XSF Discussion - 2018-11-05


  313. ralphm vanitasvitae: done, should be crawled somewhere in the next 30min
  324. vanitasvitae ralphm: nice. Thank you very much :)
  327. jonas’ is there any reason to use a CSPRNG for stanza @id values?
  328. jonas’ (if one checks both @from and @id when associating replies)
  333. Zash jonas’: Probably overkill, but why not?
  334. jonas’ Zash, takes double the time
  335. jonas’ (when sourced from getrandom())
  336. Zash because syscall?
  337. jonas’ yeah
  338. jonas’ (probably)
  339. Zash jonas’: compared to what? and is it a problem?
  342. jonas’ Zash, compared to the mersenne twister
  343. jonas’ we’re revisiting how aioxmpp generates stanza IDs
  347. Ge0rG I wonder what the possible attack vector is. Injecting IQ responses ahead of the actual response? By whom?
  348. Ge0rG Unless you have a smack3 level of stanza correlation, where you just run a packet listener based on the packet ID, ignoring the @from
  349. jonas’ that was my train of thought, too
  350. jonas’ anyone who would be able to inject a reply is on the path anyways and can observe the @from and the @id
  351. jonas’ assuming that s2s authentication and routing in servers works as intended
  352. Ge0rG a bold assumption.
  353. jonas’ so if you can off-path inject stanzas due to broken s2s authentication (but you cannot intercept them entirely), being able to predict stanza IDs would be useful
  354. jonas’ this could work with broken one-way s2s auth, some dialback stuff for example
  355. Ge0rG reminds me of the `Received[s2sout]` debug logs I saw today from my prosody.
  356. jonas’ but uh
  357. Ge0rG s2s directions make me dizzy.
  358. Zash don't look at dialback
  360. Ge0rG I won't. Dialback, PubSub and MIX are danger zones I avoid at all costs.
  361. jonas’ so, the attack is rather hard and unlikely (it is more likely that you’ll be able to intercept the sent stanza and send a reply without having to guess the @id) and requires a fault in another component
  362. jonas’ huh, putting dialback into the same bucket as pubsub and mix is ... interesting
  364. Zash jonas’: having multiple PRNGs available might lead to accidentally using a weak one for something sensitive, and if it's something that can slowly leak state that might be bad
  366. jonas’ Zash, that’s what sebi is saying
  374. Kev Not reading everything, but predictable IDs are a privacy leak rather than a practical attack, for the most part.
  375. jonas’ how are they a privacy leak?
  376. Kev <message id='sessionstanza4234230498723408974'><body>Sorry, I've only just come online, I've not been ignoring you</...
  377. jonas’ right
  378. jonas’ that’s something different than just predictability though
  379. jonas’ that’s sequential
  380. Kev It's somewhere in between, I think.
  381. jonas’ a mersenne twister is predictable (with enough computing and enough samples), but by seeing a value, you don’t know whether that’s the first, tenth, or 1000th value
  382. Kev It doesn't have to be strictly sequential to have this property.
  383. jonas’ mmm
  384. jonas’ I see your point though
  385. Kev This was mostly a problem for two reasons: 1) People were using 1,2,3... 2) Some libraries are (were?) completely broken and ignored the sender of a stanza as long as the id was expected, so you could inject weird iq responses and they'd trust them.
  386. Kev (2) Is just brokenness
  387. Kev (1) has the unexpected privacy implications.
  388. Ge0rG yaxim is full of (2).
  389. Kev I don't think we need crypto-secure IDs.
  390. Ge0rG Now give me a CVE!
  391. Zash Ge0rG: Weren't there one or more for that already?
  392. Ge0rG Zash: not for that, no
  393. Ge0rG yaxim's got two CVEs so far IIRC.
  394. Zash Ge0rG: I distinctly remember CVE(s) for not checking 'from' on eg roster pushes that affected a *ton* of clients.
  395. Ge0rG Zash: yeah, I think smack wasn't affected or somesuch
  428. Alex memberbot is online for accepting your votes on the board & council election
  430. Seve Great! Thank you Alex
  431. Seve And good luck everyone!
  435. jonas’ thanks, Alex
  449. Ge0rG Last time I checked, one of the applications was still empty...
  451. jonas’ they’re all non-empty :)
  461. Alex there was some hard last minute work happening ;-)
  462. jonas’ as usual..
  527. lovetox Gajim uses uuid as id, but I just checked and indeed it does not check the answer address
  528. lovetox just the id
  529. lovetox how bad is this?
  530. lovetox I guess if someone is in the position to utilize that, then the id doesn't matter anyway because he is a man in the middle?
  531. lovetox hm yeah, the chance that another contact guesses the uuid at the exact right time is impossible