Echo1seantodd: chat.seantodd.co.uk is running Prosody version trunk nightly build 1158 (2019-10-20, cb9755d7a36e) on Linux
seantodd@contact chat.seantodd.co.uk
WebPigeonhas joined
seantoddHmm, does the bot have a command for pulling contact details? I'm just trying to make sure my server is user-friendly before pushing it to wider people.
404.city Ge0rG, yaxIM don't support. All other support ✏
404.cityhas left
perflystGe0rG: when dane in yaxim? :)
i saw recently that aTalk supports it
WebPigeonhas joined
perflysthas left
perflysthas joined
Licaon_Kterperflyst: if we go by what atalk supports yaxim/conversations/xabber should just close and go home
Yet...
krishas left
krishas joined
perflystnah, aTalk has 99% features but bad UI
WebPigeonhas left
404.cityhas joined
stpeterhas left
kmqhas joined
Licaon_Kter_I've got 99 features but a user ain't one_
krishas left
krishas joined
WebPigeonhas joined
madmalkavhas joined
dropshas left
krishas left
krishas joined
Ge0rG404.city: you mean yax.im the server, not yaxim the client, right?
Ge0rGperflyst: DANE? Needs to come from Smack.
krishas left
krishas joined
dropshas joined
404.cityGe0rG, I mean the client YaxIM, not the server yax.im
Ge0rG404.city: the client is yaxim, all lowercase ;)
Ge0rG404.city: so you tell me yaxim won't connect to a server with an ECDSA cert? Do you have an error message?
jayteeukhas left
jayteeukhas joined
jayteeukhas left
jayteeukhas joined
404.cityGe0rG, I have no other information, except that the yaxim client does not connect to 404.city. The most likely reason is an ECC certificate
Ge0rG404.city: thanks for reporting it. I'll investigate.
Ge0rGHowever, yaxim is not doing anything special, so it is probably heavily dependent on the Android version.
404.cityGe0rG, Is Google's quantum computer hacking RSA?
Ge0rG404.city: NSA has hacked DSA
sezuanhas joined
404.cityhas left
Ge0rG404.city: I've just logged in from yaxim to 404.city
Ge0rGthe only thing that doesn't work is MUC search, because it needs s2s to yax.im
404.cityhas joined
WebPigeonhas left
madmalkavhas left
madmalkavhas joined
chronosx88has joined
404.cityGe0rG, I love when mistakes disappear, without any action
Ge0rG404.city: I hate it. Because they don't really disappear, they will come back later and bite you
Ge0rG404.city: I'll probably reconsider the deactivation of ECDSA handshakes on yax.im, which will then restore direct connectivity to 404.city
sonnyhas left
Licaon_KterWasn't ECDSA using some messed up primes or smth?
kmqhas left
404.cityLicaon_Kter, Yes, they used to. RSA also uses. Lets Encrypt also followed NSA orders.
Licaon_KterU trolling now or just fud as usual?
404.cityIf we talk about protecting the CA from the NSA, then it is complete crap, but this complete crap works well against third countries.
WebPigeonhas joined
404.cityLicaon_Kter, No, this is not trolling. There are facts exist.
404.cityExample: https://xmpp.net/result.php?domain=yax.im&type=server ECDHE-RSA . What a mess, this is an ECC certificate))
Chobbeshas left
404.cityI did not find evidence with Lets Encrypt, but very often there are rumors that Lets issued fake certificates for hacking Arabs.
Ge0rGLicaon_Kter: ECDSA is technically flawed, because it's neigh impossible to implement correctly
Ge0rGhttps://minerva.crocs.fi.muni.cz/ is the last one in a series of practical attacks against ECDSA
Ge0rGthe most embarassing one, however, is this: https://medium.com/asecuritysite-when-bob-met-alice/not-playing-randomly-the-sony-ps3-and-bitcoin-crypto-hacks-c1fe92bea9bc
404.cityGe0rG, In practice, you can implement an attack on any certificate if you are CA
Ge0rG404.city: that's wrong. You can implement an attack on any *domain* if you are a CA
Ge0rG404.city: however, with Certificate Transparency and HSTS it's getting increasingly harder.
andrey.utkinhas left
andrey.utkinhas joined
WebPigeonhas left
WebPigeonhas joined
rom1dephas left
404.cityCA centers are completely subordinate to the governments of the countries where their location. RSA and ECC certificates are equally unreliable against CA attacks. Recently, there has been a massive transition to ECC certificates, because they are more resistant to cracking by quantum computers. RSA has a maximum bit rate of 4096 bit. 512 bit ECC equivalent to 16,000 bit RSA
WebPigeonhas left
perflyst404.city: so everyone should self sign again?
perflystif you dont like CAs as you think they are gov spy companies, what about your manifesto to distrust everyone else https://github.com/E-404/Manifestos/blob/master/1.md ?
ackerman1scotthas joined
Ge0rG404.city: what you have said has nothing to do what I asked about.
404.city>perflyst: 404.city: so everyone should self sign again?
To solve these problems, there is e2e encryption
Ge0rGI'm still interested in knowing which clients I'll cut off by switching from an RSA cert to ECDSA
Ge0rGapparently, Android 4.1 is required for ECDSA support
Ge0rGBut I'm sure there are others that will get cut off
WebPigeonhas joined
404.city>perflyst: if you dont like CAs as you think they are gov spy companies, what about your manifesto to distrust everyone else
Self-signed certificates are the worst option. Self-signed certificates, this is a complete lack of encryption. There is not always a choice between the best and the worst. Sometimes there is a choice between bad and very bad.
CAs protect against hacking from third countries where CA is not located. Self-Signing Won't Protect From Public Wi-Fi
Ge0rGSigh.
perflysthas left
perflysthas joined
404.cityGe0rG: Most client and servers support ECC. The transition is invisible to most users
Martinhas left
404.cityGe0rG, Your server has many users with a yaxim client, so you should pay attention only to this client
Link Mauve404.city, I remember when some Ejabberd admins switched to ECC certificates, it broke s2s with my servers.
Link MauveThis has probably been fixed since then, but not everyone updates as quickly.
WebPigeonhas left
WebPigeonhas joined
Ge0rGLink Mauve: do you have s2s to 404.city?
Link MauveYes.
Link MauveI’m talking about multiple years ago.
Ge0rG404.city [19:08]:
> Ge0rG, Your server has many users with a yaxim client, so you should pay attention only to this client
Yes, it's a great idea to ignore all users not running a certain unpopular implementation.
404.cityLink Mauve, Some administrators manually list ciphers and forget to mention RSA when using ECC and vice versa.
I encountered the same problem when using RSA. However, I was persuaded to switch to ECC. The reason is that supposedly CA will soon switch to ECC, which makes the long-term use of RSA meaningless.
Link MauveGe0rG, but there are still people starting to run Prosody 0.9.7 today, with an equally outdated software stack.
Ge0rGLink Mauve: ITYM Debian
Link MauveYou read my mind!
muppethhas left
gavhas left
ackerman1scotthas left
404.cityGe0rG, Possible problems may occur with users with Windows XP
Ge0rG404.city: do you have a list of clients that do / don't support ECDSA? Did you see a change in numbers when you switched?
gavhas joined
404.cityGe0rG, I did not notice any changes in the number of connections, but it is worth noting that 404.city b did not allow users with Windows XP to connect before.
muppethhas joined
Ge0rGDoes XP support TLS 1+?
404.cityGe0rG, Only user with yaxim and UWPX reported connection problems. Currently there are user connections with new version UXPX.
Ge0rG404.city: do you still have contact to the yaxim user? I'd appreciate a bug report.
404.cityGe0rG, I don’t know, but a lot of people (10%) fell off after receiving a 100% RSA certificate at xmpp.net They all reported that they have Windows XP
Chobbeshas joined
404.cityGe0rG, I don’t remember who this man was. It was a long time ago.I will forward the yaxim errors to you.
Ge0rGhttps://blog.intothesymmetry.com/2019/08/side-channel-timing-attacks-against.html it'll never stop