Is there any reason not to allow http plaintext connections to your http_upload server?
Holger
tom: I'd ask about the Gajim stuff in the Gajim room.
Holger
tom:
> Is there any reason not to allow http plaintext connections to your http_upload server?
Sure, you might not want to allow the man in the middle to intercept your users' uploads.
tom
but is there any reason to make https mandatory instead of optional?
tom
having https as an option mitigates that, but as a cdn, is it not good to allow plaintext access as well?
Holger
The upload extension doesn't support offering more than a single URL.
Holger
So you can't offer the client to choose between HTTP and HTTPS.
tom
true, but clients (not uploaders) downloading static content can override the https to do http
Holger
Just blindly try HTTP and retry via TLS if that fails?
Holger
If people wanted this behavior it would make more sense to extend the spec accordingly. But I doubt you'll convince people in these HTTPS-everywhere times.
Licaon_Kter
tom: what's the use case for non-HTTPS?
tom
well, for static content that's not confidential
tom
for private conversations OMEMO would encrypt anyways
tom
http is less overhead and can be easily cached my client-side proxies like squid or polipo
tom
*by
tom
also, when I do TLS I set it up right. so that means blacklisting all insecure ciphersuites
tom
which realistically only allows chacha20 and AESG
tom
the worst thing I want to do is provide a false sense of security. where if you turn on https and I want to be secure, but if you use http on purpose you don't have the illusion of security
tom
*AESGCM
tom
older clients may not be able to speak TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384
Holger
All other ciphersuites are "insecure", sure.
tom
give or take a few cipher modulo and hash length 128/256/384
jonas’
that’s not even TLSv1.3
tom
what about tls 1.3?
Holger
I'm convinced it makes sense to break interop (i.e. better don't get the cat pic at all than to take the risk) by not offering ciphers such as, say, AES-128-CBC-SHA once someone shows how exactly to break it.
tom
never mind
tom
I'm not asking about my cipherlist
Holger
tom: Sure, you're just making the point that you need HTTP for interop because you can't offer HTTPS except with a super-restrictive cipherlist because anything else would impose a false sense of security 🙂
tom
well not exactly. I don't /need/ plaintext access I'm just wondering if there should be any plaintext access
tom
no clients have problems with my restrictive cipherlist that I know of
pep.
Let's just use http everywhere because TLS is not perfect anyway and it provides a false sense of security :)
jonas’
that’s the usual symptom of restrictive cipher lists
Holger
tom: Well many have. But whatever. I do see your points about overhead and proxies. I just doubt you'll convince people.
jonas’
I didn’t notice that I lost connectivity to jabber.ru due to TLS foo until someone pointed it out out-of-band
pep.
Also tom it'd be great if you stopped taking over this channel for every single topic you want to talk about. Please
> I do see your points about overhead and proxies. I just doubt you'll convince people.
I'm not worried about convincing people, I'm just wondering if there is any other scenario besides the proxy example
pep.
jonas’: it started with gajim and jingle
jonas’
I didn’t scroll up that far
tom
> pep.: Also tom it'd be great if you stopped taking over this channel for every single topic you want to talk about. Please
this channel is idle 90% of the time. If anybody else has a topic they'd like to talk about nothing's stopping them from bringing it up
pep.
It's idle 90% of the time so what. Let's all have a single channel with every xmpp users so that it's not idle at all?
Holger
tom: That's the usual response of people being asked to stay on topic. The problem is not everybody joined here is interested in having his phone beeping when it's about Jingle for Gajim. I'm not, for one.
tom
maybe the gajim conversation was a bit off-topic
Holger
(Personally I *am* somewhat interested in Gajim and Jingle, but I joined this room with the phone to be notified of actual operators stuff quickly; while I'm joined to the Gajim room only on my desktop. Just to give an example.)
tom
sure
pep.
tom: fwiw, join the gajim room and talk about what you want to do re UI, and the codebase in there. The current maintainer has done a huge amount of work cleaning it up, there are probably parts you can merge in your potential 0.16 fork if it happens