jdev - 2022-02-09


  1. pep.

    How do I specify something that's still very much in use, when the document has evolved and this thing I want to specify "doesn't exist anymore" on paper but is still pretty much everywhere in practice

  2. pep.

    (oldmemo)

  3. Zash

    do we do Historical for those?

  4. pep.

    In particular, omemo vs pubsub#type

  5. pep.

    It's not historical

  6. pep.

    Is it

  7. Zash

    Historical might still technically be for things invented prior to the [XJ]SF and [XJ]EP procedure existed, but I'm thinking it could be used for things developed outside of the XSF and that would be good to have a stable reference for

  8. Zash

    to document "this is a thing that some software are doing"

  9. pep.

    I'd say my case also doesn't fit in there, unless you want me to do the thing first, make it a de-facto standard that everybody will rant about, and then come back with it

  10. Zash

    For O(LD)MEMO that was done as a version so that it went into the attic, tho that seems like a weird thing

  11. Zash

    Or did I misunderstand the whole thing?

  12. jonas’

    pep., put it in the omemo xep?

  13. Zash

    "This is your brain on meetings"

  14. pep.

    jonas’, the eu.siacs ns isn't a thing anymore

  15. pep.

    In the spec

  16. jonas’

    welp

  17. Zash

    Link to https://xmpp.org/extensions/attic/xep-0384-0.3.0.html

  18. pep.

    Can I branch 0384-0.3.0? :P

  19. Zash

    See, perhaps it should have been a Historical XEP?

  20. pep.

    Are we allowed to modify histerical xeps?

  21. jonas’

    yes

  22. pep.

    Are we allowed to modify hysterical xeps?

  23. jonas’

    is it worth the hassle to write even down what you intend to write down?

  24. pep.

    I was kinda asked to "because it's not specified" :/

  25. jonas’

    so just don't do pubsub#type for omemo?

  26. jonas’

    then it doesn't have to be specified :)

  27. jonas’

    just migrate to newmemo

  28. pep.

    Yeah in 10 years

  29. jonas’

    *shrug*

  30. pep.

    Anyway, it's interesting to know that there's no answer to this

  31. jonas’

    the OMEMO spec history is really unfortunate

  32. Zash

    understatement?

  33. pep.

    I think it would be the same with any other(?) if you change/update the NS.. I guess there could be a note in the spec like "In an earlier version of this spec blah blah, you can do this and that"

  34. pep.

    ("update" also meaning ":0" -> ":1" to me)

  35. pep.

    (it's not the same ns anymore)

  36. Zash

    implementation note?

  37. pep.

    Yeah

  38. pep.

    I'll fill something for that. Waiting to be shutdown somewhat..

  39. pep.

    Also, I'm wondering if it's written anywhere (or should be written anywhere) to prefer purging nodes instead of deleting them

  40. pep.

    So that doesn't ruin the work/expectations of other clients. Say I start filling pubsub#type on my nodes and somebody comes in, yanks everything and recreates the node without the field. Unless obviously that's on purpose

  41. jonas’

    I'd say other clients need to be able to deal with nodes not containing pubsub#tpye

  42. jonas’

    I'd say other clients need to be able to deal with nodes not containing pubsub#type

  43. pep.

    Sure, that's not my point

  44. jonas’

    it seems a bit futile in putting energy in polishing oldmemo that way then

  45. pep.

    Just that it'd kinda ruin the effort a client puts in

  46. pep.

    This doesn't just apply to OMEMO

  47. pep.

    It applies to everything pubsub

  48. pep.

    Am I the only one seeing this as a generic issue? (purge/delete)

  49. Link Mauve

    I don’t think I’ve ever seen it being an issue.

  50. Link Mauve

    Maybe it is for OMEMO, which I don’t use.

  51. Link Mauve

    But for everything else PubSub, clients do the sensible thing.

  52. pep.

    Let's forget about OMEMO for a sec, that's not the point

  53. pep.

    I should have waited 24h before I started another topic

  54. pep.

    Link Mauve, and hmm, I do remember some devs discovering purge (gajim?) and being happy that it exists and that it can be used instead of delete. Might have been for avatars or the like, I don't remember the details

  55. pep.

    Say for privacy settings and whatnot

  56. pep.

    So if this dev didn't know about this, I don't want to imagine how many people getting into XMPP don't either.

  57. jonas’

    pep., I just refused (deferred) to follow your topic change. You would've gotten the same comment if you hadn't written the other line.

  58. pep.

    That doesn't answer my question really but ok. Link Mauve does, but I'm not sure I agree that clients "just do the sensible thing" (I have an example with gajim -- I can find logs again -- and gajim is not any client)

  59. pep.

    Or when gajim also used to reset max_items to 1, clearing microblog nodes. Or something similar

  60. pep.

    Mistakes happen, surely, but it'd be nice to guard against them somehow

  61. pep.

    Would that fit modernxmpp btw? (or anywhere else?) Or will this just live as tribal knowledge

  62. Stefan

    Yes, more information in the implementation notes + Appendix H: Revision History. Change namespace to urn:xmpp:omemo:1 -> Change namespace from eu..... to urn:xmpp:omemo:1 This would be very helpful.

  63. moparisthebest

    other than gajim and pidgin, is anyone aware of other clients using _xmppconnect ?

  64. flow

    don't you have the same issue with the http lookup method?

  65. Zash

    no because https

  66. flow

    ahh, yes

  67. flow

    luckily, smack appears to only implement the http lookup method, and not (yet) _xmppconnect

  68. moparisthebest

    does it enforce https when doing the lookup ?

  69. Zash

    I suppose there's not much point in adding _xmppconnect checking support to prosodyctl then

  70. moparisthebest

    because indeed you can't trust it with regular http either

  71. Zash

    Isn't that mandated by whatever defined /.well-known/host-meta ?

  72. Zash

    Beware HTTP redirects tho

  73. moparisthebest

    not much is because this was in those young carefree days when non-TLS was ok!

  74. moparisthebest

    the websocket rfc does say: > Thus, the connection endpoint is still authenticated, and the delegation is secure as long as the Web-host Metadata file is retrieved via HTTPS.

  75. lovetox

    sooo, what does this mean, we should not use the dns method?

  76. moparisthebest

    lovetox, well, do you enforce DNSSEC for it now? and how do you validate the certificate ?

  77. moparisthebest

    and which if any domain do you send in SNI

  78. moparisthebest

    I expect the answer to be "the websocket library takes care of this" in which case you are vulnerable to MITM

  79. lovetox

    of course we pass the library just the url

  80. lovetox

    there is nothing more to configure

  81. lovetox

    except the protocoll "xmpp"

  82. lovetox

    i could implement the https method, but makes everything again more complicated

  83. moparisthebest

    lovetox, so right now if _xmppconnect.example.org pointed to wss://evil.com/xmpp and evil.com presented a valid cert for evil.com you'd just trust it and go on ?

  84. moparisthebest

    I mean that's what I expect, but it's vulnerable to MITM :(

  85. lovetox

    yes

  86. moparisthebest

    it's only ok with DNSSEC, so I think I'm going to propose removing the DNS method alltogether from that XEP

  87. lovetox

    yes, i dont see how any websocket library will support this

  88. Zash

    Tho cache poisoning attacks isn't _that_ easy to pull off

  89. moparisthebest

    if you go https, which of the 2 methods would you pick? XML or json ?

  90. moparisthebest

    (or both?)

  91. lovetox

    json

  92. moparisthebest

    I unfortunately also think that's more sensible

  93. lovetox

    because python, and json maps to python dicts

  94. lovetox

    :)

  95. moparisthebest

    well and which do you think 100% of web clients pick? :/

  96. moparisthebest

    I think I'll also propose getting rid of the XML method and see how that goes :P

  97. moparisthebest

    in the short term you might want to disable DNS websocket discovery to avoid mitm :/

  98. moparisthebest

    wonder what pidgin does and how to get ahold of them...

  99. Zash

    xmpp:devel@conference.pidgin.im?join

  100. moparisthebest

    didn't expect that

  101. lovetox

    i also checked another python websocket lib, they also dont support this

  102. lovetox

    tls is always verified against the uri

  103. Link Mauve

    lovetox, note that the JSON method is optional, and the RDF one is mandatory.

  104. moparisthebest

    my rust websocket lib lets me pass in an already open+validated TLS connection, so I *can* validate against the proper domain

  105. Link Mauve

    So some servers (such as JabberFR’s) only provide a RDF file.

  106. moparisthebest

    but no web servers support this

  107. moparisthebest

    which is a bigger problem

  108. moparisthebest

    ugh it's true https://datatracker.ietf.org/doc/html/rfc7395#section-4

  109. lovetox

    yeah then i will use xml

  110. lovetox

    i will not do 2 https requests

  111. Zash

    (pipeline?)

  112. lovetox

    hm i abstracted that pretty good away, i can easily exchange the dns discovery for a https disovery

  113. lovetox

    and push this as a security update

  114. moparisthebest

    nice!

  115. moparisthebest

    oh no, tigase probably supports it, any tigase devs about? https://github.com/tigase/tigase-http-api/blob/2346fb8d4f7adf09707554dc16976f8e87f77548/src/main/groovy/tigase/http/modules/dnswebservice/DnsResolver.java#L168

  116. moparisthebest

    adium...

  117. moparisthebest

    https://github.com/search?p=3&q=_xmppconnect&type=Code if anyone wants to help :)

  118. Zash

    Wojtek, or try xmpp:tigase@muc.tigase.org?join maybe

  119. moparisthebest

    oh no https://github.com/xmppjs/xmpp.js/blob/63aecc49157980f6d68cc58605cf8a3fef664a2a/packages/resolve/lib/dns.js

  120. Zash

    DoH?

  121. moparisthebest

    14 years ago, maybe it's not being used? :crosses-fingers: https://github.com/HSSANN/jabber-net/blob/1b4e73417523426e854dd97b1b73ebc7e2876f0f/jabber/connection/HttpStanzaStream.cs

  122. moparisthebest

    99% of the github search results are libpurple

  123. Zash

    purple clones?

  124. moparisthebest

    active on the play store https://github.com/BombusMod/BombusMod/blob/6672861668979fb3612ea5933d437f68c1df4931/src/main/java/io/DnsSrvResolver.java

  125. moparisthebest

    it's mostly libpurple forks or copy/pasted into various clients and/or adium forks etc

  126. lovetox

    can one have a cert which is valid for 2 domains, as in a.org and b.org?

  127. Zash

    yes

  128. flow

    yes

  129. Zash

    subjectAlternativeNames can contain any number of identities

  130. lovetox

    ok, i knew wildcard, and subdomains, but was unsure about completely different ones

  131. lovetox

    :)

  132. Zash

    you can put a video of you playing with your cat in there

  133. moparisthebest

    what in the world https://github.com/poVoq/converse_wp/blob/5df09d931fb5b70a0fd854a006c5623240677aeb/conversejs.php#L140

  134. moparisthebest

    lovetox, but SNI only lets you request a cert valid for 1 domain, which is fun

  135. moparisthebest

    active project https://github.com/JustOxlamon/TwoRatChat/blob/8f75fa37f84367d7bc0fe9b61e0ff3554eda8c58/JabberNet-2.1.0.710/jabber/connection/HttpStanzaStream.cs#L107

  136. moparisthebest

    no one has confirmed in pidgin muc yet, but looks to me like it supports BOSH only and is indeed vulnerable to mitm https://keep.imfreedom.org/pidgin/pidgin/file/tip/libpurple/protocols/jabber/bosh.c#l97

  137. moparisthebest

    unfortunately that looks like the biggest attack surface :'(

  138. moparisthebest

    (making at least pidgin, adium, chatty, thunderbird, and what else vulnerable ?)