XMPP Service Operators - 2019-10-25


  1. seantodd

    @version chat.seantodd.co.uk

  2. Echo1

    seantodd: chat.seantodd.co.uk is running Prosody version trunk nightly build 1158 (2019-10-20, cb9755d7a36e) on Linux

  3. seantodd

    @contact chat.seantodd.co.uk

  4. seantodd

    Hmm, does the bot have a command for pulling contact details? I'm just trying to make sure my server is user-friendly before pushing it to wider people.

  5. jonas’

    07:42:52 jonas’> !contact chat.seantodd.co.uk
    07:42:55 foorl> jonas’: contact for chat.seantodd.co.uk: abuse: <mailto:abuse@seantodd.co.uk>, <xmpp:seantodd@chat.seantodd.co.uk> admin: <mailto:admin@seantodd.co.uk>, <xmpp:seantodd@chat.seantodd.co.uk> support: <mailto:support@seantodd.co.uk>, <xmpp:seantodd@chat.seantodd.co.uk>

  6. jonas’

    sgtm

  7. jonas’

    make sure you can receive messages from strangers on seantodd@chat.seantodd.co.uk

  8. Link Mauve

    seantodd, also, any reason you use this chat. subdomain? It might be nicer to have both your email and your XMPP addresses match.

  9. seantodd

    I believe I can! It's set in my client.

  10. seantodd

    And Link, it's a legacy domain. I'm looking to migrate soon-ish.

  11. Link Mauve

    Ok.

  12. seantodd

    Thanks for the assistance though peeps!

  13. jonas’

    seantodd, migrating is a pain in the a**

  14. jonas’

    you want to do this as early as possible

  15. seantodd

    jonas’: agreed. I'm considering just burning and reinitialising my entire chat stack. It'll give me chance to re-do my DNS entries too.

  16. seantodd

    jonas’: there aren't enough users to require a migration right now.

  17. Ge0rG

    Is there any info on which XMPP clients do/don't support ECDSA server certs?

  18. 404.city

    Ge0rG, yaxIM

  19. 404.city

    Ge0rG, yaxIM doesn't support it. All others support it

  20. perflyst

    Ge0rG: when dane in yaxim? :) i saw recently that aTalk supports it

  21. Licaon_Kter

    perflyst: if we go by what atalk supports yaxim/conversations/xabber should just close and go home Yet...

  22. perflyst

    nah, aTalk has 99% features but bad UI

  23. Licaon_Kter

    _I've got 99 features but a user ain't one_

  24. Ge0rG

    404.city: you mean yax.im the server, not yaxim the client, right?

  25. Ge0rG

    perflyst: DANE? Needs to come from Smack.

  26. 404.city

    Ge0rG, I mean the client YaxIM, not the server yax.im

  27. Ge0rG

    404.city: the client is yaxim, all lowercase ;)

  28. Ge0rG

    404.city: so you tell me yaxim won't connect to a server with an ECDSA cert? Do you have an error message?

  29. 404.city

    Ge0rG, I have no other information, except that the yaxim client does not connect to 404.city. The most likely reason is an ECC certificate

  30. Ge0rG

    404.city: thanks for reporting it. I'll investigate.

  31. Ge0rG

    However, yaxim is not doing anything special, so it is probably heavily dependent on the Android version.

  32. 404.city

    Ge0rG, Is Google's quantum computer hacking RSA?

  33. Ge0rG

    404.city: NSA has hacked DSA

  34. Ge0rG

    404.city: I've just logged in from yaxim to 404.city

  35. Ge0rG

    the only thing that doesn't work is MUC search, because it needs s2s to yax.im

  36. 404.city

    Ge0rG, I love when mistakes disappear, without any action

  37. Ge0rG

    404.city: I hate it. Because they don't really disappear, they will come back later and bite you

  38. Ge0rG

    404.city: I'll probably reconsider the deactivation of ECDSA handshakes on yax.im, which will then restore direct connectivity to 404.city

  39. Licaon_Kter

    Wasn't ECDSA using some messed up primes or smth?

  40. 404.city

    Licaon_Kter, Yes, they used to. RSA also uses them. Let's Encrypt also followed NSA orders.

  41. Licaon_Kter

    U trolling now or just fud as usual?

  42. 404.city

    If we talk about protecting the CA from the NSA, then it is complete crap, but this complete crap works well against third countries.

  43. 404.city

    Licaon_Kter, No, this is not trolling. There are facts.

  44. 404.city

    Example: https://xmpp.net/result.php?domain=yax.im&type=server ECDHE-RSA . What a mess, this is an ECC certificate))

  45. 404.city

    I did not find evidence with Let's Encrypt, but very often there are rumors that Let's Encrypt issued fake certificates for hacking Arabs.

  46. Ge0rG

    Licaon_Kter: ECDSA is technically flawed, because it's nigh impossible to implement correctly

  47. Ge0rG

    https://minerva.crocs.fi.muni.cz/ is the last one in a series of practical attacks against ECDSA

  48. Ge0rG

    the most embarrassing one, however, is this: https://medium.com/asecuritysite-when-bob-met-alice/not-playing-randomly-the-sony-ps3-and-bitcoin-crypto-hacks-c1fe92bea9bc

  49. 404.city

    Ge0rG, In practice, you can implement an attack on any certificate if you are CA

  50. Ge0rG

    404.city: that's wrong. You can implement an attack on any *domain* if you are a CA

  51. Ge0rG

    404.city: however, with Certificate Transparency and HSTS it's getting increasingly harder.

  52. 404.city

    CA centers are completely subordinate to the governments of the countries where they are located. RSA and ECC certificates are equally unreliable against CA attacks. Recently, there has been a massive transition to ECC certificates, because they are more resistant to cracking by quantum computers. RSA has a maximum bit rate of 4096 bit. 512 bit ECC is equivalent to 16,000 bit RSA

  53. perflyst

    404.city: so everyone should self sign again?

  54. perflyst

    if you don't like CAs as you think they are gov spy companies, what about your manifesto to distrust everyone else https://github.com/E-404/Manifestos/blob/master/1.md ?

  55. Ge0rG

    404.city: what you have said has nothing to do with what I asked about.

  56. 404.city

    > perflyst: 404.city: so everyone should self sign again?

    To solve these problems, there is e2e encryption

  57. Ge0rG

    I'm still interested in knowing which clients I'll cut off by switching from an RSA cert to ECDSA

  58. Ge0rG

    apparently, Android 4.1 is required for ECDSA support

  59. Ge0rG

    But I'm sure there are others that will get cut off

  60. 404.city

    > perflyst: if you don't like CAs as you think they are gov spy companies, what about your manifesto to distrust everyone else

    Self-signed certificates are the worst option. Self-signed certificates, this is a complete lack of encryption. There is not always a choice between the best and the worst. Sometimes there is a choice between bad and very bad. CAs protect against hacking from third countries where CA is not located. Self-Signing Won't Protect From Public Wi-Fi

  61. Ge0rG

    Sigh.

  62. 404.city

    Ge0rG: Most clients and servers support ECC. The transition is invisible to most users

  63. 404.city

    Ge0rG, Your server has many users with a yaxim client, so you should pay attention only to this client

  64. Link Mauve

    404.city, I remember when some Ejabberd admins switched to ECC certificates, it broke s2s with my servers.

  65. Link Mauve

    This has probably been fixed since then, but not everyone updates as quickly.

  66. Ge0rG

    Link Mauve: do you have s2s to 404.city?

  67. Link Mauve

    Yes.

  68. Link Mauve

    I’m talking about multiple years ago.

  69. Ge0rG

    404.city [19:08]:
    > Ge0rG, Your server has many users with a yaxim client, so you should pay attention only to this client

    Yes, it's a great idea to ignore all users not running a certain unpopular implementation.

  70. 404.city

    Link Mauve, Some administrators manually list ciphers and forget to mention RSA when using ECC and vice versa. I encountered the same problem when using RSA. However, I was persuaded to switch to ECC. The reason is that supposedly CA will soon switch to ECC, which makes the long-term use of RSA meaningless.

  71. Link Mauve

    Ge0rG, but there are still people starting to run Prosody 0.9.7 today, with an equally outdated software stack.

  72. Ge0rG

    Link Mauve: ITYM Debian

  73. Link Mauve

    You read my mind!

  74. 404.city

    Ge0rG, Possible problems may occur with users with Windows XP

  75. Ge0rG

    404.city: do you have a list of clients that do / don't support ECDSA? Did you see a change in numbers when you switched?

  76. 404.city

    Ge0rG, I did not notice any changes in the number of connections, but it is worth noting that 404.city did not allow users with Windows XP to connect before.

  77. Ge0rG

    Does XP support TLS 1+?

  78. 404.city

    Ge0rG, Only users with yaxim and UWPX reported connection problems. Currently there are user connections with the new version of UWPX.

  79. Ge0rG

    404.city: do you still have contact to the yaxim user? I'd appreciate a bug report.

  80. 404.city

    Ge0rG, I don’t know, but a lot of people (10%) fell off after receiving a 100% RSA certificate at xmpp.net. They all reported that they have Windows XP

  81. 404.city

    Ge0rG, I don’t remember who this man was. It was a long time ago. I will forward the yaxim errors to you.

  82. Ge0rG

    https://blog.intothesymmetry.com/2019/08/side-channel-timing-attacks-against.html it'll never stop

  83. Ge0rG

    404.city: thanks!