Kev: Now to try and make sure I don't get caught up in the next half hour.
ralphm has joined
MattJ has joined
m&m: ding!
m&m: dong?
Tobias: pling
m&m: SYN
Tobias: FIN
m&m has left
m&m has joined
m&m: I take it Kev got distracted in that 30 minutes
Kev: Boom.
ralphm: :-)
Kev: I'm here.
Kev: I'm really looking forward to everything settling down.
Kev: So...
Kev: 1) Roll call
Kev: I'm here. Honest.
ralphm: I'm here!
m&m: present
Tobias: so am I
Kev: MattJ: ?
MattJ: Present
Kev: Marvellous
Kev: 2) End of CfE on 71.
MattJ: I know there is some "experience" in the works, from waqas
MattJ: I'll poke him about that
Kev: One largeish question here is whether we want to follow through on that W3C feedback we're supposed to be getting.
Tobias: and the current feedback has mostly been on how to handle unformatted or other-formatted parts of the message
m&m: I agree with stpeter on this one … it won't be realistic to get a formal review from W3C folk
MattJ: I think that's fine with me
m&m: I remember asking some to look at it informally, and no one squawked
m&m: meaning, no one had big problems with the spec
Kev: I don't have strong opinions that we need the review - given that it's already just a subset of their work.
Tobias: what would be the expected result anyway? we just reduced their basic XHTML, right?
waqas has joined
ralphm: Tobias: good point
m&m: /nod
Kev: ralphm: Why was it a good point when he said it, and not when I said it a minute earlier? :p
Kev: So, the next question is whether we feel ready to advance it now.
ralphm: Kev: it's personal
Kev: Course it is.
ralphm: waqas: do you feel we need to wait for your experience?
waqas: ralphm: To summarize, I have looked at various XHTML-IM client implementations. The number I couldn't compromise was zero.
waqas: This includes popular clients, such as Jappix, Pandion, Candy, etc.
ralphm: So that's good.
waqas: (I was looking at web based clients, or clients embedding a browser control)
waqas: I was able to compromise them. That's good? :)
ralphm: My only personal experiences are with Adium (which does some horrible tricks with URLs) and Gajim (for which I'd prefer disabling specific styles due to Adium and iChat), but on the whole it looks good.
Tobias: waqas, in the sense that you found the issue ;)
Kev: I might be inclined to think that advancing a spec that no-one has managed to implement sensibly is ill advised.
Tobias: Kev, how can we change the situation?
m&m: have these projects been approached regarding the compromises?
MattJ: More security notes? :)
Tobias: MattJ, yeah...bigger warning signs :P
Kev: waqas: Did you let any of the projects know about the vulnerabilities?
waqas: I also found lots of other security issues in web clients. Needless to say, I won't be trusting them unless I review the code. The only clients I couldn't compromise were too simple to be of much use.
Kev: Were they consistent attacks, or did they each have different issues?
waqas: Kev: Not yet. I'll be writing emails.
ralphm: waqas: I assume most clients just take some locally available browser-like widget and throw the incoming message at it?
m&m: without scrubbing
waqas: They were different issues. The clients I named went to quite some effort to sanitize the data, but left some cases uncovered.
waqas: The style attribute is particularly troublesome. All failed to properly sanitize that.
Tobias: MattJ, although it's true that the current security considerations aren't quite little
Kev: Should we be disallowing style?
MattJ: Tobias, indeed
ralphm: I suppose the only thing that can be done is file tickets against the respective projects and provide examples of exploiting messages and their unwanted behavior.
MattJ: I think the security notices and examples are our best shot at preventing this
m&m: yes
MattJ: Obviously notifying existing projects is a given, but it's our job to fix the spec, more importantly (if possible)
Tobias: right
MattJ: Security issues are the nature of HTML and CSS rendering, as the web has taught us :)
ralphm: Kev: I don't believe disallowing style will help one bit, in reality
Kev: ralphm: That may well be. I'm just asking the obvious question :)
MattJ: Thank $AUTHORS we don't support Javascript
m&m: disallowing style is effectively disallowing rich text
ralphm: MattJ: but do implementations?
Kev: MattJ: Don't go there.
Tobias: m&m, right...that'd cut the featureset quite down
Kev: m&m: Well, yes, kinda. Depending whether we allowed a separate CSS block or whatever. It depends what the big problems here are.
Tobias: don't other technologies like HTML based e-mail have similar problems? but that probably isn't standardized, right?
waqas: Kev: My recommendation would be to never use blacklists for anything, always whitelists, including for CSS values.
ralphm: If we would want to be thorough, we could provide a reference implementation that does do this properly.
Kev: ralphm: If we think we're capable of doing it properly :)
ralphm: Kev: well yeah, it would take quite some time and effort, too
Kev: The consensus (I think) that I'm hearing is that this isn't ready to go to Final and needs attention for security issues.
Kev: And that should probably happen on list, rather than here.
m&m: +1
Tobias: +1
ralphm: Kev: yeah
ralphm: Kev: at the very least the word 'whitelist' probably should be in there
ralphm: essentially something similar to what the universal feed parser does for RSS/Atom
Kev: OK.
Kev: MattJ: You happy with that too?
MattJ: wfm
Kev: OK.
Kev: 3) Date of next.
Kev: I should be here next Wednesday. Others?
waqas: I'm a bit concerned about the state of web clients. I tested around half the webclients in the xmpp.org client list. All except one were vulnerable in one way or another.
m&m: SBTSBC WFM
ralphm: Kev: point of order, did we formally vote just now?
MattJ: Next week wfm
Tobias: ditto
Kev: ralphm: I believe we just agreed to delay voting until later.
ralphm: interesting
Kev: That is - we didn't decide to move it to deprecated or final, we left it as it was with an intention to vote later once it's been updated.
Kev: But what do I know.
Kev: 4) Any other business?
ralphm: none
m&m: nay
Tobias: none here for now
MattJ: nack
Kev: Marvellous.
MattJ: I know I've said this before, but in the past week I've been ploughing my spare time into XEP-0313
Kev: MattJ: Marvellous :)
MattJ: So expect a submission shortly
MattJ: There are just a couple of open issues, I'll post those to the list after updating