How do I specify something that's still very much in use, when the document has evolved and this thing I want to specify "doesn't exist anymore" on paper but is still pretty much everywhere in practice
pep.
(oldmemo)
Zash
do we do Historical for those?
pep.
In particular, omemo vs pubsub#type
pep.
It's not historical
pep.
Is it
Zash
Historical might still technically be for things invented prior to the [XJ]SF and [XJ]EP procedure existed, but I'm thinking it could be used for things developed outside of the XSF and that would be good to have a stable reference for
Zash
to document "this is a thing that some software are doing"
pep.
I'd say my case also doesn't fit in there, unless you want me to do the thing first, make it a de-facto standard that everybody will rant about, and then come back with it
Zash
For O(LD)MEMO that was done as a version so that it went into the attic, tho that seems like a weird thing
Zash
Or did I misunderstand the whole thing?
jonas’
pep., put it in the omemo xep?
Zash
"This is your brain on meetings"
pep.
jonas’, the eu.siacs ns isn't a thing anymore
pep.
In the spec
jonas’
welp
Zash
Link to https://xmpp.org/extensions/attic/xep-0384-0.3.0.html
pep.
Can I branch 0384-0.3.0? :P
Zash
See, perhaps it should have been a Historical XEP?
is it worth the hassle to even write down what you intend to write down?
pep.
I was kinda asked to "because it's not specified" :/
jonas’
so just don't do pubsub#type for omemo?
jonas’
then it doesn't have to be specified :)
jonas’
just migrate to newmemo
pep.
Yeah in 10 years
jonas’
*shrug*
pep.
Anyway, it's interesting to know that there's no answer to this
jonas’
the OMEMO spec history is really unfortunate
Zash
understatement?
pep.
I think it would be the same with any other(?) if you change/update the NS.. I guess there could be a note in the spec like "In an earlier version of this spec blah blah, you can do this and that"
pep.
("update" also meaning ":0" -> ":1" to me)
pep.
(it's not the same ns anymore)
Zash
implementation note?
pep.
Yeah
pep.
I'll fill something for that. Waiting to be shutdown somewhat..
pep.
Also, I'm wondering if it's written anywhere (or should be written anywhere) to prefer purging nodes instead of deleting them
pep.
So that it doesn't ruin the work/expectations of other clients. Say I start filling pubsub#type on my nodes and somebody comes in, yanks everything and recreates the node without the field. Unless obviously that's on purpose
jonas’
I'd say other clients need to be able to deal with nodes not containing pubsub#type
pep.
Sure, that's not my point
jonas’
it seems a bit futile in putting energy in polishing oldmemo that way then
pep.
Just that it'd kinda ruin the effort a client puts in
pep.
This doesn't just apply to OMEMO
pep.
It applies to everything pubsub
pep.
Am I the only one seeing this as a generic issue? (purge/delete)
Link Mauve
I don’t think I’ve ever seen it being an issue.
Link Mauve
Maybe it is for OMEMO, which I don’t use.
Link Mauve
But for everything else PubSub, clients do the sensible thing.
pep.
Let's forget about OMEMO for a sec, that's not the point
pep.
I should have waited 24h before I started another topic
pep.
Link Mauve, and hmm, I do remember some devs discovering purge (gajim?) and being happy that it exists and that it can be used instead of delete. Might have been for avatars or the like, I don't remember the details
pep.
Say for privacy settings and whatnot
pep.
So if this dev didn't know about this, I don't want to imagine how many people getting into XMPP don't either.
jonas’
pep., I just refused (deferred) to follow your topic change. You would've gotten the same comment if you hadn't written the other line.
pep.
That doesn't answer my question really but ok. Link Mauve does, but I'm not sure I agree that clients "just do the sensible thing" (I have an example with gajim -- I can find logs again -- and gajim is not any client)
pep.
Or when gajim also used to reset max_items to 1, clearing microblog nodes. Or something similar
pep.
Mistakes happen, surely, but it'd be nice to guard against them somehow
pep.
Would that fit modernxmpp btw? (or anywhere else?) Or will this just live as tribal knowledge
Stefan
Yes, more information in the implementation notes + Appendix H: Revision History.
Change namespace to urn:xmpp:omemo:1 ->
Change namespace from eu..... to urn:xmpp:omemo:1
This would be very helpful.
moparisthebest
other than gajim and pidgin, is anyone aware of other clients using _xmppconnect ?
flow
don't you have the same issue with the http lookup method?
Zash
no because https
flow
ahh, yes
flow
luckily, smack appears to only implement the http lookup method, and not (yet) _xmppconnect
moparisthebest
does it enforce https when doing the lookup ?
Zash
I suppose there's not much point in adding _xmppconnect checking support to prosodyctl then
moparisthebest
because indeed you can't trust it with regular http either
Zash
Isn't that mandated by whatever defined /.well-known/host-meta ?
Zash
Beware HTTP redirects tho
moparisthebest
not much is because this was in those young carefree days when non-TLS was ok!
moparisthebest
the websocket rfc does say:
> Thus, the connection endpoint is still authenticated, and the delegation is secure as long as the Web-host Metadata file is retrieved via HTTPS.
lovetox
sooo, what does this mean, we should not use the dns method?
moparisthebest
lovetox, well, do you enforce DNSSEC for it now? and how do you validate the certificate ?
moparisthebest
and which if any domain do you send in SNI
moparisthebest
I expect the answer to be "the websocket library takes care of this" in which case you are vulnerable to MITM
lovetox
of course we pass the library just the url
lovetox
there is nothing more to configure
lovetox
except the protocol "xmpp"
lovetox
i could implement the https method, but makes everything again more complicated
moparisthebest
lovetox, so right now if _xmppconnect.example.org pointed to wss://evil.com/xmpp and evil.com presented a valid cert for evil.com you'd just trust it and go on ?
moparisthebest
I mean that's what I expect, but it's vulnerable to MITM :(
lovetox
yes
moparisthebest
it's only ok with DNSSEC, so I think I'm going to propose removing the DNS method altogether from that XEP
lovetox
yes, i don't see how any websocket library will support this
Zash
Tho cache poisoning attacks aren't _that_ easy to pull off
moparisthebest
if you go https, which of the 2 methods would you pick? XML or json ?
moparisthebest
(or both?)
lovetox
json
moparisthebest
I unfortunately also think that's more sensible
lovetox
because python, and json maps to python dicts
lovetox
:)
moparisthebest
well and which do you think 100% of web clients pick? :/
moparisthebest
I think I'll also propose getting rid of the XML method and see how that goes :P
moparisthebest
in the short term you might want to disable DNS websocket discovery to avoid mitm :/
moparisthebest
wonder what pidgin does and how to get ahold of them...
Zash
xmpp:devel@conference.pidgin.im?join
moparisthebest
didn't expect that
lovetox
i also checked another python websocket lib, they also don't support this
lovetox
tls is always verified against the uri
Link Mauve
lovetox, note that the JSON method is optional, and the RDF one is mandatory.
moparisthebest
my rust websocket lib lets me pass in an already open+validated TLS connection, so I *can* validate against the proper domain
Link Mauve
So some servers (such as JabberFR’s) only provide a RDF file.
lovetox
hm i abstracted that pretty good away, i can easily exchange the dns discovery for a https discovery
lovetox
and push this as a security update
moparisthebest
nice!
moparisthebest
oh no, tigase probably supports it, any tigase devs about?
https://github.com/tigase/tigase-http-api/blob/2346fb8d4f7adf09707554dc16976f8e87f77548/src/main/groovy/tigase/http/modules/dnswebservice/DnsResolver.java#L168
moparisthebest
adium...
moparisthebest
https://github.com/search?p=3&q=_xmppconnect&type=Code if anyone wants to help :)
Zash
Wojtek, or try xmpp:tigase@muc.tigase.org?join maybe
moparisthebest
oh no https://github.com/xmppjs/xmpp.js/blob/63aecc49157980f6d68cc58605cf8a3fef664a2a/packages/resolve/lib/dns.js
Zash
DoH?
moparisthebest
14 years ago, maybe it's not being used? :crosses-fingers: https://github.com/HSSANN/jabber-net/blob/1b4e73417523426e854dd97b1b73ebc7e2876f0f/jabber/connection/HttpStanzaStream.cs
moparisthebest
99% of the github search results are libpurple
Zash
purple clones?
moparisthebest
active on the play store https://github.com/BombusMod/BombusMod/blob/6672861668979fb3612ea5933d437f68c1df4931/src/main/java/io/DnsSrvResolver.java
moparisthebest
it's mostly libpurple forks or copy/pasted into various clients and/or adium forks etc
lovetox
can one have a cert which is valid for 2 domains, as in a.org and b.org?
Zash
yes
flow
yes
Zash
subjectAlternativeNames can contain any number of identities
lovetox
ok, i knew wildcard, and subdomains, but was unsure about completely different ones
lovetox
:)
Zash
you can put a video of you playing with your cat in there
moparisthebest
what in the world https://github.com/poVoq/converse_wp/blob/5df09d931fb5b70a0fd854a006c5623240677aeb/conversejs.php#L140
moparisthebest
lovetox, but SNI only lets you request a cert valid for 1 domain, which is fun
moparisthebest
active project https://github.com/JustOxlamon/TwoRatChat/blob/8f75fa37f84367d7bc0fe9b61e0ff3554eda8c58/JabberNet-2.1.0.710/jabber/connection/HttpStanzaStream.cs#L107
moparisthebest
no one has confirmed in pidgin muc yet, but looks to me like it supports BOSH only and is indeed vulnerable to mitm https://keep.imfreedom.org/pidgin/pidgin/file/tip/libpurple/protocols/jabber/bosh.c#l97
moparisthebest
unfortunately that looks like the biggest attack surface :'(
moparisthebest
(making at least pidgin, adium, chatty, thunderbird, and what else vulnerable ?)