XMPP Service Operators - 2021-05-19

  1. rob

    Bosh and websocket now available

  2. rob

    But no authorized domains yet or alt connect info via well known, after dinner 🤓

  3. tom

    That's only really needed for things like conversejs

  4. tom

    Unless, is it possible to specify an i2p or onion address in an alt-connect method?

  5. rob

    Not sure, but I wanted to let people use mov.im or whatever if they want.

  6. rob

    I'll maybe add converse.js on the domain for convenience too

  7. thndrbvr

    There's also https://jsxc.org

  8. rob

    I think Converse was just easier as it has a module, also supports more features I think

  9. rob

    Also mov.im seems to work fine without cors so maybe it doesn't require bosh or websockets

  10. rob


  11. rob

    Nice, works well. Oh I have to allow all cors domains for the C compliance thing to pass

  12. tom

    Don't do that

  13. tom

    Cors is a good security protection

  14. tom

    Just allow the domain exception you need

  15. tom

    Oh, but if you want it completely open, I guess

  16. rob

    I don't really, I was thinking just a few public web clients. I just didn't realize the compliance suite wants it wide open

  17. moparisthebest

    24ish hours until I release the tool that can crash prosody's that haven't mitigated https://prosody.im/security/advisory_20210512/ if you haven't done so, please do it now

  18. tom

    moparisthebest: I don't think much will happen

  19. tom

    The 1 billion laughs attack has been around for quite a while

  20. tom

    As a generic cve

  21. tom

    Not one specifically tied to xmpp, but xml

  22. moparisthebest

    that one doesn't work in XMPP at all, or shouldn't anyway

  23. qrpnxz

    rob, that movim thing is pretty cool! thx for mentioning it

  24. Licaon_Kter

    rob: movim, converse, jsxc....why let your users give to random sites their creds to your host? Host your own...

  25. Licaon_Kter

    MattJ: is docker autoupdating like prosody from distro repos?

  26. arne

    > Licaon_Kter wrote:
    > Host your own...
    Yes, that's really recommended when running your own xmpp server

  27. arne

    > Licaon_Kter wrote:
    > Host your own...
    Yes, that's really recommended, especially when running your own xmpp server

  28. MattJ

    moparisthebest, historically a bunch of servers were susceptible to billion laughs :)

  29. qrpnxz

    should be impossible with the new standard

  30. qrpnxz


  31. MattJ

    Licaon_Kter, no, Snikket doesn't auto-update, but updating is easy and it has update notifications

  32. rob

    > rob: movim, converse, jsxc....why let your users give to random sites their creds to your host?
    > Host your own...
    True, so far it's just self hosted Converse

  33. Araucaria

    Was there an office hours talk yesterday?

  34. Sam


  35. rob

    How do you get a perfect cipher score on xmpp.net? And do I need to care?

  36. jonas’

    no idea, no

  37. jonas’

    it’s old

  38. rob


  39. rob


  40. rob

    I just like everything full, all the green checks or dots or bars etc

  41. arne

    though still you should get 100 for all ?

  42. jonas’

    everyone does

  43. rob

    > though still you should get 100 for all ?
    No I've never had greater than 90 for cipher

  44. rob

    > everyone does
    It's all just a game

  45. arne

    mh I have 100 since very long actually

  46. rob

    Give me achievements lol

  47. rob

    Which server?

  48. arne

    or always. But I set up the ciphers, etc. myself

  49. arne


  50. arne

    > rob wrote:
    > Give me achievements lol
    > Which server?
    you?

  51. Araucaria


  52. arne


  53. jonas’

    rob, you get a 💯 if you don’t blindly follow every check list / achievement score :)

  54. arne

    xmpp is pretty old I think

  55. arne

    xmpp.net is pretty old I think

  56. Licaon_Kter gives rob the "At least they tried" award

  57. Araucaria

    Wasn't xmpp.net hijacked somewhere along the line?

  58. Araucaria

    Or was that another xmpp checker site?

  59. jonas’

    I don’t know of any hijacking

  60. MattJ

    xmpp.net wasn't, though it was down for a while due to a server failure

  61. arne

    are there any new tests?

  62. jonas’

    I have something in the pipeline, but also lots of other stuff :)

  63. arne


  64. rob

    > 🏅
    Thank you, thank you. First I want to thank my dog, for always supporting me

  65. Martin

    > are there any new tests?
    cryptcheck.fr

  66. Araucaria

    That server has its time wrong

  67. Araucaria

    2 years off?

  68. Menel

    You just don't get 100 if you allow less than aes256. But it's just CPU waste and aes128 is totally ok. I don't desire 100%

  69. rob

    > cryptcheck.fr
    I got an E

  70. Menel

    That one doesn't like DH, even if it's a very strong one, I don't know of any security issue with that

  71. rob

    Ah well, my server works so w/e 🤓

  72. thndrbvr

    IRC but seems important. Freenode being taken over, volunteer staff moving & forming Libera.Chat (why it isn't XMPP this time I'm not sure.) https://lwn.net/Articles/856543/

  73. Sam

    It's supposed to be a straight up move. Users should be able to just change a server name in their config and keep using it exactly like they were, it wouldn't make much sense to learn to setup a whole new thing like XMPP.

  74. MattJ

    Switching to IRC at the same time as a domain change would simply reduce the migrating channel count

  75. Sam

    What Matt said.

  76. thndrbvr

    Eh, true. Maybe they should just set up bridges.

  77. MattJ

    Re. XMPP alternatives, https://cheogram.com/freedomware-muc/ is an offer that deserves some publicity

  78. Sam

    oh cool, they really don't advertise well because even as a user I keep finding new cool projects they maintain

  79. moparisthebest

    the rule is, if it's something cool you might want, cheogram probably hosts it

  80. Ge0rG

    A MUC hosted free of charge. This is revolutionary!

  81. moparisthebest

    at your own domain, what else offers that ?

  82. Ge0rG

    ah yeah, that's a good point

  83. Sam

    Yah, I might take them up on that if they can provide a way to delegate from an apex domain… the Mellium server is not great.

  84. rob

    With a bridge too

  85. moparisthebest

    they do, it's CNAME

  86. Sam

    cname can't be set on an apex domain

  87. moparisthebest

    > First, create the subdomain you will use (e.g. conference.myproject.tld) and set a CNAME to freedomware-muc.cheogram.com (your chatrooms will have addresses like discuss@conference.myproject.tld).

  88. moparisthebest

    oh, you said apex domain.... sorry I missed that part

  89. [czar]

    What are apex domains?

  90. moparisthebest

    well a SRV would work but they can't get a valid cert then...

  91. moparisthebest

    [czar], ie bob.com is an apex domain while something.bob.com is not

  92. [czar]

    Ah thanks

  93. Frank

    Aplex is 28 points in Scrabble btw.