starttls must die

    you’ve said that a few times already, but that’s plain wrong, there is nothing more plaintext in StartTLS than in legacy TLS in XMPP.

  123. moparisthebest

    Link Mauve: but then why keep it

  124. Link Mauve

    Because a huge lot of software and deployments support it, and because there is no downside.

  125. Link Mauve

    There is a downside to the change though.

  126. Zash

    Changing security stuff for what amounts to a small round trip optimization is kinda scary.

  127. Zash

    And the thing about getting through firewalls will just further that arms race

  128. moparisthebest

    Way more software supports direct TLS

  129. Zash

    More popular != better

  130. moparisthebest

    But in this case it does

  131. Link Mauve

    moparisthebest, I just had a look at our server, we have a 1:10 ratio of users of legacy TLS vs. StartTLS.

  132. moparisthebest

    Link Mauve: do you have xep368 DNS records, and what preference order

  133. Link Mauve

    Yes, and same as the normal one.

  134. moparisthebest

    Wait same? What is the weight of each then

  135. Link Mauve

    Ah no, 8 0 for _xmpp-client and 10 0 for _xmpps-client.

  136. Link Mauve

    I remembered wrong.

  137. moparisthebest

    Ah ok well that's why then

  138. Link Mauve

    You can dig _xmpps?-client._tcp.jabberfr.org.

  139. moparisthebest

    You should test with them switched

  140. Link Mauve

    But why? I thought the only reason to have those was to bypass firewalls that intercept the plain text version and only allow TLS-looking ones.

  141. Link Mauve

    If a client fails to connect in StartTLS, but supports legacy TLS, it will just check again once the connection failed.

  142. Zash

    I thought the primary reason was to get through corporate firewalls that only allow http/https

  143. Link Mauve

    Yeah.

  144. Link Mauve

    That’s the only reason we have legacy TLS in the first place.

  145. Link Mauve

    We also have XEP-0156 deployed, which is another big one for those.

  146. moparisthebest

    Isn't 368 way easier and more efficient than 156

  147. moparisthebest

    If getting around firewalls is your goal that is

  148. Link Mauve

    Until your firewall starts blocking anything which doesn’t announce it is HTTP.

  149. moparisthebest

    Bottom line though if xmpp was being designed today do you doubt it would only support direct TLS?

  150. Link Mauve

    Because 0156 describes how to use this very HTTP everyone loves so much.

  151. Zash

    Weren't you the one who said "we'll still have websockets"?

  152. Link Mauve

    moparisthebest, that doesn’t matter, it was invented twenty years ago, you can’t erase that.

  153. moparisthebest

    But you can move towards the ideal situation

  154. Link Mauve

    It’s not more ideal than the rest.

  155. moparisthebest

    If you are redesigning other parts might as well improve it all

  156. Zash

    I don't see how moving host and service multiplexing around the layers is an improvement.

  157. moparisthebest

    Link Mauve: wait you said 10% of your users are using the xep368 srv record? That seems huge if it's a lower priority

  158. Zash

    Link Mauve: Is it set up so you can detect connections that ignored or failed to get SRV records?

  159. Zash

    Like yax.im is, iirc.

  160. Link Mauve

    Zash, yes.

  161. Zash

    And, iirc, also produces depressing numbers.

  162. Zash

    Like how 90% of all users on a thing I used to run were using DIGEST-MD5 and the rest were using PLAIN

  163. moparisthebest

    That seems like a huge number of users that otherwise wouldn't be able to connect

  164. edhelas

    so looks like Movim is having a "okay" working solution to do video-conferencing with pure WebRTC and Jingle :)

  165. moparisthebest

    Also considering only a couple clients support it

  166. Link Mauve

    moparisthebest, or plain ignore the settings and connect to 5223 anyway.

  167. Zash

    or got SRV sorting wrong

  168. la|r|ma

    edhelas, did you try out cross-browser?

  169. moparisthebest

    Conversations does it right mixing and all, it would connect to 5222 if it could

  170. edhelas

    yup, working between chrome and firefox

  171. edhelas

    disabled on mobile for now

  172. moparisthebest

    edhelas: would be great to get interop working with conversations too :)

  173. edhelas

    ping daniel :3

  174. la|r|ma

    edhelas: what about safari? (I worked with WebRTC for another project and it sucks to get it cross-browser)

  175. moparisthebest

    Did that xep work as is or did you find rough edges?

  176. edhelas

    I don't know if there's a WebRTC implementation in Java for Android

  177. edhelas

    la|r|ma don't know, don't have Macs at home :D

  178. la|r|ma

    you can use Chrome's libwebrtc on android

  179. moparisthebest

    edhelas: actually a conversations fork has webrtc support

  180. edhelas

    moparisthebest well I basically had everything in the XEPs to do the conversion between SDP and Jingle

  181. moparisthebest

    Just signaling doesn't use xmpp

  182. edhelas

    https://github.com/movim/movim/blob/master/lib/SDPtoJingle.php

  183. moparisthebest

    So take some code from there, implement signaling part with jingle, done

  184. la|r|ma

    moparisthebest, which fork?

  185. moparisthebest

    la|r|ma: uuuhhhhh author responded in that issue

  186. moparisthebest

    Spreedbox or something?

  187. Link Mauve

    edhelas, I’d really like to interoperate between the desktop and the web, I just sent an email to the Jitsi guys about that.

  188. edhelas

    sure, would love to try interoperability with Jitsi, and why not Dino one day :)

  189. edhelas

    moparisthebest I've also annotated the XEP numbers in the file :)

  190. la|r|ma

    I built a PoC for Jingle with Dino half a year back (only basic unencrypted audio via ice-udp)

  191. edhelas

    I'm really impatient to show all those nice features interoperable between Dino, Conversations, Movim and others :)

  192. edhelas

    SàT also for the social part

  193. moparisthebest

    Would that part of movim work with prosody?

  194. edhelas

    eheh, nothing relies on the servers :D

  195. edhelas

    it's a pure client implementation

  196. edhelas

    well I still have to implement TURN/STUN if the XMPP server offers it

  197. moparisthebest

    edhelas: well I meant movim in general

  198. edhelas

    not yet

  199. edhelas

    still waiting for proper pubsub support

  200. moparisthebest

    I know it needs pep stuff prosody doesn't have yet

  201. moparisthebest

    But does plain chat and that webrtc stuff work

  202. edhelas

    yup

  203. moparisthebest

    I'll have to try it :)