jdev - 2021-02-12

  1. mikeye has left

  2. SouL has left

  3. Vaulor has left

  4. stpeter has left

  5. debacle has left

  6. kikuchiyo has left

  7. kikuchiyo has joined

  8. mikeye has joined

  9. oibalos has left

  10. oibalos has joined

  11. mikeye has left

  12. stpeter has joined

  13. SouL has joined

  14. stpeter has left

  15. paul has left

  16. Vaulor has joined

  17. Yagizа has joined

  18. SouL has left

  19. mikeye has joined

  20. SouL has joined

  21. mikeye has left

  22. o2 has joined

  23. wurstsalat has joined

  24. paul has joined

  25. mikeye has joined

  26. lovetox has left

  27. lovetox has joined

  28. mikeye has left

  29. Guus has joined

  30. goffi has joined

  31. Kev has left

  32. Kev has joined

  33. serge90 has left

  34. mikeye has joined

  35. serge90 has joined

  36. marmistrz has joined

  37. asterix has left

  38. asterix has joined

  39. mikeye has left

  40. debacle has joined

  41. floretta has left

  42. floretta has joined

  43. marmistrz has left

  44. Guus has left

  45. Wojtek has joined

  46. marc has left

  47. marc has joined

  48. marmistrz has joined

  49. Guus has joined

  50. belong has left

  51. belong has joined

  52. Guus has left

  53. serge90 has left

  54. kikuchiyo has left

  55. serge90 has joined

  56. mac has joined

  57. mac has left

  58. mac has joined

  59. mac has left

  60. mikeye has joined

  61. debacle has left

  62. belong has left

  63. mikeye has left

  64. belong has joined

  65. Kev has left

  66. Kev has joined

  67. Kev has left

  68. Kev has joined

  69. Kev has left

  70. Kev has joined

  71. adityaborikar has left

  72. adityaborikar has joined

  73. marmistrz has left

  74. oibalos has left

  75. marmistrz has joined

  76. oibalos has joined

  77. alacer has left

  78. alacer has joined

  79. floretta has left

  80. floretta has joined

  81. floretta has left

  82. serge90 has left

  83. serge90 has joined

  84. stpeter has joined

  85. floretta has joined

  86. kikuchiyo has joined

  87. floretta has left

  88. sonny has left

  89. sonny has joined

  90. sonny has left

  91. sonny has joined

  92. Beherit has left

  93. Beherit has joined

  94. sonny has left

  95. sonny has joined

  96. Paul B has left

  97. Paul B has joined

  98. floretta has joined

  99. Wojtek has left

  100. sonny has left

  101. sonny has joined

  102. debacle has joined

  103. floretta has left

  104. floretta has joined

  105. kikuchiyo has left

  106. marmistrz has left

  107. kikuchiyo has joined

  108. marmistrz has joined

  109. Guus has joined

  110. lovetox

    hey question regarding SASL fallbacks

  111. lovetox

    i have a server that offers GSSAPI and PLAIN

  112. lovetox

    GSSAPI login seems broken for the user

  113. lovetox

    right now i have no fallback behavior for any SASL methods

  114. lovetox

    out of fear of downgrade attacks

  115. lovetox

    i wonder how other clients handle this

  116. Sam Whited

    lovetox: I implemented the fallback in Conversations. It ranks the mechanisms based on some percieved "level of security". You can always log in with anything higher than a login method you've used before, but if the server stops offering it and you only see lower mechanisms log in fails and it's up to you to decide what to do (contact the server admin, wait and see if it resolves itself, allow the less secure mechanism, etc.

  117. marmistrz has left

  118. Sam Whited

    In this scenario if GSSAPI is considered "more secure" (for some handwavey definition of "more secure") than PLAIN, if login had succeeded with it once the user wouldn't be able to log in and would have to decide to reset the pinned mechanisms. If they had never been able to log in with it plain would be used happily and if GSSAPI started working one day they'd be silently upgraded.

  119. Sam Whited

    I wrote this up in more detail in https://xmpp.org/extensions/xep-0438.html#pinning

  120. Sam Whited

    (or in https://www.ietf.org/archive/id/draft-ietf-kitten-password-storage-02.html#name-mechanism-pinning which is more or less the same thing)

  121. lovetox

    ok sounds like a lot of work ...

  122. Sam Whited

    Not really, it was a couple of lines of code, but maybe I'm explaining it badly

  123. lovetox

    my library doesnt even offer fallback yet

  124. lovetox

    it simply aborts on the first failure

  125. lovetox

    so i would need to start with that

  126. lovetox

    and then i need in the client the mechanism recording

  127. lovetox

    and the UI to reset it

  128. Sam Whited

    The whole thing is sort of unrelated to fallback actually, the fallback part is just "try the mechanisms in order from highest to lowest". The pinning can actually be done even if there is no fallback

  129. Sam Whited

    Conversations doesn't actually have a UI to reset it, which may or may not be a problem

  130. Sam Whited

    But yah, if you don't have fallback at all yet the docs I linked recommend some fallback orderings (but don't include GSSAPI, sorry)

  131. lovetox

    actually im of the opinion that no fallback is needed

  132. lovetox

    its just that i forgot about GSSAPI

  133. lovetox

    because its not in client hand if it works, it needs some additional setup on the machine

  134. Sam Whited

    yah, I tend to agree

  135. lovetox

    i dont see why i should fallback between scram methods

  136. lovetox

    if the server offers a method that simply does not work, i tend to think admin should get informed by user reports right away

  137. lovetox

    and not we fall silently back and problem is not discovered for eternety

  138. lovetox

    same story with direct and start tls

  139. Sam Whited

    I was thinking more "if the client offers SCRAM-SHA-1 and SCRAM-SHA-256, which should it use?" but if you mean "auth failed" I agree, fallback isn't necessary

  140. lovetox

    there are servers out there that simply have not working connection methods, and never know it because all clients fall back to something else

  141. Sam Whited

    (or rather, I thought you meant fallback in that way, trying another if something fails, but I agree it's probably not something I'd do personally if that's not what you meant)

  142. Zash

    (and that's why adding some fallback for websockets is bad!)

  143. lovetox

    Sam Whited, i think we mean the same

  144. lovetox

    if i try SHA-256 and get back ANY error

  145. Sam Whited

    lovetox: yes, sorry, I was confused about what you meant at first but I agree with you that fallback is not necessary, if you get an error, report it :)

  146. lovetox

    it does not matter which, i would not fallback

  147. Sam Whited

    Which one you select first and which one you select if the server list changes is the important thing to think about.

  148. lovetox

    i have a orderd list of prefered methods in the client right now

  149. lovetox

    but i dont pin them

  150. lovetox

    so i dont record what the server offers right now one day and the next

  151. lovetox

    i agree now that i think just about pinning and not about fallback

  152. lovetox

    its probably trivial to implement

  153. Sam Whited

    At least in my implementation I don't record the server list either, I only store what the last successful login used (well, I store the priority, not the exact mechanism) and then compare to whatever we selected this time

  154. jubalh has left

  155. Sam Whited

    So it's more or less a single if statement before every login and storing a value in the database after a successful login :)

  156. lovetox

    yeah i agree thats trivial

  157. lovetox

    though its also really ... edge edge edge case

  158. lovetox

    i mean thats really paranoid

  159. lovetox

    i think

  160. Sam Whited

    Yah, the idea is to protect against a server compromise and someone downgrading you to plain to steal your password (which you have unwisely re-used for your email and bank accounts), but it's probably not a super high priority issue to patch or anything

  161. marmistrz has joined

  162. o2 has left

  163. lovetox_ has joined

  164. lovetox_ has left

  165. lovetox_ has joined

  166. pasdesushi has joined

  167. pasdesushi has left

  168. lovetox_ has left

  169. lovetox_ has joined

  170. lovetox_ has left

  171. lovetox_ has joined

  172. lovetox_ has left

  173. lovetox_ has joined

  174. lovetox_ has left

  175. paul has left

  176. floretta has left

  177. paul has joined

  178. lovetox_ has joined

  179. lovetox_ has left

  180. lovetox_ has joined

  181. lovetox_ has left

  182. floretta has joined

  183. goffi has left

  184. marmistrz has left

  185. asterix has left

  186. asterix has joined

  187. Stefan has left

  188. Stefan has joined

  189. asterix has left

  190. asterix has joined

  191. marmistrz has joined

  192. marmistrz has left

  193. Kev has left

  194. o2 has joined

  195. lovetox_ has joined

  196. lovetox_ has left

  197. o2 has left

  198. lovetox_ has joined

  199. lovetox

    anyone knows a public server with some transport where i can test the register flow

  200. Yagizа has left

  201. oibalos has left

  202. lovetox_ has left

  203. lovetox_ has joined

  204. lovetox_ has left

  205. lovetox_ has joined

  206. lovetox_ has left

  207. lovetox_ has joined

  208. asterix has left

  209. lovetox_ has left

  210. asterix has joined

  211. stpeter has left

  212. goffi has joined

  213. asterix has left

  214. asterix has joined

  215. kikuchiyo has left

  216. kikuchiyo has joined

  217. theTedd has joined

  218. theTedd

    lovetox, jix.im and jabber.linuxlovers.at have a few transports available

  219. lovetox

    thanks

  220. goffi has left

  221. mikeye has joined

  222. theTedd has left