does anyone know of a live server I can find a /.well-known/posh/xmpp-client.json or /.well-known/posh/xmpp-server.json on?
jonas’
moparisthebest, anything hosted by conversations.im, I think
jonas’
though apparently not *anything*
jonas’
but some things
jonas’
the one (private) domain I knew of did not have it
MattJ
moparisthebest, https://badxmpp.eu/ to the rescue
MattJ
Specifically posh.badxmpp.eu
moparisthebest
MattJ: thanks! Praise zash as usual :)
Zash
🙂
moparisthebest
jonas’: that was my first stop, but none on conversations.im itself and I don't know anything hosted by it offhand
MattJ
Also note that you probably won't find xmpp-server.json anywhere in the wild
MattJ
We've discussed just using xmpp-client for s2s :)
moparisthebest
MattJ: like just combining them both and allowing any match?
MattJ
Probably
moparisthebest
I honestly can't think of a problem with that
MattJ
I think we should ensure implementations never let POSH override DANE or better mechanisms. In particular, there really ought to be a secure way to opt out of POSH, but I can't think of anything except that
MattJ
e.g. I would rather if my web hosting provider didn't have the ability to compromise my XMPP service with the presence of a file or two
moparisthebest
That makes sense, the downside of course is that hardly anyone does DNSSEC
moparisthebest
MattJ: DANE obviously ranks above all, where does POSH rank against CAs though?
moparisthebest
Though... Now that I'm thinking about it, I'm not positive it's more common for people to host their own DNSSEC than HTTPS?
moparisthebest
As in it'd be more likely for your DNS host to compromise your XMPP server than your web hosting provider? Maybe?
Kev
POSH is roughly equivalent to CA (if LE) isn't it?
moparisthebest
Kev: I can't immediately come up with a convincing argument as to how they are different yea
moparisthebest
I guess if your DNS host is compromised it's game over anyway, as they can not only set DANE but also get certificates and host your https and XMPP... So "evil web host" is an additional attack vector on top of that existing one
jalalhas left
Kev
Ah, you're right. CA is better than POSH even when LE.
moparisthebest
Better or the same?
moparisthebest
Well, if you can get a CA cert there's no need to do POSH I guess? So POSH is an additional attack vector on top of an existing one? *Unless* your web host that hosts POSH is protected with DANE??????
moparisthebest
My head hurts
Kev
If you use POSH there's one extra machine (potentially) that compromising would affect the trust chain.
Kev
(And if it's not an extra machine, you may as well not use POSH)
moparisthebest
Yea, unless DANE
Kev
Even if DANE, no?
moparisthebest
Hmm... Need more coffee
Kev
Assuming you mean DANE of the POSH host (because if you DANE on XMPP you don't need it on the POSH host).
Kev
Because if the POSH host is compromised (host itself, not DNS), it's an extra point that can lie, despite having valid certs.
moparisthebest
Thinking about it, if you can do DANE why have POSH
Kev
If you can DANE on the XMPP host, yes, POSH doesn't seem to do anything (to me).
moparisthebest
A DANE-capable client wouldn't check DANE on POSH because it would never get there
Wojtekhas joined
moparisthebest
So absent Dane, you basically have to trust CA *or* POSH
moparisthebest
There's no secure way to say "please don't trust POSH" other than DANE
moparisthebest
And POSH isn't the only way your HTTPS host can compromise your XMPP server, WebSockets/BOSH can do it too
Kev
If you expose those, yes.
moparisthebest
No, even if you don't expose them right?
MattJ
No, an attacker who has access to your web server can advertise any BOSH/WS URLs and intercept your XMPP traffic using those mechanisms (and that discovery mechanism)
moparisthebest
^
Zash
DANE > (POSH if some conditions else PKIX)
or somesuch
moparisthebest
would any of you care to provide feedback on my very related adding things to xep-156 host-meta proposal in council@ ? :)
moparisthebest
actually I'm not sure order really matters, I mean, you can apply the order for outbound connections, but for incoming s2s you basically just have to apply "any of DANE or CA or POSH goes" right?
moparisthebest
the end result being your web host can make outgoing s2s connections on your behalf 100% of the time?