XSF logo XSF Discussion - 2019-08-17


  1. Lance has joined
  2. Nekit has left
  3. Lance has left
  4. UsL has left
  5. wurstsalat has left
  6. jcbrand has left
  7. UsL has joined
  8. Lance has joined
  9. Dele (Mobile) has left
  10. Dele (Mobile) has joined
  11. Dele (Mobile) has left
  12. adityaborikar has joined
  13. UsL has left
  14. Lance has left
  15. arc has left
  16. arc has joined
  17. UsL has joined
  18. lskdjf has left
  19. Lance has joined
  20. Lance has left
  21. Chobbes has left
  22. Lance has joined
  23. neshtaxmpp has joined
  24. Chobbes has joined
  25. pdurbin has joined
  26. Lance has left
  27. Lance has joined
  28. adityaborikar has left
  29. adityaborikar has joined
  30. Lance has left
  31. kokonoe has left
  32. kokonoe has joined
  33. pdurbin has left
  34. pdurbin has joined
  35. Yagiza has joined
  36. Lance has joined
  37. Chobbes has left
  38. david has left
  39. Lance has left
  40. pdurbin has left
  41. pdurbin has joined
  42. david has joined
  43. karoshi has joined
  44. Lance has joined
  45. Lance has left
  46. Lance has joined
  47. pdurbin has left
  48. aj has joined
  49. kokonoe has left
  50. kokonoe has joined
  51. Lance has left
  52. neshtaxmpp has left
  53. Lance has joined
  54. neshtaxmpp has joined
  55. moparisthebest has left
  56. moparisthebest has joined
  57. adityaborikar has left
  58. adityaborikar has joined
  59. jcbrand has joined
  60. Lance has left
  61. Douglas Terabyte has left
  62. sezuan has joined
  63. sezuan has left
  64. sezuan has joined
  65. sezuan has left
  66. sezuan has joined
  67. sezuan has left
  68. sezuan has joined
  69. sezuan has left
  70. sezuan has joined
  71. sezuan has left
  72. sezuan has joined
  73. sezuan has left
  74. sezuan has joined
  75. sezuan has left
  76. sezuan has joined
  77. sezuan has left
  78. sezuan has joined
  79. sezuan has left
  80. sezuan has joined
  81. aj has left
  82. sezuan has left
  83. sezuan has joined
  84. sezuan has left
  85. sezuan has joined
  86. sezuan has left
  87. sezuan has joined
  88. sezuan has left
  89. sezuan has joined
  90. sezuan has left
  91. sezuan has joined
  92. sezuan has left
  93. sezuan has joined
  94. arc has left
  95. arc has joined
  96. sezuan has left
  97. sezuan has joined
  98. sezuan has left
  99. sezuan has joined
  100. sezuan has left
  101. sezuan has joined
  102. sezuan has left
  103. sezuan has joined
  104. sezuan has left
  105. sezuan has joined
  106. pdurbin has joined
  107. sezuan has left
  108. sezuan has joined
  109. sezuan has left
  110. sezuan has joined
  111. sezuan has left
  112. sezuan has joined
  113. sezuan has left
  114. sezuan has joined
  115. sezuan has left
  116. sezuan has joined
  117. sezuan has left
  118. sezuan has joined
  119. sezuan has left
  120. sezuan has joined
  121. sezuan has left
  122. sezuan has joined
  123. sezuan has left
  124. sezuan has joined
  125. sezuan has left
  126. sezuan has joined
  127. sezuan has left
  128. sezuan has joined
  129. sezuan has left
  130. sezuan has joined
  131. pdurbin has left
  132. sezuan has left
  133. sezuan has joined
  134. sezuan has left
  135. sezuan has joined
  136. sezuan has left
  137. sezuan has joined
  138. sezuan has left
  139. sezuan has joined
  140. sezuan has left
  141. sezuan has joined
  142. sezuan has left
  143. sezuan has joined
  144. sezuan has left
  145. sezuan has joined
  146. neshtaxmpp has left
  147. andy has joined
  148. lumi has joined
  149. sezuan has left
  150. sezuan has joined
  151. kokonoe has left
  152. sezuan has left
  153. sezuan has joined
  154. kokonoe has joined
  155. sezuan has left
  156. sezuan has joined
  157. lumi has left
  158. sezuan has left
  159. sezuan has joined
  160. sezuan has left
  161. sezuan has joined
  162. sezuan has left
  163. sezuan has joined
  164. sezuan has left
  165. sezuan has joined
  166. sezuan has left
  167. sezuan has joined
  168. sezuan has left
  169. sezuan has joined
  170. sezuan has left
  171. sezuan has joined
  172. sezuan has left
  173. sezuan has joined
  174. sezuan has left
  175. sezuan has joined
  176. Mikaela has joined
  177. LNJ has joined
  178. sezuan has left
  179. j.r has joined
  180. sezuan has joined
  181. sezuan has left
  182. sezuan has joined
  183. sezuan has left
  184. sezuan has joined
  185. mimi89999 has joined
  186. sezuan has left
  187. sezuan has joined
  188. j.r has left
  189. sezuan has left
  190. sezuan has joined
  191. sezuan has left
  192. sezuan has joined
  193. sezuan has left
  194. sezuan has joined
  195. sezuan has left
  196. sezuan has joined
  197. sezuan has left
  198. sezuan has joined
  199. sezuan has left
  200. sezuan has joined
  201. sezuan has left
  202. aj has joined
  203. mimi89999 has left
  204. mimi89999 has joined
  205. waqas has left
  206. waqas has joined
  207. neshtaxmpp has joined
  208. j.r has joined
  209. wurstsalat has joined
  210. karoshi has left
  211. karoshi has joined
  212. pdurbin has joined
  213. kokonoe has left
  214. kokonoe has joined
  215. j.r has left
  216. j.r has joined
  217. pdurbin has left
  218. alameyo has left
  219. alameyo has joined
  220. lskdjf has joined
  221. alameyo has left
  222. alameyo has joined
  223. j.r has left
  224. j.r has joined
  225. Dele (Mobile) has joined
  226. goffi has joined
  227. Steve Kille has left
  228. vanitasvitae has left
  229. Steve Kille has joined
  230. vanitasvitae has joined
  231. j.r has left
  232. alameyo has left
  233. alameyo has joined
  234. aj has left
  235. neshtaxmpp has left
  236. waqas has left
  237. aj has joined
  238. Nekit has joined
  239. Steve Kille has left
  240. j.r has joined
  241. adityaborikar has left
  242. neshtaxmpp has joined
  243. UsL has left
  244. Dele (Mobile) has left
  245. Dele (Mobile) has joined
  246. j.r has left
  247. adityaborikar has joined
  248. pdurbin has joined
  249. j.r has joined
  250. pdurbin has left
  251. Steve Kille has joined
  252. kokonoe has left
  253. Lance has joined
  254. kokonoe has joined
  255. lovetox_ has joined
  256. lovetox_ has left
  257. pdurbin has joined
  258. Dele (Mobile) has left
  259. Dele (Mobile) has joined
  260. Steve Kille has left
  261. Dele (Mobile) has left
  262. Dele (Mobile) has joined
  263. Dele (Mobile) has left
  264. Dele (Mobile) has joined
  265. eevvoor has joined
  266. Lance has left
  267. rion has left
  268. rion has joined
  269. Steve Kille has joined
  270. pdurbin has left
  271. Dele (Mobile) has left
  272. Dele (Mobile) has joined
  273. adityaborikar has left
  274. Chobbes has joined
  275. adityaborikar has joined
  276. kokonoe has left
  277. adityaborikar has left
  278. kokonoe has joined
  279. Dele (Mobile) has left
  280. neshtaxmpp has left
  281. Dele (Mobile) has joined
  282. adityaborikar has joined
  283. lovetox it is getting ridicoulous with disco info
  284. lovetox i just added a feature, and this triggered hundreds of disco info requests
  285. lovetox this behavior is not scaleable
  286. lovetox we should do something about that
  287. Alex has left
  288. jonas’ server-side caps optimization
  289. Chobbes has left
  290. admin1234 has joined
  291. ralphm lovetox: what's the use case?
  292. rion has left
  293. rion has joined
  294. adityaborikar has left
  295. Dele (Mobile) has left
  296. admin1234 cineva roman pe aici ?
  297. admin1234 Daniel esti roman ?
  298. admin1234 david esti roman ?
  299. admin1234 admin1234 test
  300. admin1234 Kev help my please
  301. admin1234 has left
  302. Nekit has left
  303. Nekit has joined
  304. Yagiza has left
  305. mimi89999 has left
  306. adityaborikar has joined
  307. lovetox ralphm, im not sure what you mean
  308. lovetox not getting ddos'ed when you join some mucs?
  309. Ge0rG There is an experimental prosody module that will cache and auto deliver the disco#info for local clients.
  310. Ge0rG Unfortunately it's full of race conditions and/or doesn't work on prosody stable.
  311. ralphm lovetox: I didn't understand what you meant by you having added a feature.
  312. ralphm But now I do
  313. lovetox ralphm, its even worse
  314. Ge0rG lovetox: it's also the cause of a significant number of mobile wakeups, because there are also clients that join after you.
  315. lovetox because of a unfortunate example in the disco spec
  316. lovetox client add version numbers under the identity name attr
  317. lovetox means every new version of that client, you get spammed with disco info
  318. lovetox even though nothing changed about the caps
  319. Zash This is why I'm sceptical of version numbers in disco/caps
  320. lovetox in my opinion they should not be there, and nothing mandates that a version number has to be there
  321. lovetox its just devs put it there because its in one example i think
  322. lovetox we have 0092 for version
  323. lovetox there is no need to put this in disco info
  324. Zash Yeah. How often do you really need their version number?
  325. lovetox if i need it i request it
  326. lovetox of course it would be nice to have it in there, but the costs outweigh the benefits
  327. mimi89999 has joined
  328. lovetox and yeah i really almost never need the version number
  329. lovetox only if i display some details screen of the contact
  330. lovetox and if i open that its totally fine to send a 0092 request
  331. adityaborikar has left
  332. Ge0rG lovetox: you could submit a PR fixing the example
  333. pdurbin has joined
  334. debacle has joined
  335. adityaborikar has joined
  336. pdurbin has left
  337. ralphm But then it would have to come with a note to discourage the version?
  338. Lance has joined
  339. eevvoor lovetox does in gajim exist a bookmark export? jabber.de lost all bookmarks of some users during a downgrade in july I think. In Berlin_me
  340. eevvoor lovetox does in gajim exist a bookmark export? jabber.de lost all bookmarks of some users during a downgrade in july I think. In Berlin's Meetup MUC was discussed that so such export exists yet.
  341. ralphm Also, I think in practice this isn't as much of an issue: the hash is cached for all users, so only the very first encounter of a new hash will cause a disco request.
  342. ralphm As a developer, yeah, that might be less nice.
  343. Daniel I think lovetox gets the worst of it because he is the one to first have a new hash
  344. Daniel But I've made a note to remove the version from Conversations' cache
  345. ralphm From disco info, you mean?
  346. wurstsalat eevvoor, there was a plugin once, but it didn't get ported to 1.0 I think
  347. adityaborikar has left
  348. eevvoor wurstsalat, ah that is not long ago. cool, so there is something to build on.
  349. Daniel ralphm: yes
  350. ralphm lovetox: which example is it?
  351. wurstsalat eevvoor, https://dev.gajim.org/gajim/gajim-plugins/tree/gajim_0.16/offline_bookmarks
  352. eevvoor thx wurstsalat
  353. adityaborikar has joined
  354. Nekit has left
  355. Nekit has joined
  356. j.r has left
  357. Nekit has left
  358. neshtaxmpp has joined
  359. j.r has joined
  360. lovetox ralphm, https://xmpp.org/extensions/xep-0115.html#howitworks
  361. lovetox scroll a bit down
  362. Lance has left
  363. lovetox has left
  364. lovetox has joined
  365. lovetox yeah and i guess as developer im getting the worst of it
  366. lovetox but in Gajim exist plugins that alter the disco info to announce support for some feature
  367. aj has left
  368. aj has joined
  369. lovetox But either way a server caching disco infos would be great
  370. lovetox i dont see any drawbacks
  371. Lance has joined
  372. curen has joined
  373. pdurbin has joined
  374. Ge0rG lovetox: race conditions when you change the caps at runtime
  375. lovetox do you have an example?
  376. lovetox i dont see a problem there, server gets a request for a hash, either he has it then he answers, or not then he routes the IQ
  377. Zash You're supposed to include the caps hash in the @node when querying, so that should be detectable
  378. Ge0rG Zash: some clients ignore that @node
  379. lovetox Ge0rG, how is this relevant?
  380. Zash "Some clients are broken"
  381. Ge0rG And IIRC we have the issue that the node value can be gamed
  382. lovetox ok you lost me
  383. Ge0rG Where's caps 2.0 when you need it
  384. Lance has left
  385. pdurbin has left
  386. Ge0rG lovetox: https://xmpp.org/extensions/xep-0390.html
  387. Ge0rG https://mail.jabber.org/pipermail/security/2009-July/000812.html
  388. Zash https://modules.prosody.im/mod_inject_ecaps2.html
  389. Ge0rG The implication is that you must not use the cache across JIDs
  390. ralphm Screw that
  391. jonas’ Ge0rG, huh? with XEP-0390 it should be safe, no?
  392. ralphm The whole idea of CAPS is that the hash is not related to the JID
  393. Ge0rG jonas’: I think so. Did you ask waqas yet?
  394. Zash What would you gain by such an attack anyways?
  395. Yagiza has joined
  396. UsL has joined
  397. Ge0rG ralphm: the JID is the security boundary in this case
  398. jonas’ Ge0rG, I did
  399. Ge0rG jonas’: did he answer?
  400. jonas’ I don’t recall
  401. Ge0rG The XSF needs a new seal of approval, "Verified by waqas"
  402. lovetox there is not a single security relevant feature in disco info that comes to mind, that usual clients currently use
  403. lovetox and 0390 is save against all the attacks mentioned?
  404. jonas’ it should betm
  405. jonas’ at least as long as we stay on XML 1.0 :)
  406. debacle has left
  407. UsL has left
  408. lovetox from a quick read, it seems not much work client side
  409. kokonoe has left
  410. kokonoe has joined
  411. flow jonas’, what happens if we don't stay xml 1.0?
  412. Ge0rG flow: is there ecaps2 support in smack yet?
  413. j.r has left
  414. jonas’ flow, then the control characters used as separators become valid codepoints in XML (1.1) character data and are thus unsuitable as separators :)
  415. jonas’ (for the hash function input)
  416. Zash Then what? DER?
  417. Zash Or other TLV-ish thing?
  418. jonas’ prefix them with NUL should be safe
  419. Dele (Mobile) has joined
  420. Ge0rG Is NUL illegal in XML 1.1? I anticipate that class of bugs.
  421. lovetox jonas’, why do we need a separator?
  422. lovetox its not like we are parsing the string we create again later
  423. Ge0rG No, but if you can create ambiguity, you can poison the cache with junk data
  424. lovetox ah i get it
  425. lovetox hm
  426. adityaborikar has left
  427. lovetox but then it seems better to take < as separator but make sure every value
  428. lovetox as it will always be illigal as a value
  429. jonas’ lovetox, < can easily be contained in form field values
  430. lovetox only as lt or?
  431. lovetox not as <
  432. jonas’ lovetox, not to your application.
  433. jonas’ Ge0rG, yes, NUL is illegal in XML 1.1
  434. jonas’ lovetox, we need to look at the codepoint representation, not at the wireformat. the wireformat *could* be littered with &#number;-based escape codes creating *lots* of ambiguity and breaking the hashes. not to mention that many XML libraries won’t even give you access to that.
  435. lovetox you mean the lib converts &lt; to < before you have access to it?
  436. lovetox yes this would be a problem
  437. jonas’ I sure hope the library does that, just like I sure hope that it does the reverse path
  438. lovetox never thought about it, it just works :D
  439. lovetox but yes i think it does also in my case
  440. j.r has joined
  441. jonas’ so, yeah, you need to use a codepoint (or sequence of codepoints) which is invalid in XML character data as separator
  442. jonas’ go-to approach which is safe for XML 1.1 would be NUL + something
  443. aj has left
  444. Douglas Terabyte has joined
  445. Mikaela has left
  446. Mikaela has joined
  447. Mikaela has left
  448. Mikaela has joined
  449. Nekit has joined
  450. goffi has left
  451. ralphm I think it is unlikely we'd ever switch to 1.1.
  452. matlag has left
  453. jonas’ me too
  454. eve has left
  455. eve has joined
  456. neshtaxmpp has left
  457. Alex has joined
  458. neshtaxmpp has joined
  459. pdurbin has joined
  460. arc has left
  461. arc has joined
  462. curen has left
  463. pdurbin has left
  464. sezuan has joined
  465. sezuan has left
  466. j.r has left
  467. sezuan has joined
  468. Ge0rG jonas’: could you make ecaps2 future proof by prepending NUL to each separator?
  469. dele2 has joined
  470. waqas has joined
  471. Dele (Mobile) has left
  472. dele2 has left
  473. Yagiza has left
  474. Yagiza has joined
  475. goffi has joined
  476. Dele (Mobile) has joined
  477. sezuan has left
  478. sezuan has joined
  479. sezuan has left
  480. sezuan has joined
  481. alameyo has left
  482. alameyo has joined
  483. Dele (Mobile) has left
  484. Dele (Mobile) has joined
  485. kokonoe has left
  486. kokonoe has joined
  487. sezuan has left
  488. jonas’ Ge0rG, it’s in the queue
  489. Dele (Mobile) has left
  490. jonas’ I might actually have the diff somewhere
  491. Yagiza has left
  492. Daniel has left
  493. Daniel has joined
  494. j.r has joined
  495. pdurbin has joined
  496. pdurbin has left
  497. kokonoe has left
  498. kokonoe has joined
  499. eevvoor has left
  500. j.r has left
  501. j.r has joined
  502. xnamed has joined
  503. Chobbes has joined
  504. xnamed has left
  505. xnamed has joined
  506. j.r has left
  507. Chobbes has left
  508. Chobbes has joined
  509. j.r has joined
  510. kokonoe has left
  511. madhur.garg has left
  512. Chobbes has left
  513. Chobbes has joined
  514. Chobbes has left
  515. Chobbes has joined
  516. goffi has left
  517. kokonoe has joined
  518. madhur.garg has joined
  519. Chobbes has left
  520. Chobbes has joined
  521. Chobbes has left
  522. Chobbes has joined
  523. Chobbes has left
  524. Chobbes has joined
  525. Chobbes has left
  526. Chobbes has joined
  527. adityaborikar has joined
  528. pdurbin has joined
  529. j.r has left
  530. dele3 has left
  531. pdurbin has left
  532. rion has left
  533. Chobbes has left
  534. valo has left
  535. valo has joined
  536. lovetox has left
  537. larma has left
  538. kokonoe has left
  539. larma has joined
  540. kokonoe has joined
  541. Alex has left
  542. Alex has joined
  543. larma has left
  544. larma has joined
  545. wurstsalat has left
  546. karoshi has left
  547. Chobbes has joined
  548. murabito has left
  549. Tobias has left
  550. murabito has joined
  551. moparisthebest has left
  552. moparisthebest has joined
  553. Chobbes has left
  554. Nekit has left
  555. lskdjf has left
  556. pdurbin has joined
  557. jcbrand has left