XMPP Service Operators - 2022-05-27


  1. smooth_operator

    i use arch btw so of course i have bidi on!

  2. Licaon_Kter

    smooth_operator:
    > i use arch btw
    Be gone daemon!!!!!

  3. smooth_operator

    your loss ;)

  4. moparisthebest

    smooth_operator: https://www.moparisthebest.com/images/i-only-use-arch-linux.png

  5. smooth_operator

    lol. so i was looking at https://xmpp.net "IM Observatory". it says it's unmaintained. is there a replacement?

  6. smooth_operator

    disheartening to see (in the last 30 days): - 40% of servers support TLS 1.0 - only 65% require TLS for s2s

  7. moparisthebest

    yes but I've been forbidden from sharing the URL because it's not yet ready :D

  8. moparisthebest

    I wouldn't trust any of those stats, iirc it can't even handshake with modern TLS servers

  9. smooth_operator

    yeah i did see tls 1.2 is its limit

  10. smooth_operator

    cool well can you hurry it up ;)

  11. smooth_operator

    the replacement?

  12. Menel

    In reality, my server connects to every server via tls1.3 and all have valid certs. Except maybe two with tls1.2

  13. smooth_operator

    i see the same so far. but downgrade attacks are probably a thing

  14. moparisthebest

    shouldn't be, that was mitigated maybe a decade ago at this point

  15. smooth_operator

    like preventing a server from doing tls 1.2 and making it fallback to 1.0, stuff like that is possible right?

  16. smooth_operator

    assuming the servers haven't explicitly disabled <tls1.2

  17. Menel

    But we have

  18. moparisthebest

    nope that shouldn't be possible since about a decade ago

  19. Menel

    It's the Prosody default

  20. moparisthebest

    I think it dates from the POODLE days https://crashtest-security.com/enable-tls-fallback-scsv/

  21. moparisthebest

    ok openssl added support in 2014 so 8 years not 10 sue me :D https://www.openssl.org/news/secadv/20141015.txt

  22. MattJ

    https://blog.prosody.im/prosody-0-9-6-released/

  23. MattJ

    Yes, 2014 :)

  24. smooth_operator

    hmm maybe i'm stuck in the 2010s

  25. smooth_operator

    the 35% of servers that don't require TLS over s2s still means encryption isn't as ubiquitous. i don't see why an op wouldn't want it

  26. smooth_operator

    (35% of servers tested by xmpp.net over the past 30 days)

  27. moparisthebest

    But I think that's wrong, it's broken so it can only talk to servers without encryption or with very old encryption

  28. Menel

    Maybe fallback? As long as your server requires encryption it will never be a problem for you

  29. moparisthebest

    So it can't talk with most of the network which is very secure

  30. moparisthebest

    Yea my server has required TLS everywhere since probably 2014 and I've never met a server I couldn't talk to, except Gmail back then, but that's gone

  31. smooth_operator

    oh okay, if those stats are wrong, it would be invalid to draw conclusions, so i retract

  32. smooth_operator

    when i first got my server up (on 0.11), i thought it supported tls 1.0. then i upgraded to 0.12 and set the profile to modern, which restricts to tls 1.3 only

  33. smooth_operator

    (0.11 / 0.12 prosody)

  34. smooth_operator

    tools like the observatory, ssllabs, etc are good to verify. otherwise some researcher will find a bug and act like they are able to compromise the whole network

  35. Menel

    You can use ssllabs if you enable direct TLS on port 443. And test your server. Or just do it yourself better with testssl.sh

  36. smooth_operator

    yeah i get that, but i don't wanna only help myself

  37. Menel

    Others are helped by the default config of ejabberd and prosody. And if one messes around with it, one should be able to check it too

  38. smooth_operator

    right. so let's make the default TLS_CHACHA20_POLY1305_SHA256, Ed25519 certs, X25519, and we can go home early today? ;)

  39. Menel

    Minus chacha that is my default

  40. moparisthebest

    keep in mind some run ~~lesser~~stable distros that won't have those things for *years*

  41. moparisthebest

    it's best to stick with mozilla TLS recommendations which are good and improve with time

  42. smooth_operator

    shoulda used arch

  43. Menel

    But I want to do s2s even with tls1.2 only servers. It's secure enough. (Otherwise you put omemo on top anyways)

  44. Menel

    And who knows if curves are more secure than rsa 4096 certs? Quantum secure etc. (Just for your angst) 😀

  45. Licaon_Kter

    Ecdscadsa12345

  46. jonas’

    for testing, you can also use https://xmpp.net/preview/. should be slightly better than the plain one, but not as polished yet

  47. Licaon_Kter

    testssl.sh can cope with xmpp iirc

  48. moparisthebest

    jonas’, possible that should just be made the default regardless, those unencrypted+tls 1.0 stats are pretty scary if you don't realize the reason

  49. jonas’

    Licaon_Kter: testssl.sh is the backend to the new xmpp.net thing

  50. Menel

    Nice, minus the old _xmppconnect

  51. Licaon_Kter

    jonas’: oooj

  52. smooth_operator

    jonas’: cool thanks!

  53. smooth_operator

    just wondering: is there like a security standards group in the xmpp community?

  54. jonas’

    not sure if there's anything dedicated to that, but the standards mailing list is sufficiently low-traffic that that would be a sensible place to discuss such topics

  55. smooth_operator

    cool i'll look that up

  56. raver

    > for testing, you can also use https://xmpp.net/preview/. should be slightly better than the plain one, but not as polished yet
    Nice, what's that new `_xmppconnect TXT records` for? Any advice how to setup for ejabberd available?

  57. Menel

    raver: no, it's for nothing and to be removed.

  58. raver

    Menel: thx🙂✌️

  59. Menel

    https://xmpp.org/extensions/xep-0156.html
    > A previous version of this XEP defined a DNS method to look up this info using a TXT _xmppconnect record, this was insecure and has been removed.

  60. Menel

    We can re-add it in the world where dnssec is mandatory I suppose?

  61. raver

    Menel, do you know why the altconnect endpoints result in an error, although I'm successfully using bosh/websocket with converse.js?

  62. raver

    Menel, https://xmpp.net/preview/scan/result/72

  63. Menel

    No, can only say it's a preview. If you can connect from https://m.conversejs.org/ to *your* server, then it works in reality

  64. Menel

    Your selfhosted conversejs likely doesn't count, since you entered the endpoint in the config yourself

  65. Licaon_Kter

    Menel: iirc it should autodetect if you don't mention it

  66. raver

    Menel, yep works

  67. raver

    Menel, but with some errors: WebSocket connection to 'wss://xmpp.rimkus.it:46786/ws' failed: Data frame received after close

  68. raver

    ah I see the error in the chat window of this muc

  69. raver

    Test from Converse.js official

  70. kuba_

    hahahahaha

  71. kuba_

    sorry for the offtop but i was referring to one person from my IRL as raver-menel :D

  72. kuba_

    just yesterday