jdev - 2022-02-09


  176. pep.

    How do I specify something that's still very much in use, when the document has evolved and this thing I want to specify "doesn't exist anymore" on paper but is still pretty much everywhere in practice

  179. pep.

    (oldmemo)

  180. Zash

    do we do Historical for those?

  181. pep.

    In particular, omemo vs pubsub#type

  182. pep.

    It's not historical

  183. pep.

    Is it

  185. Zash

    Historical might still technically be for things invented before the [XJ]SF and [XJ]EP procedure existed, but I'm thinking it could be used for things developed outside of the XSF and that would be good to have a stable reference for

  187. Zash

    to document "this is a thing that some software are doing"

  188. pep.

    I'd say my case also doesn't fit in there, unless you want me to do the thing first, make it a de-facto standard that everybody will rant about, and then come back with it

  189. Zash

    For O(LD)MEMO that was done as a version so that it went into the attic, tho that seems like a weird thing

  190. Zash

    Or did I misunderstand the whole thing?

  191. jonas’

    pep., put it in the omemo xep?

  192. Zash

    "This is your brain on meetings"

  193. pep.

    jonas’, the eu.siacs ns isn't a thing anymore

  194. pep.

    In the spec

  195. jonas’

    welp

  196. Zash

    Link to https://xmpp.org/extensions/attic/xep-0384-0.3.0.html

  197. pep.

    Can I branch 0384-0.3.0? :P

  199. Zash

    See, perhaps it should have been a Historical XEP?

  201. pep.

    Are we allowed to modify histerical xeps?

  202. jonas’

    yes

  203. pep.

    Are we allowed to modify hysterical xeps?

  204. jonas’

    is it worth the hassle to even write down what you intend to write down?

  205. pep.

    I was kinda asked to "because it's not specified" :/

  206. jonas’

    so just don't do pubsub#type for omemo?

  207. jonas’

    then it doesn't have to be specified :)

  208. jonas’

    just migrate to newmemo

  209. pep.

    Yeah in 10 years

  210. jonas’

    *shrug*

  212. pep.

    Anyway, it's interesting to know that there's no answer to this

  214. jonas’

    the OMEMO spec history is really unfortunate

  215. Zash

    understatement?

  216. pep.

    I think it would be the same with any other(?) if you change/update the NS.. I guess there could be a note in the spec like "In an earlier version of this spec blah blah, you can do this and that"

  217. pep.

    ("update" also meaning ":0" -> ":1" to me)

  218. pep.

    (it's not the same ns anymore)

  219. Zash

    implementation note?

  220. pep.

    Yeah

  221. pep.

    I'll fill something for that. Waiting to be shut down somewhat..

  227. pep.

    Also, I'm wondering if it's written anywhere (or should be written anywhere) to prefer purging nodes instead of deleting them

  228. pep.

    So that doesn't ruin the work/expectations of other clients. Say I start filling pubsub#type on my nodes and somebody comes in, yanks everything and recreates the node without the field. Unless obviously that's on purpose

  229. jonas’

    I'd say other clients need to be able to deal with nodes not containing pubsub#tpye

  230. jonas’

    I'd say other clients need to be able to deal with nodes not containing pubsub#type

  231. pep.

    Sure, that's not my point

  232. jonas’

    it seems a bit futile in putting energy in polishing oldmemo that way then

  233. pep.

    Just that it'd kinda ruin the effort a client puts in

  234. pep.

    This doesn't just apply to OMEMO

  235. pep.

    It applies to everything pubsub

  237. pep.

    Am I the only one seeing this as a generic issue? (purge/delete)

  238. Link Mauve

    I don’t think I’ve ever seen it being an issue.

  239. Link Mauve

    Maybe it is for OMEMO, which I don’t use.

  240. Link Mauve

    But for everything else PubSub, clients do the sensible thing.

  241. pep.

    Let's forget about OMEMO for a sec, that's not the point

  242. pep.

    I should have waited 24h before I started another topic

  243. pep.

    Link Mauve, and hmm, I do remember some devs discovering purge (gajim?) and being happy that it exists and that it can be used instead of delete. Might have been for avatars or the like, I don't remember the details

  244. pep.

    Say for privacy settings and whatnot

  245. pep.

    So if this dev didn't know about this, I don't want to imagine how many people getting into XMPP don't either.

  249. jonas’

    pep., I just refused (deferred) to follow your topic change. You would've gotten the same comment if you hadn't written the other line.

  251. pep.

    That doesn't answer my question really but ok. Link Mauve does, but I'm not sure I agree that clients "just do the sensible thing" (I have an example with gajim -- I can find logs again -- and gajim is not any client)

  252. pep.

    Or when gajim also used to reset max_items to 1, clearing microblog nodes. Or something similar

  253. pep.

    Mistakes happen, surely, but it'd be nice to guard against them somehow

  259. pep.

    Would that fit modernxmpp btw? (or anywhere else?) Or will this just live as tribal knowledge

  277. Stefan

    Yes, more information in the implementation notes + Appendix H: Revision History. "Change namespace to urn:xmpp:omemo:1" -> "Change namespace from eu..... to urn:xmpp:omemo:1". This would be very helpful.

  350. moparisthebest

    other than gajim and pidgin, is anyone aware of other clients using _xmppconnect ?

  354. flow

    don't you have the same issue with the http lookup method?

  355. Zash

    no because https

  356. flow

    ahh, yes

  357. flow

    luckily, smack appears to only implement the http lookup method, and not (yet) _xmppconnect

  361. moparisthebest

    does it enforce https when doing the lookup ?

  362. Zash

    I suppose there's not much point in adding _xmppconnect checking support to prosodyctl then

  363. moparisthebest

    because indeed you can't trust it with regular http either

  365. Zash

    Isn't that mandated by whatever defined /.well-known/host-meta ?

  366. Zash

    Beware HTTP redirects tho

  367. moparisthebest

    not much is because this was in those young carefree days when non-TLS was ok!

  368. moparisthebest

    the websocket rfc does say: "Thus, the connection endpoint is still authenticated, and the delegation is secure as long as the Web-host Metadata file is retrieved via HTTPS."

  442. lovetox

    sooo, what does this mean, we should not use the dns method?

  445. moparisthebest

    lovetox, well, do you enforce DNSSEC for it now? and how do you validate the certificate ?

  448. moparisthebest

    and which if any domain do you send in SNI

  449. moparisthebest

    I expect the answer to be "the websocket library takes care of this" in which case you are vulnerable to MITM

  450. lovetox

    of course we pass the library just the url

  451. lovetox

    there is nothing more to configure

  452. lovetox

    except the protocol "xmpp"

  453. lovetox

    i could implement the https method, but makes everything again more complicated

  467. moparisthebest

    lovetox, so right now if _xmppconnect.example.org pointed to wss://evil.com/xmpp and evil.com presented a valid cert for evil.com you'd just trust it and go on ?

  468. moparisthebest

    I mean that's what I expect, but it's vulnerable to MITM :(

  470. lovetox

    yes

  472. moparisthebest

    it's only ok with DNSSEC, so I think I'm going to propose removing the DNS method altogether from that XEP

  475. lovetox

    yes, i don't see how any websocket library will support this

  476. Zash

    Tho cache poisoning attacks aren't _that_ easy to pull off

  477. moparisthebest

    if you go https, which of the 2 methods would you pick? XML or json ?

  478. moparisthebest

    (or both?)

  481. lovetox

    json

  482. moparisthebest

    I unfortunately also think that's more sensible

  483. lovetox

    because python, and json maps to python dicts

  484. lovetox

    :)

  485. moparisthebest

    well and which do you think 100% of web clients pick? :/

  486. moparisthebest

    I think I'll also propose getting rid of the XML method and see how that goes :P

  487. moparisthebest

    in the short term you might want to disable DNS websocket discovery to avoid mitm :/

  488. moparisthebest

    wonder what pidgin does and how to get ahold of them...

  489. Zash

    xmpp:devel@conference.pidgin.im?join

  491. moparisthebest

    didn't expect that

  493. lovetox

    i also checked another python websocket lib, they also don't support this

  494. lovetox

    tls is always verified against the uri

  495. Link Mauve

    lovetox, note that the JSON method is optional, and the RDF one is mandatory.

  496. moparisthebest

    my rust websocket lib lets me pass in an already open+validated TLS connection, so I *can* validate against the proper domain

  497. Link Mauve

    So some servers (such as JabberFR’s) only provide a RDF file.

  498. moparisthebest

    but no web servers support this

  501. moparisthebest

    which is a bigger problem

  502. moparisthebest

    ugh it's true https://datatracker.ietf.org/doc/html/rfc7395#section-4

  504. lovetox

    yeah then i will use xml

  505. lovetox

    i will not do 2 https requests

  507. Zash

    (pipeline?)

  511. lovetox

    hm i abstracted that pretty good away, i can easily exchange the dns discovery for a https discovery

  512. lovetox

    and push this as a security update

  513. moparisthebest

    nice!

  516. moparisthebest

    oh no, tigase probably supports it, any tigase devs about? https://github.com/tigase/tigase-http-api/blob/2346fb8d4f7adf09707554dc16976f8e87f77548/src/main/groovy/tigase/http/modules/dnswebservice/DnsResolver.java#L168

  518. moparisthebest

    adium...

  519. moparisthebest

    https://github.com/search?p=3&q=_xmppconnect&type=Code if anyone wants to help :)

  520. Zash

    Wojtek, or try xmpp:tigase@muc.tigase.org?join maybe

  521. moparisthebest

    oh no https://github.com/xmppjs/xmpp.js/blob/63aecc49157980f6d68cc58605cf8a3fef664a2a/packages/resolve/lib/dns.js

  522. Zash

    DoH?

  523. moparisthebest

    14 years ago, maybe it's not being used? :crosses-fingers: https://github.com/HSSANN/jabber-net/blob/1b4e73417523426e854dd97b1b73ebc7e2876f0f/jabber/connection/HttpStanzaStream.cs

  525. moparisthebest

    99% of the github search results are libpurple

  526. Zash

    purple clones?

  527. moparisthebest

    active on the play store https://github.com/BombusMod/BombusMod/blob/6672861668979fb3612ea5933d437f68c1df4931/src/main/java/io/DnsSrvResolver.java

  528. moparisthebest

    it's mostly libpurple forks or copy/pasted into various clients and/or adium forks etc

  529. lovetox

    can one have a cert which is valid for 2 domains, as in a.org and b.org?

  530. Zash

    yes

  531. flow

    yes

  532. Zash

    subjectAlternativeNames can contain any number of identities

  533. lovetox

    ok, i knew wildcard, and subdomains, but was unsure about completely different ones

  534. lovetox

    :)

  535. Zash

    you can put a video of you playing with your cat in there

  536. moparisthebest

    what in the world https://github.com/poVoq/converse_wp/blob/5df09d931fb5b70a0fd854a006c5623240677aeb/conversejs.php#L140

  537. moparisthebest

    lovetox, but SNI only lets you request a cert valid for 1 domain, which is fun

  539. moparisthebest

    active project https://github.com/JustOxlamon/TwoRatChat/blob/8f75fa37f84367d7bc0fe9b61e0ff3554eda8c58/JabberNet-2.1.0.710/jabber/connection/HttpStanzaStream.cs#L107

  561. moparisthebest

    no one has confirmed in pidgin muc yet, but looks to me like it supports BOSH only and is indeed vulnerable to mitm https://keep.imfreedom.org/pidgin/pidgin/file/tip/libpurple/protocols/jabber/bosh.c#l97

  562. moparisthebest

    unfortunately that looks like the biggest attack surface :'(

  563. moparisthebest

    (making at least pidgin, adium, chatty, thunderbird, and what else vulnerable ?)
