pep.: How do I specify something that's still very much in use, when the document has evolved and this thing I want to specify "doesn't exist anymore" on paper but is still pretty much everywhere in practice
pep.: (oldmemo)
Zash: do we do Historical for those?
pep.: In particular, omemo vs pubsub#type
pep.: It's not historical
pep.: Is it
Zash: Historical might still technically be for things invented prior to the [XJ]SF and [XJ]EP procedure existed, but I'm thinking it could be used for things developed outside of the XSF and that would be good to have a stable reference for
Zash: to document "this is a thing that some software is doing"
pep.: I'd say my case also doesn't fit in there, unless you want me to do the thing first, make it a de-facto standard that everybody will rant about, and then come back with it
Zash: For O(LD)MEMO that was done as a version so that it went into the attic, tho that seems like a weird thing
Zash: Or did I misunderstand the whole thing?
jonas’: pep., put it in the omemo xep?
Zash: "This is your brain on meetings"
pep.: jonas’, the eu.siacs ns isn't a thing anymore
pep.: In the spec
jonas’: welp
Zash: Link to https://xmpp.org/extensions/attic/xep-0384-0.3.0.html
pep.: Can I branch 0384-0.3.0? :P
Zash: See, perhaps it should have been a Historical XEP?
jonas’: is it worth the hassle to even write down what you intend to write down?
pep.: I was kinda asked to "because it's not specified" :/
jonas’: so just don't do pubsub#type for omemo?
jonas’: then it doesn't have to be specified :)
jonas’: just migrate to newmemo
pep.: Yeah in 10 years
jonas’: *shrug*
pep.: Anyway, it's interesting to know that there's no answer to this
jonas’: the OMEMO spec history is really unfortunate
Zash: understatement?
pep.: I think it would be the same with any other(?) if you change/update the NS.. I guess there could be a note in the spec like "In an earlier version of this spec blah blah, you can do this and that"
pep.: ("update" also meaning ":0" -> ":1" to me)
pep.: (it's not the same ns anymore)
Zash: implementation note?
pep.: Yeah
pep.: I'll file something for that. Waiting to be shut down somewhat..
pep.: Also, I'm wondering if it's written anywhere (or should be written anywhere) to prefer purging nodes instead of deleting them
pep.: So that doesn't ruin the work/expectations of other clients. Say I start filling pubsub#type on my nodes and somebody comes in, yanks everything and recreates the node without the field. Unless obviously that's on purpose
jonas’: I'd say other clients need to be able to deal with nodes not containing pubsub#type
pep.: Sure, that's not my point
jonas’: it seems a bit futile putting energy into polishing oldmemo that way then
pep.: Just that it'd kinda ruin the effort a client puts in
pep.: This doesn't just apply to OMEMO
pep.: It applies to everything pubsub
pep.: Am I the only one seeing this as a generic issue? (purge/delete)
Link Mauve: I don’t think I’ve ever seen it being an issue.
Link Mauve: Maybe it is for OMEMO, which I don’t use.
Link Mauve: But for everything else PubSub, clients do the sensible thing.
pep.: Let's forget about OMEMO for a sec, that's not the point
pep.: I should have waited 24h before I started another topic
pep.: Link Mauve, and hmm, I do remember some devs discovering purge (gajim?) and being happy that it exists and that it can be used instead of delete. Might have been for avatars or the like, I don't remember the details
pep.: Say for privacy settings and whatnot
pep.: So if this dev didn't know about this, I don't want to imagine how many people getting into XMPP don't either.
jonas’: pep., I just refused (deferred) to follow your topic change. You would've gotten the same comment if you hadn't written the other line.
pep.: That doesn't answer my question really but ok. Link Mauve does, but I'm not sure I agree that clients "just do the sensible thing" (I have an example with gajim -- I can find logs again -- and gajim is not just any client)
pep.: Or when gajim also used to reset max_items to 1, clearing microblog nodes. Or something similar
pep.: Mistakes happen, surely, but it'd be nice to guard against them somehow
pep.: Would that fit modernxmpp btw? (or anywhere else?) Or will this just live as tribal knowledge
Stefan: Yes, more information in the implementation notes + Appendix H: Revision History.
Change namespace to urn:xmpp:omemo:1 ->
Change namespace from eu..... to urn:xmpp:omemo:1
This would be very helpful.
moparisthebest: other than gajim and pidgin, is anyone aware of other clients using _xmppconnect ?
flow: don't you have the same issue with the http lookup method?
Zash: no because https
flow: ahh, yes
flow: luckily, smack appears to only implement the http lookup method, and not (yet) _xmppconnect
moparisthebest: does it enforce https when doing the lookup ?
Zash: I suppose there's not much point in adding _xmppconnect checking support to prosodyctl then
moparisthebest: because indeed you can't trust it with regular http either
Zash: Isn't that mandated by whatever defined /.well-known/host-meta ?
Zash: Beware HTTP redirects tho
moparisthebest: not much is because this was in those young carefree days when non-TLS was ok!
moparisthebest: the websocket rfc does say:
> Thus, the connection endpoint is still authenticated, and the delegation is secure as long as the Web-host Metadata file is retrieved via HTTPS.
lovetox: sooo, what does this mean, we should not use the dns method?
moparisthebest: lovetox, well, do you enforce DNSSEC for it now? and how do you validate the certificate ?
moparisthebest: and which if any domain do you send in SNI
moparisthebest: I expect the answer to be "the websocket library takes care of this" in which case you are vulnerable to MITM
lovetox: of course we pass the library just the url
lovetox: there is nothing more to configure
lovetox: except the protocol "xmpp"
lovetox: I could implement the https method, but it makes everything again more complicated
moparisthebest: lovetox, so right now if _xmppconnect.example.org pointed to wss://evil.com/xmpp and evil.com presented a valid cert for evil.com you'd just trust it and go on ?
moparisthebest: I mean that's what I expect, but it's vulnerable to MITM :(
lovetox: yes
moparisthebest: it's only ok with DNSSEC, so I think I'm going to propose removing the DNS method altogether from that XEP
lovetox: yes, I don't see how any websocket library will support this
Zash: Tho cache poisoning attacks aren't _that_ easy to pull off
moparisthebest: if you go https, which of the 2 methods would you pick? XML or JSON ?
moparisthebest: (or both?)
lovetox: JSON
moparisthebest: I unfortunately also think that's more sensible
lovetox: because Python, and JSON maps to Python dicts
lovetox: :)
moparisthebest: well and which do you think 100% of web clients pick? :/
moparisthebest: I think I'll also propose getting rid of the XML method and see how that goes :P
moparisthebest: in the short term you might want to disable DNS websocket discovery to avoid mitm :/
moparisthebest: wonder what pidgin does and how to get ahold of them...
Zash: xmpp:devel@conference.pidgin.im?join
moparisthebest: didn't expect that
lovetox: I also checked another python websocket lib, they also don't support this
lovetox: tls is always verified against the uri
Link Mauve: lovetox, note that the JSON method is optional, and the RDF one is mandatory.
moparisthebest: my rust websocket lib lets me pass in an already open+validated TLS connection, so I *can* validate against the proper domain
Link Mauve: So some servers (such as JabberFR’s) only provide an RDF file.
lovetox: hm I abstracted that pretty well away, I can easily exchange the dns discovery for a https discovery
lovetox: and push this as a security update
moparisthebest: nice!
moparisthebest: oh no, tigase probably supports it, any tigase devs about?
https://github.com/tigase/tigase-http-api/blob/2346fb8d4f7adf09707554dc16976f8e87f77548/src/main/groovy/tigase/http/modules/dnswebservice/DnsResolver.java#L168
moparisthebest: adium...
moparisthebest: https://github.com/search?p=3&q=_xmppconnect&type=Code if anyone wants to help :)
Zash: Wojtek, or try xmpp:tigase@muc.tigase.org?join maybe
moparisthebest: oh no https://github.com/xmppjs/xmpp.js/blob/63aecc49157980f6d68cc58605cf8a3fef664a2a/packages/resolve/lib/dns.js
Zash: DoH?
moparisthebest: 14 years ago, maybe it's not being used? :crosses-fingers: https://github.com/HSSANN/jabber-net/blob/1b4e73417523426e854dd97b1b73ebc7e2876f0f/jabber/connection/HttpStanzaStream.cs
moparisthebest: 99% of the github search results are libpurple
Zash: purple clones?
moparisthebest: active on the play store https://github.com/BombusMod/BombusMod/blob/6672861668979fb3612ea5933d437f68c1df4931/src/main/java/io/DnsSrvResolver.java
moparisthebest: it's mostly libpurple forks or copy/pasted into various clients and/or adium forks etc
lovetox: can one have a cert which is valid for 2 domains, as in a.org and b.org?
Zash: yes
flow: yes
Zash: subjectAlternativeNames can contain any number of identities
lovetox: ok, I knew wildcard, and subdomains, but was unsure about completely different ones
lovetox: :)
Zash: you can put a video of you playing with your cat in there
moparisthebest: what in the world https://github.com/poVoq/converse_wp/blob/5df09d931fb5b70a0fd854a006c5623240677aeb/conversejs.php#L140
moparisthebest: lovetox, but SNI only lets you request a cert valid for 1 domain, which is fun
moparisthebest: no one has confirmed in pidgin muc yet, but looks to me like it supports BOSH only and is indeed vulnerable to mitm https://keep.imfreedom.org/pidgin/pidgin/file/tip/libpurple/protocols/jabber/bosh.c#l97
moparisthebest: unfortunately that looks like the biggest attack surface :'(
moparisthebest: (making at least pidgin, adium, chatty, thunderbird, and what else vulnerable ?)