-
pep.
> going by this page: http://search.wensley.org.uk/chat/ > do rooms about clients count? :) > if not, IT-MSE probably counts, whatever that is > GNU/Linux is second (30) This is sad :(
-
pep.
OTOH, I would probably bridge my room to IRC if I had a room here for some random project
-
zinid
moparisthebest, now I can refer to your article! :D https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L191
-
edhelas
https://nl.movim.eu/?blog/arie@movim.eu/0d590c16-75f9-4683-835b-c4003dcebc44
-
zinid
yeah
-
zinid
I also wonder why Signal is considered more secure than Whatsapp?
-
zinid
same proprietary silo
-
mathieui
hm no?
-
mathieui
signal isn’t controlled by facebook
-
zinid
and?
-
mathieui
and iirc the server can do less things in signal
-
zinid
like requesting private key?
-
Ge0rG
Signal is controlled by moxie, who used to be an anarchist crypto nerd before he got bought.
-
zinid
so this is a question of trust? which is very personal
-
zinid
for example, why would I trust moxie?
-
edhelas
don't
-
edhelas
but we all know the position of moxie on federation/decentralisation
-
daniel
Ge0rG: are anarchist crypto nerds those assassination market people?
-
daniel
All pretty legit and trustworthy
-
Ge0rG
daniel: I'm pretty sure there are different sub-groups.
-
zinid
edhelas, "all"? I knew about moxie from this conference (or conversations@, don't remember), I know jack shit about moxie actually 🙂
-
edhelas
Holger zinid should we clarify 0060 for this one ? https://github.com/processone/ejabberd/issues/2129
-
zinid
edhelas, I'm no pubsub expert, sorry, I barely can understand the problem
-
Holger
Yes this should be clarified if you ask me.
-
MattJ
I don't see what there is to clarify
-
MattJ
Someone might think that deleting their account allows their pubsub nodes to be modified by others?
-
Holger
MattJ: Both you and me have write access to a node. Does that mean you can override items published by me?
-
Holger
MattJ: That's not clear (to me) from reading 0060. See that issue.
-
MattJ
Ok, I see
-
MattJ
It didn't seem clear to me that that's what the issue was about
-
Zash
Item ownership?
-
MattJ
Opens a can of worms
-
zinid
there is a similar problem with MUCs (if I understand it correctly): account deletion doesn't trigger deletion of ownership in remote MUCs
-
zinid
so you can re-register the account and become an owner 😉
-
Holger
Yeah. Or just become a member of a members-only group.
-
Ge0rG
Now I can't delete accounts any more? I need to convert them all into tombstones?
-
MattJ
Ge0rG, welcome to federation
-
zinid
a client probably needs to clean up everything carefully, but that's PITA
-
Ge0rG
zinid: you can't have a client clean up everything if you ban a user.
-
MattJ
That's not always feasible
-
Ge0rG
Also not all clients of a user know their remote MUC ownerships
-
Kev
More or less you can never delete accounts safely in XMPP, you must always tombstone.
-
Kev
At least for federated systems you don't control.
-
zinid
yeah, so just don't delete your account 🙂
-
Holger
Anyway those are separate problems. The user who created that ejabberd issue is indeed fighting with deleted accounts (and I see the problem), but he stumbled over that PubSub question which is just as unclear if the accounts in question still exist.
-
zinid
however, server admins can do that 🙂
-
Holger
I clearly see the use case for giving multiple JIDs write access to a node without allowing them to delete/override each others items. So if 0060 doesn't make this possible that's bad.
-
Holger
I think this should be the default behavior, just needs some clarification.
-
intosi
Holger: you mean publish-only?
-
Holger
If there's also a use case for allowing to delete/override each others items then 0060 needs additional magic.
-
intosi
Although that precludes reading items.
-
Holger
intosi: You're always able to edit/delete items you published yourself.
-
Holger
(Which can also be a problem.)
-
Holger
This is just about messing with stuff published by others.
-
Ge0rG
That sounds like an Enterprise Feature.
-
Holger
I think people like goffi and edhelas are having a hard time trying to use 0060 for very basic features ...
-
edhelas
just a bit :-)
-
MattJ
It's because XEP-0060 is too generic
-
MattJ
Which means for most practical applications, it doesn't suffice, or has to be made more complex
-
waqas
It lacks proper Turing completeness though…
-
Zash
Small change to the notification transformation settings so you can make it send iq stanzas, and then do pubsub that way
-
Ge0rG
> And federation is possible over XMPP with Signal: https://signal.org/blog/the-ecosystem-is-moving/ Heh. I'm pretty sure that link conveys the absolute opposite of the stated message.
-
Zash
Wait what
-
Ge0rG
From https://news.ycombinator.com/item?id=16127570
-
Zash
XMPP over Signal?? Why would you even
-
daniel
I by the love how their method for 'private contact discovery' is basically we just send everything to an Intel black box because Intel knows their shit, right
-
daniel
But that's unrelated to random guy on HN not knowing the fuck he is talking about
-
Ge0rG
Yeah.
-
Ge0rG
Recently I had some time on my hands and read through moxie's old stories, about train riding through the US and home squatting. And that's so absolutely different from the "stop calling your product like our product" moxie, it's hard to grasp
-
Ge0rG
The ones under https://moxie.org/stories.html
-
Zash
"This is your brain. This is your brain on capitalism."
-
daniel
Isn't there one where he was almost raped while hitchhiking or something?
-
daniel
I think I read those stories some years ago as well
-
Ge0rG
daniel: yeah, and he almost died while sailing. And some others.
-
moparisthebest
zinid: ah excellent (about ejabberd config pointer)
-
moparisthebest
On a related note, does ejabberd TLS support SNI for cert selection?
-
Holger
moparisthebest: Sure, zinid added that ages ago.
-
Holger
(Last month IIRC.)
-
moparisthebest
Nice
-
Zash
Model changes :/
-
moparisthebest
SNI is shockingly absent outside https it seems, I had to add it to 2 IRC clients and K-9 mail on Android when I started this whole multiplexing business
-
moparisthebest
It's been around for what 14 years at this point?
-
Zash
Does anything but HTTPS actually need it?
-
Holger
IRC has no STARTTLS I guess :-)
-
Holger
But yes mail doesn't need it.
-
Zash
For weird reasons tho
-
moparisthebest
everything that uses TLS really
-
moparisthebest
imap and smtp over TLS need it
-
moparisthebest
not STARTTLS, but TLS that is
-
moparisthebest
the funny thing is, as IPv4 gets harder and harder to get, SNI will become more and more needed by everything
-
moparisthebest
and then as IPv4 is replaced by IPv6, SNI will no longer be needed at all essentially 🙂
-
Holger
moparisthebest: Sure if you don't use the alternative solution available for email, then you need it :-)
-
moparisthebest
starttls should just die everywhere
-
Zash
nooooooo
-
moparisthebest
I think there is even such an RFC for all the email protocols right?
-
Zash
Pretty sure all email protocols have starttls
-
Zash
Pretty sure I've never seen SMTP over TLS
-
moparisthebest
all of them have starttls options and direct-tls options, and an old RFC deprecated direct-tls, and a new one I think re-instates it and deprecates starttls
-
moparisthebest
over port 465 is the standard for that Zash
-
moparisthebest
for client submission port over direct tls
-
Zash
Never seen or heard about anyone ever using that
-
moparisthebest
yea the standard smtp ports are 25 (for s2s you could say), 587 for submission (starttls), and 465 for smtps (direct tls), 465 pre-dated 587 and then was deprecated and assigned to some protocol no one uses...
-
Holger
Zash: We've been offering SMTPS and IMAPS next to STARTTLS for ages and I've seen many other providers doing so.
-
moparisthebest
found it https://datatracker.ietf.org/doc/draft-ietf-uta-email-deep/
-
moparisthebest
Cleartext Considered Obsolete: Use of TLS for Email Submission and Access
-
moparisthebest
ie starttls must die
-
moparisthebest
on an XMPP related note, they chose the terminology 'Implicit TLS' vs what we chose of 'Direct TLS' so it might make sense to update 368 that way
-
mathieui
yay, finally got a vacation to attend the summit
-
moparisthebest
ha they chose _submissions._tcp vs my initial preference of _submission._tls too
-
Ge0rG
Anyone seen stpeter recently?
-
Ge0rG
moparisthebest: is the last "s" for "secure" or for plural?
-
moparisthebest
same as xmpps, secure
-
moparisthebest
or ssl ? 😛
-
Ge0rG
ss-what?
-
moparisthebest
it's not like anyone is going to change https to httpt
-
Ge0rG
did you mean: htttp? :P
-
Zash
htls://
-
moparisthebest
hpkp:// where every site has a pinned public key? now that's something I could get behind
-
Zash
ipfs?
-
Ge0rG
moparisthebest: and the host part is replaced by the key fingerprint. key fingerprint dot onion.
-
moparisthebest
more like cjdns
-
Link Mauve
“17:33:12 moparisthebest> Cleartext Considered Obsolete: Use of TLS for Email Submission and Access 17:33:20 moparisthebest> ie starttls must die”, you’ve said that a few times already, but that’s plain wrong, there is nothing more plaintext in StartTLS than in legacy TLS in XMPP.
-
moparisthebest
Link Mauve: but then why keep it
-
Link Mauve
Because a huge lot of software and deployments support it, and because there is no downside.
-
Link Mauve
There is a downside to the change though.
-
Zash
Changing security stuff for what amounts to a small round trip optimization is kinda scary.
-
Zash
And the thing about getting through firewalls will just further that arms race
-
moparisthebest
Way more software supports direct TLS
-
Zash
More popular != better
-
moparisthebest
But in this case it does
-
Link Mauve
moparisthebest, I just had a look at our server, we have a 1:10 ratio of users of legacy TLS vs. StartTLS.
-
moparisthebest
Link Mauve: do you have xep368 DNS records, and what preference order
-
Link Mauve
Yes, and same as the normal one.
-
moparisthebest
Wait same? What is the weight of each then
-
Link Mauve
Ah no, 8 0 for _xmpp-client and 10 0 for _xmpps-client.
-
Link Mauve
I remembered wrong.
-
moparisthebest
Ah ok well that's why then
-
Link Mauve
You can dig _xmpps?-client._tcp.jabberfr.org.
-
moparisthebest
You should test with them switched
-
Link Mauve
But why? I thought the only reason to have those was to bypass firewalls that intercept the plain text version and only allow TLS-looking ones.
-
Link Mauve
If a client fails to connect in StartTLS, but supports legacy TLS, it will just check again once the connection failed.
-
Zash
I thought the primary reason was to get through corporate firewalls that only allow http/https
-
Link Mauve
Yeah.
-
Link Mauve
That’s the only reason we have legacy TLS in the first place.
-
Link Mauve
We also have XEP-0156 deployed, which is another big one for those.
-
moparisthebest
Isn't 368 way easier and more efficient than 156
-
moparisthebest
If getting around firewalls is your goal that is
-
Link Mauve
Until your firewall starts blocking anything which doesn’t announce it is HTTP.
-
moparisthebest
Bottom line though if xmpp was being designed today do you doubt it would only support direct TLS?
-
Link Mauve
Because 0156 describes how to use this very HTTP everyone loves so much.
-
Zash
Weren't you the one who said "we'll still have websockets"?
-
Link Mauve
moparisthebest, that doesn’t matter, it was invented twenty years ago, you can’t erase that.
-
moparisthebest
But you can move towards the ideal situation
-
Link Mauve
It’s not more ideal than the rest.
-
moparisthebest
If you are redesigning other parts might as well improve it all
-
Zash
I don't see how moving host and service multiplexing around the layers is an improvement.
-
moparisthebest
Link Mauve: wait you said 10% of your users are using the xep368 srv record? That seems huge if it's a lower priority
-
Zash
Link Mauve: Is it set up so you can detect connections that ignored or failed to get SRV records?
-
Zash
Like yax.im is, iirc.
-
Link Mauve
Zash, yes.
-
Zash
And, iirc, also produces depressing numbers.
-
Zash
Like how 90% of all users on a thing I used to run were using DIGEST-MD5 and the rest were using PLAIN
-
moparisthebest
That seems like a huge number of users that otherwise wouldn't be able to connect
-
edhelas
so looks like Movim is having a "okay" working solution to do video-conferencing with pure WebRTC and Jingle :)
-
moparisthebest
Also considering only a couple clients support it
-
Link Mauve
moparisthebest, or plain ignore the settings and connect to 5223 anyway.
-
Zash
or got SRV sorting wrong
-
la|r|ma
edhelas, did you try out cross-browser?
-
moparisthebest
Conversations does it right mixing and all, it would connect to 5222 if it could
-
edhelas
yup, working between chrome and firefox
-
edhelas
disabled on mobile for now
-
moparisthebest
edhelas: would be great to get interop working with conversations too :)
-
edhelas
ping daniel :3
-
la|r|ma
edhelas: what about safari? (I worked with WebRTC for another project and it sucks to get it cross-browser)
-
moparisthebest
Did that xep work as is or did you find rough edges?
-
edhelas
I don't know if there's a WebRTC implementation in Java for Android
-
edhelas
la|r|ma don't know, don't have Macs at home :D
-
la|r|ma
you can use chromes libwebrtc on android
-
moparisthebest
edhelas: actually a conversations fork has webrtc support
-
edhelas
moparisthebest well I basically had everything in the XEPs to do the conversion between SDP and Jingle
-
moparisthebest
Just signaling doesn't use xmpp
-
edhelas
https://github.com/movim/movim/blob/master/lib/SDPtoJingle.php
-
moparisthebest
So take some code from there, implement signaling part with jingle, done
-
la|r|ma
moparisthebest, which fork?
-
moparisthebest
la|r|ma: uuuhhhhh author responded in that issue
-
moparisthebest
Spreedbox or something?
-
Link Mauve
edhelas, I’d really like to interoperate between the desktop and the web, I just sent an email to the Jitsi guys about that.
-
edhelas
sure, would love to try interoperability with Jitsi, and why not Dino one day :)
-
edhelas
moparisthebest I've also annotated the XEP numbers in the file :)
-
la|r|ma
I built a PoC for Jingle with Dino half a year back (only basic unencrypted audio via ice-udp)
-
edhelas
I'm really impatient to show all those nice features interoperable between Dino, Conversations, Movim and others :)
-
edhelas
SàT also for the social part
-
moparisthebest
Would that part of movim work with prosody?
-
edhelas
eheh, nothing relies on the servers :D
-
edhelas
it's a pure client implementation
-
edhelas
well I still have to implement TURN/STUN if the XMPP server offers it
-
moparisthebest
edhelas: well I meant movim in general
-
edhelas
not yet
-
edhelas
still waiting for proper pubsub support
-
moparisthebest
I know it needs pep stuff prosody doesn't have yet
-
moparisthebest
But does plain chat and that webrtc stuff work
-
edhelas
yup
-
moparisthebest
I'll have to try it :)