jdev - 2024-12-25


  1. edhelas

    I just saw that if you send the same media twice on Telegram, it basically doesn't reupload but reuse the same media, it seems that there's a simple hash done client side that allow reusing the previous one. Is there already XMPP clients that does that ? Basically it means that you can reuse the HTTP Upload GET URL several times during the upload, pretty simple but I was wondering about hypothetical negative impacts (security ?).

  2. jjj333_p (any pronouns)

    generally the way its done more privacy respecting is youll upload it again and the server deduplicates it on the backend and multiple urls point at the same file

  3. jjj333_p (any pronouns)

    idk if thats how xmpp servers do it per se but thats the general approach

  4. jjj333_p (any pronouns)

    it would be nice to have an xmpp client with msg fowarding though so you didnt have to reupload

  5. jjj333_p (any pronouns)

    this also doesnt work well in e2ee chats

  6. Trung

    Yeah public group would be nice but might break e2e

  7. Guus

    If it is the same user doing the upload, would the GET url not be that hash?

  8. Guus

    If its not the same server, then not needing to upload tells you something about others having already uploaded that bit of data. Could be a security/privacy issue.

  9. Guus

    > If it is the same user doing the upload, would the GET url not be that hash? As in: you can distribute the GET URL more than once, without needing to upload the data again anyways

  10. edhelas

    > > If it is the same user doing the upload, would the GET url not be that hash? > As in: you can distribute the GET URL more than once, without needing to upload the data again anyways I don't really see a real privacy issue regarding that

  11. edhelas

    Basically my use case if if you would like to share the same picture to a few of your contacts at the same time, upload once and reuse the URL if you want to "reupload"

  12. jjj333_p (any pronouns)

    > Basically my use case if if you would like to share the same picture to a few of your contacts at the same time, upload once and reuse the URL if you want to "reupload" what the client could do to save this would to be locally save a map of file hash to file url and just reuse that

  13. jjj333_p (any pronouns)

    no fetching from the server needed then

  14. Trung

    Omemo yes. Pgp may be not.

  15. Guus

    I was only wondering about a security issue when multiple difficulty people intending to send the same file would share the same URL / hash. I don't immediately see an issue with the same user reusing the same GET URL.

  16. Trung

    Alice encrypt a file to Bob and use the same url to send to Charlie. Poor Chalie can't decrypt and read the file i think

  17. Trung

    Im not sure how omemo work tho but i think pgp need to encrypt again ?

  18. Link Mauve

    Trung, OMEMO isn’t used for XEP-0454, which is what you’re referring to.

  19. wgreenhouse

    edhelas: poezio has /embed for this

  20. wgreenhouse

    in principle any client could let you re-enter the oob url

  21. singpolyma

    > I just saw that if you send the same media twice on Telegram, it basically doesn't reupload but reuse the same media, it seems that there's a simple hash done client side that allow reusing the previous one. > Is there already XMPP clients that does that ? Basically it means that you can reuse the HTTP Upload GET URL several times during the upload, pretty simple but I was wondering about hypothetical negative impacts (security ?). I have all the client mechanics for this but to really work we need an extension to the http upload xep to send a hash along with the slot request so the server can send back only GET and no PUT to indicate you already uploaded this file before. If you don't just remember the GET client side then you won't know if it has already expired or similar and the URL might be dead. Sending hash in slot request the server can extend expiry as if uploading etc

  22. edhelas

    Yup

  23. singpolyma

    > Alice encrypt a file to Bob and use the same url to send to Charlie. Poor Chalie can't decrypt and read the file i think The hash would not match between encryption to different targets so that's no issue

  24. edhelas

    I think you can do everything fully retrocompatible and add the hash mechanism on top

  25. singpolyma

    Yes for sure you can

  26. singpolyma

    Add it as a child to the slot request. I almost just started adding it even though no server looks for it yet

  27. wgreenhouse

    is a content hash part of oob or sims? or is this an implementation-first xep-next scenario

  28. singpolyma

    sims yes

  29. singpolyma

    And content has has its own special xep seperate from anything else that all other xeps reuse

  30. singpolyma

    And content hash has its own special xep seperate from anything else that all other xeps reuse

  31. wgreenhouse

    aha

  32. Trung

    but we all know the real question for today is how much beer can Santa encrypt down his tummy

  33. edhelas

    We all should be notified if he resolves his own promise.

  34. moparisthebest

    >> I just saw that if you send the same media twice on Telegram, it basically doesn't reupload but reuse the same media, it seems that there's a simple hash done client side that allow reusing the previous one. >> Is there already XMPP clients that does that ? Basically it means that you can reuse the HTTP Upload GET URL several times during the upload, pretty simple but I was wondering about hypothetical negative impacts (security ?). > I have all the client mechanics for this but to really work we need an extension to the http upload xep to send a hash along with the slot request so the server can send back only GET and no PUT to indicate you already uploaded this file before. If you don't just remember the GET client side then you won't know if it has already expired or similar and the URL might be dead. Sending hash in slot request the server can extend expiry as if uploading etc Why bother with all this, teaching the server hash mechanisms and all that jazz, instead of just "hey I uploaded this file before and would like the expiration time extended" ?

  35. moparisthebest

    You can send the same aesgcm:// encrypted link to unlimited contacts too

  36. singpolyma

    That's what sending the hash is for, to indicate what file this is

  37. doge

    Why not make the hash the filename on server

  38. singpolyma

    That's an internal choice by the server sure

  39. singpolyma

    Server can use any filename it wants. Nothing even says the server needs to store the data as files per se

  40. doge

    I mean on the url

  41. doge

    just update the current spec for it to be http://.../$md5.mp4

  42. singpolyma

    URL can be anything the server wants. Fixing it to a specific format wouldn't help anyone

  43. larma

    > That's what sending the hash is for, to indicate what file this is Why can't you just use the URL as an identifier? You could just tell the server "Make this URL available for longer". We are lacking the "Manage uploaded files" XEP anyway, that could specify: listing uploaded files including expiry information for then, deleting them and extending them.

  44. larma

    > That's what sending the hash is for, to indicate what file this is Why can't you just use the uploaded file's URL as an identifier? You could just tell the server "Make this URL available for longer". We are lacking the "Manage uploaded files" XEP anyway, that could specify: listing uploaded files including expiry information for then, deleting them and extending them.

  45. larma

    Clients might want to intentionally upload two files with the same hash, your concept would block that.

  46. moparisthebest

    singpolyma, why teach the server about hashes when you can just send it the URL

  47. moparisthebest

    yes, what larma said ^^^

  48. singpolyma

    I mean I guess you could. Then you have to teach the server about the URI which seems more complex for no gain to me, but I guess it would work out the same in the end

  49. leke

    Yes, we need an XEP for managing uploaded files. I really want to permanently store some files, such as those used for avatars.

  50. singpolyma

    > Clients might want to intentionally upload two files with the same hash, your concept would block that. If you have two files with the same hash you need to use a different hash, heh

  51. jonas’

    singpolyma, unless your entire point is to demonstrate a hash collision

  52. jonas’

    like, to your hacker friends

  53. jonas’

    send them samples

  54. singpolyma

    Right but if you've found an example of that Very Bad Things are happening and we would be urgently upgrading everything

  55. moparisthebest

    the server always has to know about the URI, because it has to serve the file there

  56. singpolyma

    Some server needs to be able to decode it at request time, sure

  57. singpolyma

    Some web server needs to be able to decode it at request time, sure

  58. moparisthebest

    Yea, and that's what you need to talk to