jdev - 2021-02-12


  110. lovetox hey question regarding SASL fallbacks
  111. lovetox I have a server that offers GSSAPI and PLAIN
  112. lovetox GSSAPI login seems broken for the user
  113. lovetox right now I have no fallback behavior for any SASL methods
  114. lovetox out of fear of downgrade attacks
  115. lovetox I wonder how other clients handle this
  116. Sam Whited lovetox: I implemented the fallback in Conversations. It ranks the mechanisms based on some perceived "level of security". You can always log in with anything higher than a login method you've used before, but if the server stops offering it and you only see lower mechanisms, login fails and it's up to you to decide what to do (contact the server admin, wait and see if it resolves itself, allow the less secure mechanism, etc.)
  118. Sam Whited In this scenario if GSSAPI is considered "more secure" (for some handwavey definition of "more secure") than PLAIN, if login had succeeded with it once the user wouldn't be able to log in and would have to decide to reset the pinned mechanisms. If they had never been able to log in with it plain would be used happily and if GSSAPI started working one day they'd be silently upgraded.
  119. Sam Whited I wrote this up in more detail in https://xmpp.org/extensions/xep-0438.html#pinning
  120. Sam Whited (or in https://www.ietf.org/archive/id/draft-ietf-kitten-password-storage-02.html#name-mechanism-pinning which is more or less the same thing)
  121. lovetox ok sounds like a lot of work ...
  122. Sam Whited Not really, it was a couple of lines of code, but maybe I'm explaining it badly
  123. lovetox my library doesn't even offer fallback yet
  124. lovetox it simply aborts on the first failure
  125. lovetox so I would need to start with that
  126. lovetox and then I need the mechanism recording in the client
  127. lovetox and the UI to reset it
  128. Sam Whited The whole thing is sort of unrelated to fallback actually, the fallback part is just "try the mechanisms in order from highest to lowest". The pinning can actually be done even if there is no fallback
  129. Sam Whited Conversations doesn't actually have a UI to reset it, which may or may not be a problem
  130. Sam Whited But yah, if you don't have fallback at all yet the docs I linked recommend some fallback orderings (but don't include GSSAPI, sorry)
  131. lovetox actually I'm of the opinion that no fallback is needed
  132. lovetox it's just that I forgot about GSSAPI
  133. lovetox because it's not in the client's hands whether it works, it needs some additional setup on the machine
  134. Sam Whited yah, I tend to agree
  135. lovetox I don't see why I should fall back between SCRAM methods
  136. lovetox if the server offers a method that simply does not work, I tend to think the admin should get informed by user reports right away
  137. lovetox and not that we fall back silently and the problem is not discovered for eternity
  138. lovetox same story with direct TLS and STARTTLS
  139. Sam Whited I was thinking more "if the client offers SCRAM-SHA-1 and SCRAM-SHA-256, which should it use?" but if you mean "auth failed" I agree, fallback isn't necessary
  140. lovetox there are servers out there that simply have non-working connection methods, and never know it because all clients fall back to something else
  141. Sam Whited (or rather, I thought you meant fallback in that way, trying another if something fails, but I agree it's probably not something I'd do personally if that's not what you meant)
  142. Zash (and that's why adding some fallback for websockets is bad!)
  143. lovetox Sam Whited, I think we mean the same
  144. lovetox if I try SHA-256 and get back ANY error
  145. Sam Whited lovetox: yes, sorry, I was confused about what you meant at first but I agree with you that fallback is not necessary, if you get an error, report it :)
  146. lovetox it does not matter which, I would not fall back
  147. Sam Whited Which one you select first and which one you select if the server list changes is the important thing to think about.
  148. lovetox I have an ordered list of preferred methods in the client right now
  149. lovetox but I don't pin them
  150. lovetox so I don't record what the server offers one day and the next
  151. lovetox I agree now that I think just about pinning and not about fallback
  152. lovetox it's probably trivial to implement
  153. Sam Whited At least in my implementation I don't record the server list either, I only store what the last successful login used (well, I store the priority, not the exact mechanism) and then compare to whatever we selected this time
  155. Sam Whited So it's more or less a single if statement before every login and storing a value in the database after a successful login :)
  156. lovetox yeah I agree that's trivial
  157. lovetox though it's also really ... edge edge edge case
  158. lovetox I mean that's really paranoid
  159. lovetox I think
  160. Sam Whited Yah, the idea is to protect against a server compromise and someone downgrading you to plain to steal your password (which you have unwisely re-used for your email and bank accounts), but it's probably not a super high priority issue to patch or anything
  199. lovetox does anyone know a public server with some transport where I can test the register flow?
  218. theTedd lovetox, jix.im and jabber.linuxlovers.at have a few transports available
  219. lovetox thanks