jdev - 2020-01-02

anyone knows of a totp/hotp client with GUI on linux?

i only find commandline tools where i have to specify the key everytime again

I know only mobile variants, tho that's technically on Linux

lovetox, can’t you store the key somewhere and pipe that into your CLI tool automatically?

Link Mauve, i can imagine this works for you with your 500 keystrokes per minute

i want a simple gui, where all my pages are listed, i click one button and get a new password for that page

Isn't the point that a second physical device is needed?

lovetox, what is a page in this context?

a website

wrap the cli in a script and pop up a dialog with zenity?

ah foundone

https://github.com/search?q=totp+gui has a few results

https://share.hoerist.com/philipp/DCspAml7xkgzvs6E/c8d69a41-a4e2-4a9b-95ed-2639bac231f9.png

see something like that

ahaha netcup

that name is so unfortunate

lovetox: some password managers can do that

Zash: it's not about a second device, it's about the second factor of ownership (having a physical device) in contrast to only knowledge (password)

i now try nginx, apache with its 10 folders, where X conf files live and all get imported on top of each other

im trying since 20 minutes to disable hsts, and i simply cant do it

not feeling it

no join link :/

lovetox, you should join xmpp:programming@chat.cluxia.eu?join, your questions are more on-topic there :) ✏

lies!

i have to add a feature in Gajim where when you copy a groupchat it always makes join links

and "," beeing allowed in URLs does things not make better

:D

this reminds me to make the url regex in Gajim better

something like if a space follows a "," ignore the ","

uh, that sounds like a smart rule

Punctuation at the end might work as a general rule

we have that in Dino now as well, though we don't handle ... yet

one character might be not enough 😉

also remember to count parenthesis if you don't do that already 😉

I wrote some code somewhere that strips brackets if there's a matching bracket just before the url

so (http://example.com/) works without including the )

> count parenthesis > regex -EIMPOSSIBLE

count? no. just (.)(urlregexhere) and `if match[1] == "(" and stuff:endswith(")") then` strip that

http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com

valid uri :)

but not common ;)

its funny that there is no public available regex that can match all URIs in a text

~though with browsers escaping ( and ) when copying to clipboard, I think it might even be viable to simply forbid () in URL regexes.~ doesn’t seem to be the case (anymore?) ✏

there are some that are better than others

or http://[db8:f00::baa%eth0]:80/

are urls even regular?

probably not

wasn't url parsing one of the first things mozilla rewrote in rust?

so if you want to show clickable uris in your client, first accept you will not catch all valid urls :)

from there you have a easier life ✏

but found testvectors if anyone is interested

lovetox: you usually don't want to catch all URIs because *everything* is a valid uri

You usually want to require a schema from a known set such that test:test is not linked

or urn:xmpp:test should also not be linked

And not everything users expect to be clickable / links are valid URI/URLs either

www.example.com for example

or just example.com

Zash: it is a valid uri, just not what the user expects it to be ;)

jonas’: aaaaaaah

rocketchat highlights every string with one or more dots in it + ends in a list of TLDs they seem to have ✏

that must be fun with random.typos you do on mobile where space and . are next to each other

it doesn’t highlight `foo.usqlhsvue` for example

but since ~everything is a TLD nowadays, it’s nearly indistinguishable

thanks icann, hope it was worth it

surely the root zone is available somewhere, or you can follow the nsec chain

hm, why is the nxdomain reply for A fooouhaeuiae. not signed?

foodnetwork. 86398 IN NSEC football. NS DS RRSIG NSEC foodnetwork. 86398 IN RRSIG ....

looks signed to me

hm, I blame the recursor ✏

I only get NSEC and RRSIG for NS queries

yeah, recursor’s fault.

so is there a good reason to use the traditional tcp connection

instead of websocket, if its available?

there are some points that make websocket very appealing

first, the a websocket message is its own parsable document

which removes a lot of complexity with having to buffer or stream input

depends on your criteria for good reason

I consider "doesn’t need an HTTP stack" a good reason

second, websocket implements its own keepalive mechanism so you dont have to do that yourself with sending whitespaces

jonas’, i dont understand that argument, you need a networking lib

TCP has a keepalive mechanism too, your argument is invalid

lovetox, not talking about libraries

talking about the amount of technical cruft stacked onto each other

"Resource Exhaustion"

ok so there are no real cons to using websocket

I think that *is* a real con.

with bosh it was, that there is too much overhead

and its complex to implement

Everything you stated as positive is negative if you ask me

Zash, message delimiting would be nice for parsing, but using a stream parser is in any case better for limit enforcement

jonas’, your argument depends on the env your develop, i can talk about mine, and adding libsoup as dependency which handles all my http stuff not just websocket

is not a con

lovetox, except that you now have libsoup as dependency

more code, more cpu cycles burnt

you won’t get the Blauer Engel with that

ok i hear you, but thats not a good "con" for me

and dont know what you mean by limit enforcement

but you can set a size limit on a websocket message

lovetox, stanzas which try to exhaust resources in your stanza processing. this isn’t always easily covered with a size limit

for example, if tree depth is very expensive in your processing, you can get very deep messages with few bytes

you can catch this easily when using a stream parser ✏

Let me tell you about the overhead and resource leaks of creating a parser for every message

really? whats so expensive about a parser object?

ah resource leaks

Bunch of allocations and callbacks and stuff for every message vs just feeding an existing parser

good point, but websocket does not exclude stream parsing

i can still do that

but that pro is then gone :)

(and once you have stream parsing, you also lose the size limit benefit)

Websockets would be nicer without the weird open and close elements. And the XOR masking madness

jonas’, about http stack, i think there is no gui client or even xmpp client that is considered modern and can live without a http stack

lovetox, yes, but I don’t need the HTTP stack for the XMPP connection.

just for the HTTP things

Hammer says everything is a nail!

Zash, to be honest, normally you dont have to care about that, your websocket lib should

I don’t want to live in a world where everything is passed over HTTP(S).

jonas’: same

(although it would be a good tale to tell the (grand-)kids)

("back in ye olden days, where things were which were not JSON and not HTTP...")

Tell the story of why the number 443 is hard coded in the network stack

Maybe when everything is inside https we can replace ipv4 with ipv6 and no one will notice

no, HTTP will just hard-codedly connect to 1.1.1.1 which does URL-level routing

Except thanks to SNI and ALPN there's no need to replace IP.

Just route on those

Zash, ^5

in the end, quad1 is cloudflare. everything goes through cloudflare either way.

(okay, this turned way more realistic than I anticipated when I wrote my comment)

Better stop talking before you bring that nightmare closer to reality than it already is ✏

is there a good reason to keep a BOSH impl as non-webclient, if you also have a websocket impl?

I don’t think there’s a good reason to keep a http-based impl on a non-webclient

but if anything, you should probably keep BOSH over websocket. someone said that on-list in the discussion about the 2020 compliance suites

that argument was about page reloads in browsers

BOSH is probably more compatible with random weird web middleboxes

does not concern desktop clients

The kind that the weird websocket XOR masking was meant to defeat and prevent from doing funking weirdness.

lovetox, no

maybe it was at a different place, too

I think someone had some (at least anecdotal) data that BOSH is the most-likely to succeed mechanism in troublesome networks

can’t find it though, and I don’t really want to argue in favour of any http-crap

jonas’, how do you feel about direct tls on port 443?

Zash, similarly bad

but not as bad as websockets

I have it deployed, which means free fuzzing by random web spiders

ALPN even! mod_net_multiplex \o/

i think may people use bosh because they hope to circumvent some firewalls

not sure if websockets can be used for that

depending on the firewall you can get past by having normal xmpp on port 80 or 443, or direct tls, websocket on 443, and bosh should be the most compatible

no probably not, because xmpp protocol is already announced in the header

depends if it's just port based or a full on http proxy

hm, no this should work the http message is tls encrypted

so how would a firewall know its an xmpp server

I specifically wrote XEP-0368 because my work proxy let me connect to any TLS but only if it was on port 443

name in cert being jabber.something or xmpp.something?

yeah but in that case bosh does also not help

and whatever firewall-from-hell they implemented that with is surely some black box that other orgs also have

im still thinking about reasons to keep bosh

moparisthebest, open a change request with the department of ports

I just yell at my desk instead, same effect

my whole websocket code is 120 lines of code

and thats boilerplate included

so from that angle i really love websockets :)

I think like Zash said, there likely exists HTTP middleboxes that would allow through BOSH and not Websocket

lovetox, how much code to tunnel XMPP over DNS?

XMPP over DNS over XMPP ?

XoDoX

Eh, why does searching for TCP over DNS give me HTTP servers?

lovetox, you forgot to count all the thousand lines of code in the HTTP stack on top of TCP

Zash, https://code.kryo.se/iodine/ is the only one I know of

Found now

First hit was https://github.com/boazsegev/iodine

I do use bosh because at my work there is a port based firewall that prevent me to connect to normal XMPP port.