-
Kev
I'm here with 30mins to spare. Hoorah.
-
Kev
Now to try and make sure I don't get caught up in the next half hour.
-
m&m
ding!
-
m&m
dong?
-
Tobias
pling
-
m&m
SYN
-
Tobias
FIN
-
m&m
I take it Kev got distracted in that 30 minutes
-
Kev
Boom.
-
ralphm
:-)
-
Kev
I'm here.
-
Kev
I'm really looking forward to everything settling down.
-
Kev
So...
-
Kev
1) Roll call
-
Kev
I'm here. Honest.
-
ralphm
I'm here!
-
m&m
Present
-
Tobias
so am i
-
Kev
MattJ: ?
-
MattJ
Present
-
Kev
Marvellous
-
Kev
2) End of CfE on 71.
-
MattJ
I know there is some "experience" in the works, from waqas
-
MattJ
I'll poke him about that
-
Kev
One largeish question here is whether we want to follow through on that W3C feedback we're supposed to be getting.
-
Tobias
and the current feedback has mostly been on how to handle unformatted or other-formatted parts of the message
-
m&m
I agree with stpeter on this one … it won't be realistic to get a formal review from W3C folk
-
MattJ
I think that's fine with me
-
m&m
I remember asking some to look at it informally, and no one squawked
-
m&m
meaning, no one had big problems with the spec
-
Kev
I don't have strong opinions that we need the review - given that it's already just a subset of their work.
-
Tobias
what would be the expected result anyway? we just reduced their basic XHTML, right?
-
ralphm
Tobias: good point
-
m&m
/nod
-
Kev
ralphm: Why was it a good point when he said it, and not when I said it a minute earlier? :p
-
Kev
So, the next question is whether we feel ready to advance it now.
-
ralphm
Kev: it's personal
-
Kev
Course it is.
-
ralphm
waqas: do you feel we need to wait for your experience?
-
waqas
ralphm: To summarize, I have looked at various XHTML-IM client implementations. The number I couldn't compromise was zero.
-
waqas
This includes popular clients, such as Jappix, Pandion, Candy, etc
-
ralphm
So that's good.
-
waqas
(I was looking at web based clients, or clients embedding a browser control)
-
waqas
I was able to compromise them. That's good? :)
-
ralphm
My only personal experiences are with Adium (which does some horrible tricks with URLs) and Gajim (for which I'd prefer disabling specific styles due to Adium and iChat), but on the whole it looks good.
-
Tobias
waqas, in the sense that you found the issue ;)
-
Kev
I might be inclined to think that advancing a spec that no-one has managed to implement sensibly is ill advised.
-
Tobias
Kev, how can we change the situation?
-
m&m
have these projects been approached regarding the compromises?
-
MattJ
More security notes? :)
-
Tobias
MattJ, yeah...bigger warning signs :P
-
Kev
waqas: Did you let any of the projects know about the vulnerabilities?
-
waqas
I also found lots of other security issues in web clients. Needless to say, I won't be trusting them unless I review the code. The only clients I couldn't compromise were too simple to be of much use.
-
Kev
Were they consistent attacks, or did they each have different issues?
-
waqas
Kev: Not yet. I'll be writing emails.
-
ralphm
waqas: I assume most clients just take some locally available browser-like widget and throw the incoming message at it?
-
m&m
without scrubbing
-
waqas
They were different issues. The clients I named went to quite some effort to sanitize the data, but left some cases uncovered.
-
waqas
The style attribute is particularly troublesome. All failed to properly sanitize that.
-
Tobias
MattJ, although it's true that the current security considerations aren't quite little
-
Kev
Should we be disallowing style?
-
MattJ
Tobias, indeed
-
ralphm
I suppose the only thing that can be done is file tickets against the respective projects and provide examples of exploiting messages and their unwanted behavior.
-
MattJ
I think the security notices and examples are our best shot at preventing this
-
m&m
yes
-
MattJ
Obviously notifying existing projects is a given, but it's our job to fix the spec, more importantly (if possible)
-
Tobias
right
-
MattJ
Security issues are the nature of HTML and CSS rendering, as the web has taught us :)
-
ralphm
Kev: I don't believe disallowing style will help one bit, in reality
-
Kev
ralphm: That may well be. I'm just asking the obvious question :)
-
MattJ
Thank $AUTHORS we don't support Javascript
-
m&m
disallowing style is effectively disallowing rich text
-
ralphm
MattJ: but do implementations?
-
Kev
MattJ: Don't go there.
-
Tobias
m&m, right...that'd cut the featureset quite down
-
Kev
m&m: Well, yes, kinda. Depending whether we allowed a separate CSS block or whatever. It depends what the big problems here are.
-
Tobias
don't other technologies like HTML based e-mail have similar problems? but that probably isn't standardized, right?
-
waqas
Kev: My recommendation would be to never use blacklists for anything, always whitelists, including for CSS values.
-
ralphm
If we would want to be thorough, we could provide a reference implementation that does do this properly.
-
Kev
ralphm: If we think we're capable of doing it properly :)
-
ralphm
Kev: well yeah, it would take quite some time and effort, too
-
Kev
The consensus (I think) that I'm hearing is that this isn't ready to go to Final and needs attention for security issues.
-
Kev
And that should probably happen on list, rather than here.
-
m&m
+1
-
Tobias
+1
-
ralphm
Kev: yeah
-
ralphm
Kev: at the very least the word 'whitelist' probably should be in there
-
ralphm
essentially something similar to what the universal feed parser does for RSS/Atom
-
Kev
OK.
-
Kev
MattJ: You happy with that too?
-
MattJ
wfm
-
Kev
OK.
-
Kev
3) Date of next.
-
Kev
I should be here next Wednesday. Others?
-
waqas
I'm a bit concerned about the state of web clients. I tested around half the webclients in the xmpp.org client list. All except one were vulnerable in one way or another.
-
m&m
SBTSBC WFM
-
ralphm
Kev: point of order, did we formally vote just now?
-
MattJ
Next week wfm
-
Tobias
ditto
-
Kev
ralphm: I believe we just agreed to delay voting until later.
-
ralphm
interesting
-
Kev
That is - we didn't decide to move it to deprecated or final, we left it as it was with an intention to vote later once it's been updated.
-
Kev
But what do I know.
-
Kev
4) Any other business?
-
ralphm
none
-
m&m
nay
-
Tobias
none here for now
-
MattJ
nack
-
Kev
Marvellous.
-
MattJ
I know I've said this before, but in the past week I've been ploughing my spare time into XEP-0313
-
Kev
MattJ: Marvellous :)
-
MattJ
So expect a submission shortly
-
MattJ
There are just a couple of open issues, I'll post those to the list after updating
-
Tobias
!xep 313
-
Kanchil
Tobias: XEP-0313(mam): http://xmpp.org/extensions/xep-0313.html Message Archive Management - Standards Track/Experimental - Updated: 2012-04-18
-
MattJ
m&m, you're also owing a Carbons update for forwarding encapsulation
-
MattJ
but I won't shout at you until I've pushed 313 :)
-
Kev
Anyway ...
-
Kev
I think we're done.
-
MattJ
Yup, thanks
- Kev bangs the gavel.
-
Kev
Thanks all.
-
Tobias
thank you
-
ralphm
Arrrr
-
m&m
Avast! Ye be following the code fer this auspicious day!