XMPP Service Operators - 2022-02-17


  1. hoesakura

    Hello World

  2. Licaon_Kter

    hoesakura: Hi there. What brings you to this corner of the ecosystem?

  3. hoesakura

    I'd like to know if I can run a xmpp server without a TLS/SSL cert. The idea is to run the server behind a Tor's hidden service.

  4. hoesakura

    So a cert would not be needed nor desirable.

  5. croax

    hoesakura: that would probably hurts lots of XMPP clients which would refuse to connect

  6. croax

    hoesakura: that would probably hurt lots of XMPP clients which would refuse to connect

  7. Licaon_Kter

    hoesakura: you'll still need a cert, albeit a self-signed one.

  8. moparisthebest

    hoesakura, the best thing to do there is at least run a self-signed cert, I plan to push for clients and servers to put in exceptions for .onion domains to just allow any certificate, but that's a big mountain, at the moment none will trust you, and only some have an override button

  9. moparisthebest

    it's already dangerous to put in an exception in your certificate validation code, it's much more dangerous to put in an exception to connecting with TLS

  10. rozzin

    hoesakura: Mmm..., Tor is not providing any replacement for TLS encryption, right? So you're making the *routing* confusing but still allowing for content-inspection?

  11. rozzin

    I'm actually not that familiar with how Tor actually works—does the convoluted routing actually make it *more* that `someone' ends up in a position to see the content of the packets that you're not encrypting, or is there some sort of Tor-provided encryption or something guarding against that?

  12. MattJ

    If you connect to a hidden service (.onion) it's encrypted all the way

  13. MattJ

    What you're missing is that the routing is part of it, but the packet is encrypted multiple times - each hop decrypts one layer that exposes only the info it needs. The next hop decrypts the next layer, until the last one is able to decrypt the original data

  14. rozzin

    Huh. OK, not obvious to me how trust would work there, so I'll add the topic to my reading-list.

  15. moparisthebest

    trust works in that if you are connected to x.onion, you can be assured you are actually securely and fully e2e connected to x.onion

  16. moparisthebest

    so it's the same guarantees as TLS, except no CAs to trust, and also they can't get your IP etc

  17. moparisthebest

    so for c2s and s2s outgoing, there is no problem at all, you can accept any certificate

  18. moparisthebest

    the problem arises with s2s incoming, where you just get a connection you have no idea where it originates from, and it says "here's my totally untrusted cert" and you can't do anything with it, other than dialback :/

  19. rozzin

    Wikipedia has a decent overview, but no details on how the "public keys and introduction points" parts are actually managed / how verification works, beyond "lookup in a distributed hashtable". I guess if you're using those hashes `directly' for addressing then that probably helps a bit. There are enough distinctive words that I should be able to actually resolve a complete explanation some time 😃

  20. rozzin

    moparisthebest: yeah, though it sounds like dialback should actually be sufficient, assuming your server can actually dial back over Tor?

  21. moparisthebest

    yes dialback is completely sufficient, just annoying

  22. rozzin

    moparisthebest: annoying because of the latency, or because of having to set up and administer more components, or what?

  23. rozzin

    I'm in no way set up to be able to interoperate with onion services myself right now—I'm legitimately clueless on this front.

  24. rozzin

    Not even sure if that's something I want or want not.

  25. moparisthebest

    I just mean from both a running-code and server config/operation standpoint it's annoying

  26. moparisthebest

    like, in an ideal world, you don't want dialback at all, instead you want only cert-auth

  27. moparisthebest

    except for outgoing tor where you need dialback and only in that case it gives you cryptographic authentication

  28. moparisthebest

    what server currently supports a setup like that? I think none

  29. rozzin

    But there you go, I guess: downside of "forgo all of the more typical items and just run an onion service" --> you can only talk to other onionheads, not people like me. 😂

  30. rozzin

    If I make my XMPP services onion-friendly, will it help kill off IRC?

  31. moparisthebest

    tl;dr all the building blocks are there to seamlessly interoperate between clearnet and .onion services, and even have clearnet servers' s2s links go over .onion links, which has some nice benefits, but in practice it's a minefield/pita to set up, and really needs kind of a "best practices" xep

  32. Licaon_Kter

    rozzin: > If I make my XMPP services onion-friendly, will it help kill off IRC?
    What's IRC's role in this?

  33. Licaon_Kter

    There's a mod_dark or mod_onion for Prosody iirc

  34. rozzin

    > What's IRC's role in this?
    Annoying me, mainly. Getting people in general to stop caring about it is "payment enough" to convince me to take on additional annoying XMPP admin tasks....

  35. rozzin

    Similar for some other things as well, but IRC bites me personally more often.

  36. Licaon_Kter

    You've spoken as if onion and IRC were related, but you're just ranting :))

  37. rozzin

    Licaon_Kter: eh, I guess 😜️