tom: Is there any reason not to allow http plaintext connections to your http_upload server?
Holger: tom: I'd ask about the Gajim stuff in the Gajim room.
Holger: tom:
> Is there any reason not to allow http plaintext connections to your http_upload server?
Sure, you might not want to allow the man in the middle to intercept your users' uploads.
tom: but is there any reason to make https mandatory instead of optional?
tom: having https as an option mitigates that, but as a CDN, is it not good to allow plaintext access as well?
Holger: The upload extension doesn't support offering more than a single URL.
Holger: So you can't offer the client to choose between HTTP and HTTPS.
tom: true, but clients (not uploaders) downloading static content can override the https to do http
Holger: Just blindly try HTTP and retry via TLS if that fails?
Holger: If people wanted this behavior it would make more sense to extend the spec accordingly. But I doubt you'll convince people in these HTTPS-everywhere times.
Licaon_Kter: tom: what's the use case for non-httpS?
tom: well, for static content that's not confidential
tom: for private conversations OMEMO would encrypt anyways
tom: http is less overhead and can be easily cached my client-side proxies like squid or polipo
tom: *by
tom: also, when I do TLS I set it up right. so that means blacklisting all insecure ciphersuites
tom: which realistically only allows chacha20 and AESG
tom: the worst thing I want to do is provide a false sense of security. where if you turn on https and I want to be secure, but if you use http on purpose you don't have the illusion of security
tom: *AESGCM
tom: older clients may not be able to speak TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384
Holger: All other ciphersuites are "insecure", sure.
tom: give or take a few cipher modulo and hash length 128/256/384
jonas’: that’s not even TLSv1.3
Holger: I'm convinced it makes sense to break interop (i.e. better don't get the cat pic at all than to take the risk) by not offering ciphers such as, say, AES-128-CBC-SHA once someone shows how exactly to break it.
tom: what about tls 1.3?
tom: nevermind
tom: I'm not asking about my cipherlist
Holger: tom: Sure, you're just making the point that you need HTTP for interop because you can't offer HTTPS except with a super-restrictive cipherlist because anything else would impose a false sense of security 🙂
tom: well not exactly. I don't /need/ plaintext access I'm just wondering if there should be any plaintext access
tom: no clients have problems with my restrictive cipherlist that I know of
pep.: Let's just use http everywhere because TLS is not perfect anyway and it provides a false sense of security :)
jonas’: that’s the usual symptom of restrictive cipher lists
Holger: tom: Well many have. But whatever. I do see your points about overhead and proxies. I just doubt you'll convince people.
jonas’: I didn’t notice that I lost connectivity to jabber.ru due to TLS foo until someone pointed it out out-of-band
pep.: Also tom it'd be great if you stopped taking over this channel for every single topic you want to talk about. Please
tom:
> I do see your points about overhead and proxies. I just doubt you'll convince people.
I'm not worried about convincing people, I'm just wondering if there is any other scenario besides the proxy example
pep.: jonas’: it started with gajim and jingle
jonas’: I didn’t scroll up that far
tom:
> pep.: Also tom it'd be great if you stopped taking over this channel for every single topic you want to talk about. Please
this channel is idle 90% of the time. If anybody else has a topic they'd like to talk about nothing's stopping them from bringing it up
pep.: It's idle 90% of the time so what. Let's all have a single channel with every xmpp users so that it's not idle at all?
Holger: tom: That's the usual response of people being asked to stay on topic. The problem is not everybody joined here is interested in having his phone beeping when it's about Jingle for Gajim. I'm not, for one.
tom: maybe the gajim conversation was a bit offtopic
Holger: (Personally I *am* somewhat interested in Gajim and Jingle, but I joined this room with the phone to be notified of actual operators stuff quickly; while I'm joined to the Gajim room only on my desktop. Just to give an example.)
tom: sure
pep.: tom: fwiw, join the gajim room and talk about what you want to do re UI, and the codebase in there. The current maintainer has done a huge amount of work cleaning it up, there are probably parts you can merge in your potential 0.16 fork if it happens