lol. so i was looking at https://xmpp.net "IM Observatory". it says it's unmaintained. is there a replacement?
smooth_operator
disheartening to see (in the last 30 days):
- 40% of servers support TLS 1.0
- only 65% require TLS for s2s
moparisthebest
yes but I've been forbidden from sharing the URL because it's not yet ready :D
moparisthebest
I wouldn't trust any of those stats, iirc it can't even handshake with modern TLS servers
smooth_operator
yeah i did see tls 1.2 is its limit
smooth_operator
cool well can you hurry it up ;)
smooth_operator
the replacement?
Menel
In reality, my server connects to every server via tls1.3 and all have valid certs.
Except maybe two with tls1.2
smooth_operator
i see the same so far. but downgrade attacks are probably a thing
moparisthebest
shouldn't be, that was mitigated maybe a decade ago at this point
smooth_operator
like preventing a server from doing tls 1.2 and making it fallback to 1.0, stuff like that is possible right?
smooth_operator
assuming the servers haven't explicitly disabled <tls1.2
Menel
But we have
moparisthebest
nope that shouldn't be possible since about a decade ago
Menel
It's the Prosody default
moparisthebest
I think it dates from the POODLE days https://crashtest-security.com/enable-tls-fallback-scsv/
moparisthebest
ok openssl added support in 2014 so 8 years not 10 sue me :D https://www.openssl.org/news/secadv/20141015.txt
MattJ
https://blog.prosody.im/prosody-0-9-6-released/
MattJ
Yes, 2014 :)
smooth_operator
hmm maybe i'm stuck in the 2010s
smooth_operator
the 35% of servers that don't require TLS over s2s still means encryption isn't as ubiquitous. i don't see why an op wouldn't want it
smooth_operator
(35% of servers tested by xmpp.net over the past 30 days)
moparisthebest
But I think that's wrong, it's broken so it can only talk to servers without encryption or with very old encryption
Menel
Maybe fallback? As long as your server requires encryption, it will never be a problem for you
moparisthebest
So it can't talk with most of the network which is very secure
moparisthebest
Yea my server has required TLS everywhere since probably 2014 and I've never met a server I couldn't talk to, except Gmail back then, but that's gone
smooth_operator
oh okay, if those stats are wrong, it would be invalid to draw conclusions, so i retract
smooth_operator
when i first got my server up (on 0.11), i thought it supported tls 1.0. then i upgraded to 0.12 and set the profile to modern, which restricts to tls 1.3 only
smooth_operator
(0.11 / 0.12 prosody)
smooth_operator
tools like the observatory, ssllabs, etc are good to verify. otherwise some researcher will find a bug and act like they are able to compromise the whole network
Menel
You can use ssllabs if you enable direct TLS on port 443.
And test your server..
Or just do it yourself, better, with testssl.sh
smooth_operator
yeah i get that, but i don't wanna only help myself
Menel
Others are helped by the default config of ejabberd and prosody.
And if one messes around with it, one should be able to check it too
smooth_operator
right. so let's make the default TLS_CHACHA20_POLY1305_SHA256, Ed25519 certs, X25519, and we can go home early today? ;)
Menel
Minus chacha that is my default
moparisthebest
keep in mind some run ~~lesser~~stable distros that won't have those things for *years*
moparisthebest
it's best to stick with mozilla TLS recommendations which are good and improve with time
smooth_operator
shoulda used arch
Menel
But I want to do s2s even with tls1.2 only servers.
It's secure enough.
(Otherwise you put omemo on top anyways)
Menel
And who knows if curves are more secure than rsa 4096 certs?
Quantum secure etc. (Just for your angst) 😀
Licaon_Kter
Ecdscadsa12345
jonas’
for testing, you can also use https://xmpp.net/preview/. should be slightly better than the plain one, but not as polished yet
Licaon_Kter
testssl.sh can cope with xmpp iirc
moparisthebest
jonas’, possible that should just be made the default regardless, those unencrypted+tls 1.0 stats are pretty scary if you don't realize the reason
jonas’
Licaon_Kter: testssl.sh is the backend to the new xmpp.net thing
Menel
Nice, minus the old _xmppconnect
Licaon_Kter
jonas’: oooj
smooth_operator
jonas’: cool thanks!
smooth_operator
just wondering: is there like a security standards group in the xmpp community?
jonas’
not sure if there's anything dedicated to that, but the standards mailing list is sufficiently low-traffic that that would be a sensible place to discuss such topics
smooth_operator
cool i'll look that up
raver
> for testing, you can also use https://xmpp.net/preview/. should be slightly better than the plain one, but not as polished yet
Nice, what's that new `_xmppconnect TXT records` for? Any advice how to setup for ejabberd available?
Menel
raver: no, it's for nothing and to be removed.
raver
Menel: thx🙂✌️
Menel
https://xmpp.org/extensions/xep-0156.html
> A previous version of this XEP defined a DNS method to look up this info using a TXT _xmppconnect record, this was insecure and has been removed.
Menel
We can re-add it in the world where dnssec is mandatory I suppose?
raver
Menel, do you know why the altconnect endpoints result in an error, although I'm successfully using bosh/websocket with converse.js?
raver
Menel, https://xmpp.net/preview/scan/result/72
Menel
No, can only say it's a preview.
If you can connect from https://m.conversejs.org/
To *your* server, then it works in reality
Menel
Your selfhosted conversejs likely doesn't count, since you entered the endpoint in the config yourself
Licaon_Kter
Menel: iirc it should autodetect if you don't mention it
raver
Menel, yep works
raver
Menel, but with some errors: WebSocket connection to 'wss://xmpp.rimkus.it:46786/ws' failed: Data frame received after close
raver
ah I see the error in the chat window of this muc
raver
Test from Converse.js official
kuba_
hahahahaha
kuba_
sorry for the offtopic, but i was referring to one person from my IRL as raver-menel :D