jdev - 2020-01-02

  1. lovetox

    anyone knows of a totp/hotp client with GUI on linux?

  2. lovetox

    i only find commandline tools where i have to specify the key every time again

  3. Zash

    I know only mobile variants, tho that's technically on Linux

  4. Link Mauve

    lovetox, can’t you store the key somewhere and pipe that into your CLI tool automatically?

  5. lovetox

    Link Mauve, i can imagine this works for you with your 500 keystrokes per minute

  6. lovetox

    i want a simple gui, where all my pages are listed, i click one button and get a new password for that page

  7. Zash

    Isn't the point that a second physical device is needed?

  8. Link Mauve

    lovetox, what is a page in this context?

  9. lovetox

    a website

  10. Zash

    wrap the cli in a script and pop up a dialog with zenity?

  11. lovetox

    ah found one

  12. Zash

    https://github.com/search?q=totp+gui has a few results

  13. lovetox


  14. lovetox

    see something like that

  15. jonas’

    ahaha netcup

  16. jonas’

    that name is so unfortunate

  17. larma

    lovetox: some password managers can do that

  18. larma

    Zash: it's not about a second device, it's about the second factor of ownership (having a physical device) in contrast to only knowledge (password)

  19. lovetox

    i'm now trying nginx; apache with its 10 folders, where X conf files live and all get imported on top of each other

  20. lovetox

    i've been trying for 20 minutes to disable hsts, and i simply can't do it

  21. lovetox

    not feeling it

  22. jonas’

    lovetox, you should join programming@chat.cluxia.eu, your questions are more on-topic there :)

  23. lovetox

    no join link :/

  24. jonas’

    lovetox, you should join xmpp:programming@chat.cluxia.eu?join, your questions are more on-topic there :)

  25. jonas’


  26. lovetox

    i have to add a feature in Gajim where when you copy a groupchat it always makes join links

  27. lovetox

    and "," being allowed in URLs doesn't make things better

  28. lovetox


  29. lovetox

    this reminds me to make the url regex in Gajim better

  30. lovetox

    something like if a space follows a "," ignore the ","

  31. jonas’

    uh, that sounds like a smart rule

  32. Zash

    Punctuation at the end might work as a general rule

  33. lovetox starts to look at the code for that

  34. larma

    we have that in Dino now as well, though we don't handle ... yet

  35. larma

    one character might be not enough 😉

  36. larma

    also remember to count parenthesis if you don't do that already 😉

  37. Zash

    I wrote some code somewhere that strips brackets if there's a matching bracket just before the url

  38. Zash

    so (http://example.com/) works without including the )

  39. jonas’

    > count parenthesis > regex -EIMPOSSIBLE

  40. Zash

    count? no. just (.)(urlregexhere) and `if match[1] == "(" and stuff:endswith(")") then` strip that

  41. lovetox


  42. lovetox

    valid uri :)

  43. jonas’

    but not common ;)

  44. jonas’

    though with browsers escaping ( and ) when copying to clipboard, I think it might even be viable to simply forbid () in URL regexes.

  45. lovetox

    it's funny that there is no publicly available regex that can match all URIs in a text

  46. jonas’

    ~though with browsers escaping ( and ) when copying to clipboard, I think it might even be viable to simply forbid () in URL regexes.~ doesn’t seem to be the case (anymore?)

  47. lovetox

    there are some that are better than others

  48. Zash

    or http://[db8:f00::baa%eth0]:80/

  49. Zash

    are urls even regular?

  50. jonas’

    probably not

  51. Zash

    wasn't url parsing one of the first things mozilla rewrote in rust?

  52. lovetox

    so if you want to show clickable uris in your client, first accept you will not catch all valid urls :)

  53. lovetox

    from there you have an easier live

  54. lovetox

    from there you have an easier life

  55. lovetox

    but found testvectors if anyone is interested

  56. larma

    lovetox: you usually don't want to catch all URIs because *everything* is a valid uri

  57. larma

    You usually want to require a schema from a known set such that test:test is not linked

  58. larma

    or urn:xmpp:test should also not be linked

  59. Zash

    And not everything users expect to be clickable / links are valid URI/URLs either

  60. Zash

    www.example.com for example

  61. Zash

    or just example.com

  62. jonas’

    rocketchat highlights every string with one or more dots in it

  63. larma

    Zash: it is a valid uri, just not what the user expects it to be ;)

  64. Zash

    jonas’: aaaaaaah

  65. jonas’

    rocketchat highlights every string with one or more dots in it + ends in a list of TLDs they seem to have

  66. Zash

    that must be fun with random.typos you do on mobile where space and . are next to each other

  67. jonas’

    it doesn’t highlight `foo.usqlhsvue` for example

  68. jonas’

    but since ~everything is a TLD nowadays, it’s nearly indistinguishable

  69. Zash

    thanks icann, hope it was worth it

  70. Zash

    surely the root zone is available somewhere, or you can follow the nsec chain

  71. jonas’

    hm, why is the nxdomain reply for A fooouhaeuiae. not signed?

  72. Zash

    foodnetwork. 86398 IN NSEC football. NS DS RRSIG NSEC foodnetwork. 86398 IN RRSIG ....

  73. Zash

    looks signed to me

  74. jonas’

    hm, I blame the resolver

  75. jonas’

    hm, I blame the recursor

  76. jonas’

    I only get NSEC and RRSIG for NS queries

  77. jonas’

    yeah, recursor’s fault.

  78. lovetox

    so is there a good reason to use the traditional tcp connection

  79. lovetox

    instead of websocket, if its available?

  80. lovetox

    there are some points that make websocket very appealing

  81. lovetox

    first, a websocket message is its own parsable document

  82. lovetox

    which removes a lot of complexity with having to buffer or stream input

  83. jonas’

    depends on your criteria for good reason

  84. jonas’

    I consider "doesn’t need an HTTP stack" a good reason

  85. lovetox

    second, websocket implements its own keepalive mechanism so you don't have to do that yourself with sending whitespaces

  86. lovetox

    jonas’, i don't understand that argument, you need a networking lib

  87. Zash

    TCP has a keepalive mechanism too, your argument is invalid

  88. jonas’

    lovetox, not talking about libraries

  89. jonas’

    talking about the amount of technical cruft stacked onto each other

  90. jonas’

    "Resource Exhaustion"

  91. lovetox

    ok so there are no real cons to using websocket

  92. jonas’

    I think that *is* a real con.

  93. lovetox

    with bosh it was that there is too much overhead

  94. lovetox

    and it's complex to implement

  95. Zash

    Everything you stated as positive is negative if you ask me

  96. jonas’

    Zash, message delimiting would be nice for parsing, but using a stream parser is in any case better for limit enforcement

  97. lovetox

    jonas’, your argument depends on the env you develop in, i can talk about mine, and adding libsoup as a dependency which handles all my http stuff not just websocket

  98. lovetox

    is not a con

  99. jonas’

    lovetox, except that you now have libsoup as dependency

  100. jonas’

    more code, more cpu cycles burnt

  101. jonas’

    you won’t get the Blauer Engel with that

  102. lovetox

    ok i hear you, but that's not a good "con" for me

  103. lovetox

    and don't know what you mean by limit enforcement

  104. lovetox

    but you can set a size limit on a websocket message

  105. jonas’

    lovetox, stanzas which try to exhaust resources in your stanza processing. this isn’t always easily covered with a size limit

  106. jonas’

    for example, if tree depth is very expensive in your processing, you can get very deep messages with few bytes

  107. jonas’

    you can catch this easily when using a stream paresr

  108. jonas’

    you can catch this easily when using a stream parser

  109. Zash

    Let me tell you about the overhead and resource leaks of creating a parser for every message

  110. lovetox

    really? what's so expensive about a parser object?

  111. lovetox

    ah resource leaks

  112. Zash

    Bunch of allocations and callbacks and stuff for every message vs just feeding an existing parser

  113. lovetox

    good point, but websocket does not exclude stream parsing

  114. lovetox

    i can still do that

  115. lovetox

    but that pro is then gone :)

  116. jonas’

    (and once you have stream parsing, you also lose the size limit benefit)

  117. Zash

    Websockets would be nicer without the weird open and close elements. And the XOR masking madness

  118. lovetox

    jonas’, about http stack, i think there is no gui client or even xmpp client that is considered modern and can live without a http stack

  119. jonas’

    lovetox, yes, but I don’t need the HTTP stack for the XMPP connection.

  120. jonas’

    just for the HTTP things

  121. Zash

    Hammer says everything is a nail!

  122. lovetox

    Zash, to be honest, normally you don't have to care about that, your websocket lib should

  123. jonas’

    I don’t want to live in a world where everything is passed over HTTP(S).

  124. Zash

    jonas’: same

  125. jonas’

    (although it would be a good tale to tell the (grand-)kids)

  126. jonas’

    ("back in ye olden days, where things were which were not JSON and not HTTP...")

  127. Zash

    Tell the story of why the number 443 is hard coded in the network stack

  128. pulkomandy

    Maybe when everything is inside https we can replace ipv4 with ipv6 and no one will notice

  129. jonas’

    no, HTTP will just hard-codedly connect to which does URL-level routing

  130. Zash

    Except thanks to SNI and ALPN there's no need to replace IP.

  131. Zash

    Just route on those

  132. jonas’

    Zash, ^5

  133. jonas’

    in the end, quad1 is cloudflare. everything goes through cloudflare either way.

  134. jonas’

    (okay, this turned way more realistic than I anticipated when I wrote my comment)

  135. Zash

    Better stop talking before you bring that nightmare closer to really than it already is

  136. Zash

    Better stop talking before you bring that nightmare closer to reality than it already is

  137. lovetox

    is there a good reason to keep a BOSH impl as non-webclient, if you also have a websocket impl?

  138. jonas’

    I don’t think there’s a good reason to keep a http-based impl on a non-webclient

  139. jonas’

    but if anything, you should probably keep BOSH over websocket. someone said that on-list in the discussion about the 2020 compliance suites

  140. lovetox

    that argument was about page reloads in browsers

  141. Zash

    BOSH is probably more compatible with random weird web middleboxes

  142. lovetox

    does not concern desktop clients

  143. Zash

    The kind that the weird websocket XOR masking was meant to defeat and prevent from doing funking weirdness.

  144. jonas’

    lovetox, no

  145. jonas’

    maybe it was at a different place, too

  146. jonas’

    I think someone had some (at least anecdotal) data that BOSH is the most-likely to succeed mechanism in troublesome networks

  147. jonas’

    can’t find it though, and I don’t really want to argue in favour of any http-crap

  148. Zash

    jonas’, how do you feel about direct tls on port 443?

  149. jonas’

    Zash, similarly bad

  150. jonas’

    but not as bad as websockets

  151. Zash

    I have it deployed, which means free fuzzing by random web spiders

  152. Zash

    ALPN even! mod_net_multiplex \o/

  153. lovetox

    i think many people use bosh because they hope to circumvent some firewalls

  154. lovetox

    not sure if websockets can be used for that

  155. Zash

    depending on the firewall you can get past by having normal xmpp on port 80 or 443, or direct tls, websocket on 443, and bosh should be the most compatible

  156. lovetox

    no probably not, because xmpp protocol is already announced in the header

  157. Zash

    depends if it's just port based or a full on http proxy

  158. lovetox

    hm, no, this should work, the http message is tls encrypted

  159. lovetox

    so how would a firewall know it's an xmpp server

  160. moparisthebest

    I specifically wrote XEP-0368 because my work proxy let me connect to any TLS but only if it was on port 443

  161. Zash

    name in cert being jabber.something or xmpp.something?

  162. lovetox

    yeah but in that case bosh does also not help

  163. moparisthebest

    and whatever firewall-from-hell they implemented that with is surely some black box that other orgs also have

  164. lovetox

    im still thinking about reasons to keep bosh

  165. Zash

    moparisthebest, open a change request with the department of ports

  166. moparisthebest

    I just yell at my desk instead, same effect

  167. lovetox

    my whole websocket code is 120 lines of code

  168. lovetox

    and that's boilerplate included

  169. lovetox

    so from that angle i really love websockets :)

  170. moparisthebest

    I think like Zash said, there likely exist HTTP middleboxes that would allow through BOSH and not Websocket

  171. Zash

    lovetox, how much code to tunnel XMPP over DNS?

  172. moparisthebest

    XMPP over DNS over XMPP ?

  173. moparisthebest


  174. Zash

    Eh, why does searching for TCP over DNS give me HTTP servers?

  175. jonas’

    lovetox, you forgot to count all the thousand lines of code in the HTTP stack on top of TCP

  176. moparisthebest

    Zash, https://code.kryo.se/iodine/ is the only one I know of

  177. Zash

    Found now

  178. Zash

    First hit was https://github.com/boazsegev/iodine

  179. asterix

    I do use bosh because at my work there is a port-based firewall that prevents me from connecting to the normal XMPP port.