XSF Discussion - 2020-03-03


  1. debacle has left
  2. david has joined
  3. Daniel has left
  4. Daniel has joined
  5. Daniel has left
  6. pdurbin has joined
  7. andrey.g has joined
  8. Daniel has joined
  9. Alex has left
  10. Alex has joined
  11. pdurbin has left
  12. karoshi has left
  13. xelxebar has left
  14. larma has left
  15. Daniel has left
  16. xelxebar has joined
  17. Daniel has joined
  18. larma has joined
  19. winfried has left
  20. winfried has joined
  21. winfried has left
  22. winfried has joined
  23. Daniel has left
  24. Daniel has joined
  25. lskdjf has left
  26. strypey has joined
  27. Daniel has left
  28. Daniel has joined
  29. pdurbin has joined
  30. mukt2 has joined
  31. pdurbin has left
  32. mukt2 has left
  33. Yagiza has joined
  34. Nekit has joined
  35. david has left
  36. david has joined
  37. pdurbin has joined
  38. mukt2 has joined
  39. david has left
  40. mukt2 has left
  41. david has joined
  42. moparisthebest has left
  43. moparisthebest has joined
  44. moparisthebest has left
  45. moparisthebest has joined
  46. moparisthebest has left
  47. moparisthebest has joined
  48. andy has joined
  49. strypey has left
  50. Steve Kille has joined
  51. raghavgururajan has joined
  52. pdurbin has left
  53. david has left
  54. david has joined
  55. Daniel has left
  56. Daniel has joined
  57. Jeybe has joined
  58. pdurbin has joined
  59. raghavgururajan has left
  60. raghavgururajan has joined
  61. mukt2 has joined
  62. raghavgururajan has left
  63. raghavgururajan has joined
  64. raghavgururajan has left
  65. raghavgururajan has joined
  66. Tobias has joined
  67. lorddavidiii has joined
  68. raghavgururajan has left
  69. raghavgururajan has joined
  70. raghavgururajan has left
  71. raghavgururajan has joined
  72. mukt2 has left
  73. raghavgururajan has left
  74. raghavgururajan has joined
  75. rion has left
  76. Nekit has left
  77. rion has joined
  78. Nekit has joined
  79. Daniel has left
  80. Daniel has joined
  81. pdurbin has left
  82. LNJ has joined
  83. pdurbin has joined
  84. paul has joined
  85. Steve Kille has left
  86. waqas has left
  87. pdurbin has left
  88. karoshi has joined
  89. raghavgururajan has left
  90. raghavgururajan has joined
  91. raghavgururajan has left
  92. lorddavidiii has left
  93. mukt2 has joined
  94. lorddavidiii has joined
  95. mukt2 has left
  96. Marc has joined
  97. strypey has joined
  98. lorddavidiii has left
  99. lorddavidiii has joined
  100. strypey has left
  101. strypey has joined
  102. lorddavidiii has left
  103. lorddavidiii has joined
  104. paul has left
  105. Maranda has left
  106. Maranda has joined
  107. paul has joined
  108. lorddavidiii has left
  109. krauq has left
  110. lorddavidiii has joined
  111. krauq has joined
  112. lorddavidiii has left
  113. lorddavidiii has joined
  114. krauq has left
  115. pdurbin has joined
  116. mukt2 has joined
  117. strypey has left
  118. strypey has joined
  119. remko has joined
  120. debxwoody has joined
  121. pdurbin has left
  122. debxwoody has left
  123. Steve Kille has joined
  124. mukt2 has left
  125. matkor has left
  126. matkor has joined
  127. krauq has joined
  128. lorddavidiii has left
  129. lorddavidiii has joined
  130. Steve Kille has left
  131. vanitasvitae has left
  132. vanitasvitae has joined
  133. sonny has left
  134. sonny has joined
  135. mukt2 has joined
  136. debacle has joined
  137. mukt2 has left
  138. Zash has left
  139. Zash has joined
  140. Steve Kille has joined
  141. goffi has joined
  142. lorddavidiii has left
  143. eevvoor has joined
  144. lorddavidiii has joined
  145. pdurbin has joined
  146. lskdjf has joined
  147. Daniel has left
  148. Daniel has joined
  149. pdurbin has left
  150. mukt2 has joined
  151. mimi89999 has left
  152. Steve Kille has left
  153. mukt2 has left
  154. Steve Kille has joined
  155. remko has left
  156. remko has joined
  157. strypey has left
  158. strypey has joined
  159. marc0s jonas’, thanks for the lengthy and detailed response about Reminders. I really appreciate it
  160. jonas’ you’re welcome
  161. pdurbin has joined
  162. eta has left
  163. eta has joined
  164. remko has left
  165. strypey has left
  166. strypey has joined
  167. pdurbin has left
  168. LNJ has left
  169. Steve Kille has left
  170. Steve Kille has joined
  171. remko has joined
  172. debacle has left
  173. mukt2 has joined
  174. Maranda has left
  175. Steve Kille has left
  176. lorddavidiii has left
  177. remko has left
  178. lorddavidiii has joined
  179. Maranda has joined
  180. lorddavidiii has left
  181. remko has joined
  182. lorddavidiii has joined
  183. mukt2 has left
  184. strypey has left
  185. remko has left
  186. lskdjf has left
  187. lskdjf has joined
  188. eevvoor has left
  189. remko has joined
  190. remko has left
  191. remko has joined
  192. mimi89999 has joined
  193. remko has left
  194. eta has left
  195. Jeybe has left
  196. remko has joined
  197. Jeybe has joined
  198. Half-Shot[m] has left
  199. pdurbin has joined
  200. pdurbin has left
  201. pdurbin has joined
  202. eta has joined
  203. Steve Kille has joined
  204. mukt2 has joined
  205. lorddavidiii has left
  206. mimi89999 has left
  207. lorddavidiii has joined
  208. mukt2 has left
  209. mimi89999 has joined
  210. eevvoor has joined
  211. raghavgururajan has joined
  212. Marc has left
  213. Marc has joined
  214. andy has left
  215. LNJ has joined
  216. Link Mauve So, since I’m now doing an internship, I probably should change my member status.
  217. Link Mauve How can I do that?
  218. Link Mauve Also hi, I’m adding XEP-0284 support to Inkscape. o/
  219. jonas’ Link Mauve, member status?
  220. Link Mauve jonas’, the employer thing.
  221. jonas’ I just edit my wiki page
  222. Link Mauve I don’t have one yet. :-°
  223. andy has joined
  224. Marc has left
  225. flow Link Mauve, yeah, xep284 is one of my all time favorites (along with the gobby protocol)
  226. Link Mauve What are the differences between them?
  227. flow you may want to compare those two from a protocol perspective, although the gobby one isn't that well documented IIRC
  228. Link Mauve Also with other protocols such as Etherpad’s or CryptPad’s?
  229. flow I have no idea which one is better. But it could be worth putting some research effort into a survey of the existing protocols for collaborative xml editing
  230. Link Mauve Yeah.
  231. Link Mauve And then merge all of the improvements into XEP-0284. :p
  232. pdurbin has left
  233. lorddavidiii has left
  234. Douglas Terabyte has left
  235. Douglas Terabyte has joined
  236. lorddavidiii has joined
  237. raghavgururajan has left
  238. Half-Shot has left
  239. Half-Shot has joined
  240. lorddavidiii has left
  241. eta has left
  242. lorddavidiii has joined
  243. raghavgururajan has joined
  244. lorddavidiii has left
  245. remko has left
  246. remko has joined
  247. Wojtek has joined
  248. raghavgururajan has left
  249. jonas’ stay away from etherpad
  250. jonas’ it uses the broken JavaScript unicode model
  251. jonas’ with UTF-16 everywhere.
  252. moparisthebest if you have to stay away from broken javascript that's like 99% of the web
  253. moparisthebest though now that you mention it, sounds kind of nice...
  254. lorddavidiii has joined
  255. Ge0rG I've heard there are still parts of the web that you can surf with noscript.
  256. raghavgururajan has joined
  257. jonas’ s.j.n for example
  258. jonas’ though you won’t get the fancy charts
  259. Link Mauve jonas’, I’m using XMPP, so UTF-8 everywhere.
  260. jonas’ Link Mauve, the etherpad protocol data model assumes UTF-16
  261. jonas’ so stay away from that
  262. Link Mauve Ok.
  263. Ge0rG nothing is wrong with UTF-16. It's only when you treat it as UCS-2 that things start going wrong.
  264. j.r has left
  265. lorddavidiii has left
  266. lorddavidiii has joined
  267. remko has left
  268. lorddavidiii has left
  269. eta has joined
  270. lorddavidiii has joined
  271. lorddavidiii has left
  272. j.r has joined
  273. lorddavidiii has joined
  274. remko has joined
  275. lorddavidiii has left
  276. lorddavidiii has joined
  277. lorddavidiii has left
  278. lorddavidiii has joined
  279. lorddavidiii has left
  280. lorddavidiii has joined
  281. Jeybe has left
  282. Jeybe has joined
  283. j.r has left
  284. j.r has joined
  285. lorddavidiii has left
  286. lorddavidiii has joined
  287. eta has left
  288. eta has joined
  289. pdurbin has joined
  290. Jeybe has left
  291. Jeybe has joined
  292. Nekit has left
  293. Nekit has joined
  294. lorddavidiii has left
  295. pdurbin has left
  296. lorddavidiii has joined
  297. lorddavidiii has left
  298. lorddavidiii has joined
  299. Steve Kille has left
  300. moparisthebest is https://xmpp.org/software/servers.html a pretty complete list still? does anyone know of widely deployed public servers not on this list?
  301. Link Mauve In the XEP schema, <dl/> is specified as only taking a list of <di/>, each containing a <dt/> and a <dd/>.
  302. Link Mauve The <di/> is not specified in XHTML AFAIK, why is it present here?
  303. Zash XEP ≠ XHTML tho
  304. Link Mauve But the XSLT transfers the <di/> to the generated HTML5.
  305. Link Mauve As is.
  306. Zash That sounds like a bug
  307. Link Mauve Indeed.
  308. Link Mauve I’ll use it in the meantime, but I’ll keep it in mind.
  309. lorddavidiii has left
  310. lorddavidiii has joined
  311. moparisthebest other than prosody, XMPP servers seem very bad about having a place to report security problems...
  312. moparisthebest ejabberd and tigase just link to github issues, openfire links to a forum and public issue tracker
  313. lovetox has joined
  314. jonas’ Link Mauve, feel free to file an issue and/or patch
  315. moparisthebest isode, iot broker, astrachat nothing at all
  316. debacle has joined
  317. moparisthebest apache vysper joins prosody in having a very visible defined way to report security issues
  318. Link Mauve jonas’, https://github.com/xsf/xeps/pull/900
  319. Link Mauve moparisthebest, maybe report them the issue?
  320. moparisthebest and the rest have a developer email/jid if you dig deep enough, which isn't *terrible*
  321. jonas’ Link Mauve, looks good, I’ll add it to the queue for tonight
  322. moparisthebest Link Mauve, right, how :D
  323. Link Mauve moparisthebest, using a normal issue I guess? ^^'
  324. jonas’ moparisthebest, you could use a normal issue to report the problem that there’s no security contact.
  325. jonas’ though github issues nowadays also have a way to be hidden for security reasons, IIRC
  326. Link Mauve Oh, do they?
  327. moparisthebest And the 3 servers that have no way to contact anyone at all?
  328. moparisthebest Email sales?
  329. jonas’ fulldisclosure@seclists.org
  330. remko has left
  331. remko has joined
  332. Steve Kille has joined
  333. raghavgururajan has left
  334. remko has left
  335. remko has joined
  336. Steve Kille has left
  337. waqas has joined
  338. waqas has left
  339. moparisthebest I don't think I care that much, if they don't, why should I
  340. moparisthebest I'll just post it on a blog or something and if they are vulnerable to a 0 day maybe they'll create a security email :)
  341. Kev Isode provides snail mail, phone, fax and email (through web form) contact details on the website, and customers obviously have a support system to submit things through. So I think 'nothing at all' in terms of ability to get in contact is pushing it a little bit.
  342. moparisthebest and no place to report specifically security issues, I guess a web form might go to someone who could handle them, it's not obvious though
  343. Kev Any (provided) contact mechanism would ultimately end up at someone who could handle the query.
  345. Kev Or if you think you've found a vulnerability in M-Link, feel free to just bypass that and email me.
  346. moparisthebest in this case it's more of a general bug that may affect multiple servers, but just in general having a dedicated security problem reporting method is ideal
  347. Kev It's not clear to me that it would be any more useful than the generic contact details, TBH.
  348. Kev I can see how for an OSS project where the contact details are "Open a public ticket viewable by the world" it would be.
  349. jonas’ Kev, in 90% of the companies, the generic contact form will end up at a clueless person who deflects your request or it takes ages to proceed
  350. jonas’ having a proper security contact is superior to that
  351. moparisthebest https://www.apache.org/security/ this is considered a good way to handle it
  352. Kev jonas’: I don't believe that to be true at Isode.
  353. Kev In fact, I believe we have precisely 0 clueless people on staff.
  354. moparisthebest https://www.astrachat.com/Contact.aspx for example only has sales emails
  355. remko has left
  356. remko has joined
  357. jonas’ Kev, but as a security researcher, you can’t know in advance
  358. moparisthebest https://letsencrypt.org/contact/ https://prosody.im/bugs/ also examples of prominent "security issues go here"
  359. Yagiza has left
  360. pdurbin has joined
  361. remko has left
  362. Nekit has left
  363. Syndace has left
  364. pdurbin has left
  365. Wojtek moparisthebest in case of Tigase you can use contact form here https://tigase.net/technical-support (3rd option, though naming may be confusing); besides - due to size and how we handle communication internally we didn't/don't feel that dedicated security channel was required
  366. remko has joined
  367. raghavgururajan has joined
  368. moparisthebest Wojtek, the "If you have our support subscription use the form to send us a message" button?
  369. Wojtek you give example of LE, and even they put a bold: "Please do not write to this address unless your message concerns a security issue with Let’s Encrypt." because, from experience, when you put an email in public place, it's quite often spammed with people ignoring its intent, sadly ¯\_(ツ)_/¯
  370. Wojtek yes, this one (as I said - naming may be confusing - I'll forward your suggestion to relevant person)
  371. moparisthebest ah yea, I would not have used that unless you said :)
  372. Wojtek sooorryyy :-)
  373. Wojtek in general support without subscription should go to github :-)
  374. Wojtek btw. wasn't there a XSF security mailing list?
  375. pep. there is still, maybe. Seems abandoned though
  376. waqas has joined
  377. waqas has left
  378. Wojtek yeah, but it also seems public so I'm not sure it's viable in this case (I *thought* that it wasn't, or at least its archive wasn't)
  379. Wojtek has left
  380. Wojtek has joined
  381. Wojtek @moparisthebest could you ping me on xmpp:wojtek@tigase.org ?
  382. fippo there was a server-devs mailing list which was created and then used for the dialback bugs.
  383. fippo unused since probably
  384. Dele Olajide has left
  385. Dele Olajide has joined
  386. Marc has joined
  387. Kev Indeed, but it is intended for this type of thing.
  388. moparisthebest did those bugs let you crash a good amount of public servers though?
  389. jonas’ that sounds fun
  390. jonas’ crash as in crash?
  391. jonas’ as in total DoS?
  392. moparisthebest this probably shouldn't be public until fixes are out, I've sent it to a number of server devs so far
  393. jonas’ via s2s or authenticated c2s or unauthenticated c2s?
  394. jonas’ yeah
  395. moparisthebest no data leaks, just crash (thankfully?)
  396. jonas’ sounds like something to embargo
  397. fippo no crashes, it was an authentication bypass.
  398. moparisthebest unauthenticated c2s :'( (probably s2s also)
  399. Kev It wasn't a crash, it was an authentication bypass.
  400. Kev Heh.
  401. fippo also just checking: it's not a variant of billion laughs?
  402. moparisthebest I haven't heard of that
  403. jonas’ moparisthebest, ouchie
  404. fippo https://en.wikipedia.org/wiki/Billion_laughs_attack -- there was an xmpp variant of it as well
  405. jonas’ moparisthebest, billion laughs is exponential entity expansion. define an XML entity &foo; which expands to &bar;&bar;, define &bar; to expand to &baz;&baz; and so on.
  406. moparisthebest ah, now that's nice, but no this isn't the same
  408. pep. aren't XMPP parsers not supposed to handle undefined entities?
  409. jonas’ pep., and, more importantly, not supposed to handle entity definitions ;)
  410. Kev Indeed.
  411. pep. right
  412. Kev Not quite the same as people doing the right thing, though :)
  413. jonas’ pep., as we all know, people take shortcuts when implementing stuff
  414. jonas’ and if the shortcut is "not configuring your parser properly" ...
  415. pep. Indeed
  416. fippo well, this came up again a couple of years after the initial CVE. Happens all the time.
  417. moparisthebest now those are some hilarious links https://www.cio.com/article/3082084/xml-is-toast-long-live-json.html https://github.com/kubernetes/kubernetes/issues/83253 "CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack"
  418. jonas’ relevant: https://noyaml.com
  419. Dele Olajide has left
  420. andrey.g has left
  421. Wojtek has left
  422. Wojtek has joined
  423. Wojtek has left
  424. Wojtek has joined
  425. Wojtek has left
  426. Wojtek has joined
  427. Wojtek has left
  428. Wojtek has joined
  429. Wojtek has left
  430. Wojtek has joined
  431. raghavgururajan has left
  432. Wojtek has left
  433. Wojtek has joined
  434. Wojtek has left
  435. Ge0rG When I got my dozen of xmpp clients CVE, I contacted all the developers manually
  436. david has left
  437. david has joined
  438. lovetox has left
  439. raghavgururajan has joined
  440. Jeybe has left
  441. Jeybe has joined
  442. Wojtek has joined
  443. eta has left
  444. eta has joined
  445. Syndace has joined
  446. david has left
  447. david has joined
  448. Half-Shot has left
  449. Half-Shot has joined
  450. raghavgururajan has left
  451. raghavgururajan has joined
  452. Nekit has joined
  453. LNJ has left
  454. raghavgururajan has left
  455. APach has left
  456. raghavgururajan has joined
  457. remko has left
  458. andy has left
  459. Tobias has left
  460. j.r has left
  461. j.r has joined
  462. j.r has left
  463. j.r has joined
  464. Nekit has left
  465. j.r has left
  466. j.r has joined
  467. j.r has left
  468. eevvoor has left
  469. j.r has joined
  470. Steve Kille has joined
  471. pdurbin has joined
  472. pdurbin has left
  473. Syndace has left
  474. Marc has left
  475. Marc has joined
  476. Syndace has joined
  477. Steve Kille has left
  478. Marc has left
  479. Marc has joined
  480. paul has left
  481. Marc has left
  482. lorddavidiii has left
  483. robertooo has left
  484. Jeybe has left
  485. robertooo has joined
  486. Jeybe has joined
  487. goffi has left
  488. Wojtek has left
  489. Daniel has left
  490. Daniel has joined
  491. raghavgururajan has left
  492. aj has joined
  493. aj has left
  494. david has left
  495. Daniel has left
  496. Daniel has joined
  497. david has joined
  498. Daniel has left
  499. Jeybe has left
  500. Daniel has joined
  501. pdurbin has joined
  502. xelxebar has left