XMPP Service Operators - 2019-08-19

Is there any reason not to allow http plaintext connections to your http_upload server?

tom: I'd ask about the Gajim stuff in the Gajim room.

tom: > Is there any reason not to allow http plaintext connections to your http_upload server? Sure, you might not want to allow the man in the middle to intercept your users' uploads.

but is there any reason to make https mandatory instead of optional?

having https as an option metigates that, but as a cdn, Is it not good to allow plaintext access as well?

The upload extension doesn't support offering more than a single URL.

So you can't offer the client to choose between HTTP and HTTPS.

true, but clients (not uploaders) downloading static content can overide the https to do http

Just blindly try HTTP and retry via TLS if that fails?

If people wanted this behavior it would make more sense to extend the spec accordingly. But I doubt you'll convince people in these HTTPS-everywhere times.

tom: what's the usecase for non-httpS ?

well, for static content that's not confidential

for private conversations OMEMO would encrypt anyways

http is less overhead and can be easily cached my client-side proxies like squid or polipo

*by

also, when I do TLS I set it up right. so that means blacklisting all insecure cihpersuites

which realisticly only allows chacha20 and AESG

the worst thing I want to do is provide a false sense of security. where if you turn on https and I want to be secure, but if you use http on purpose you don't have the illusion of security

*AESGCM

older clients may not be able to speak TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384

All other ciphersuites are "insecure", sure.

give or take a few cipher modulo and hash length 128/256/384

that’s not even TLSv1.3

what about tls 1.3?

I'm convinced it makes sense to break interop (i.e. better don't get the cat pic at all than to take the risk) by not offering ciphers such as, say, AES-128-CBC-SHA once someone shows how exactly to break it. ✏

nevermind

I'm not asking about my cipherlist

tom: Sure, you're just making the point that you need HTTP for interop because you can't offer HTTPS except with a super-restrictive cipherlist because anything else would impose a false sense of security 🙂

well not exactly. I don't /need/ plaintext access I'm just wondering if there should be any plaintext access

no clients have problems with my restrictive cipherlist that I know of

Let's just use http everywhere because TLS is not perfect anyway and it provides a false sense of security :)

that’s the usual symptom of restrictive cipher lists

tom: Well many have. But whatever. I do see your points about overhead and proxies. I just doubt you'll convince people.

I didn’t notice that I lost connectivity to jabber.ru due to TLS foo until someone pointed it out out-of-band ✏

Also tom it'd be great if you stopped taking over this channel for every single topic you want to talk about. Please

it *is* related to operations, pep. ✏

> I do see your points about overhead and proxies. I just doubt you'll convince people. I'm not worried about convincing people, I'm just wondering if there is any other scenario besides the proxy example

jonas’: it started with gajim and jingle

I didn’t scroll up that far

>pep.‎: Also tom it'd be great if you stopped taking over this channel for every single topic you want to talk about. Please this channel is idle 90% of the time. If anybody else has a topic they'd like to talk about nothing's stopping them from bringing it up

It's idle 90% of the time so what. Let's all have a single channel with every xmpp users so that it's not idle at all?

tom: That's the usual response of people being asked to stay on topic. The problem is not everybody joined here is interested in having his phone beeping when it's about Jingle for Gajim. I'm not, for one.

maybe the gajim conversation was a bit offtopic

(Personally I *am* somewhat interested in Gajim and Jingle, but I joined this room with the phone to be notified of actual operators stuff quickly; while I'm joined to the Gajim room only on my desktop. Just to give an example.)

sure

tom: fwiw, join the gajim room and talk about what you want to do re UI, and the codebase in there. The current maintainer has done a huge amount of work cleaning it up, there are probably parts you can merge in your potential 0.16 fork if it happens

Ah you have joined, cool :)