XMPP Service Operators - 2021-05-19

Bosh and websocket now available

But no authorized domains yet or alt connect info via well known, after dinner 🤓

That's only really needed for things like conversejs

Unless, is it possible to specify an i2p or onion address in a alt-connect method?

Not sure, but I wanted to let people use mov.im or whatever if they want.

I'll maybe add converse.js on the domain for convenience too

There's also https://jsxc.org

I think Converse was just easier as it has a module, also supports more features I think

Also mov.im seems to work fine without cors so maybe it doesn't require bosh or websockets

Brb

Nice, works well. Oh I have to allow all cors domains for the C compliance thing to pass

Don't do that

Cors is a good security protection

Just allow the domain exception you need

Oh, but if you want it completely open, i guess

I don't really, I was thinking just a few public web clients. I just didn't realize the compliance suite wants it wide open

24ish hours until I release the tool that can crash prosody's that haven't mitigated https://prosody.im/security/advisory_20210512/ if you haven't done so, please do it now

moparisthebest: i don't think much will happen

The 1 billion laughs attack has been around for quite a while

As a generic cve

Not one specificly tied to xmpp, but xml

that one doesn't work in XMPP at all, or shouldn't anyway

rob, that movim thing is pretty cool! thx for mentioning it

rob: movim, converse, jsxc....why let your users give to random sites their creds to your host? Host your own...

MattJ: is docker autoupdating like prosody from distro repos?

> Licaon_Kter schrieb: > Host your own... Yes, that's really recommended, especially when running an own xmpp server ✏

moparisthebest, historically a bunch of servers were susceptible to billion laughs :)

should be impossible with the new standard

thankfully

Licaon_Kter, no, Snikket doesn't auto-update, but updating is easy and it has update notifications

> rob: movim, converse, jsxc....why let your users give to random sites their creds to your host? > Host your own... True, so far it's just self hosted Converse

Was there an office hours talk yesterday?

no

How do you get a perfect cipher score on xmpp.net? And do I need to care?

no idea, no

it’s old

Haha

Ok

I just like everything full, all the green checks or dots or bars etc

though still you should get 100 for all ?

everyone does

> though still you should get 100 for all ? No I've never had greater than 90 for cipher

> everyone does It's all just a game

mh I have 100 since very long actually

Give me achievements lol

Which server?

or always. But I sat up the ciphers, etc. myself

prosody

> rob schrieb: > Give me achievements lol > Which server? you?

🏅

😅

rob, you get a 💯 if you don’t blindly follow every check list / achievement score :)

xmpp.net is pretty old I think ✏

Wasn't xmpp.net hijacked somewhere along the line?

Or was that another xmpp checker site?

I don’t know of any hijacking

xmpp.net wasn't, though it was down for a while due to a server failure

are there any new tests?

I have something in the pipeline, but also lots of other stuff :)

:D

> 🏅 Thank you, thank you. First I want to thank my dog, for always supporting me

> are there any new tests? cryptcheck.fr

That server has its time wrong

2 years off?

You just don't get 100 if you allow less then aes256.. But its just CPU waste and aes128 is totally ok. I don't desire 100%

> cryptcheck.fr I got an E

That one doesn't like DH, even if its a very strong one, I don't know of any security issue with that

Ah well, my server works so w/e 🤓

IRC but seems important. Freenode being taken over, volunteer staff moving & forming Libera.Chat (why it isn't XMPP this time I'm not sure.) https://lwn.net/Articles/856543/

It's supposed to be a straight up move. Users should be able to just change a server name in their config and keep using it exactly like they were, it wouldn't make much sense to learn to setup a whole new thing like XMPP.

Switching to IRC at the same time as a domain change would simply reduce the migrating channel count

What Matt said.

Eh, true. Maybe they should just set up bridges.

Re. XMPP alternatives, https://cheogram.com/freedomware-muc/ is an offer that deserves some publicity

oh cool, they really don't advertise well because even as a user I keep finding new cool projects they maintain

the rule is, if it's something cool you might want, cheogram probably hosts it

A MUC hosted free of charge. This is revolutionary!

at your own domain, what else offers that ?

ah yeah, that's a good point

Yah, I might take them up on that if they can provide a way to delegate from an apex domain… the Mellium server is not great.

With a bridge too

they do, it's CNAME

cname can't be set on an apex domain

> First, create the subdomain you will use (e.g. conference.myproject.tld) and set a CNAME to freedomware-muc.cheogram.com (your chatrooms will have addresses like discuss@conference.myproject.tld).

oh, you said apex domain.... sorry I missed that part

What are apex domains?

well a SRV would work but they can't get a valid cert then...

[czar], ie bob.com is an apex domain while something.bob.com is not

Ah thanks

Aplex is 28 points in Scrabble btw.