XMPP Service Operators - 2022-05-27

i use arch btw so of course i have bidi on!

smooth_operator: > i use arch btw Be gone daemon!!!!!

your loss ;)

smooth_operator: https://www.moparisthebest.com/images/i-only-use-arch-linux.png

lol. so i was looking at https://xmpp.net "IM Observatory". it says it's unmaintained. is there a replacement?

disheartening to see (in the last 30 days): - 40% of servers support TLS 1.0 - only 65% require TLS for s2s

yes but I've been forbidden from sharing the URL because it's not yet ready :D

I wouldn't trust any of those stats, iirc it can't even handshake with modern TLS servers

yeah i did see tls 1.2 is its limit

cool well can you hurry it up ;)

the replacement?

In reality, my sever connects to ever server via tls1.3 and all have valid certs. Except maybe two with tls1.2

i see the same so far. but downgrade attacks are probably a thing

shouldn't be, that was mitigated maybe a decade ago at this point

like preventing a server from doing tls 1.2 and making it fallback to 1.0, stuff like that is possible right?

assuming the servers haven't explicitly disable <tls1.2

But we have

nope that shouldn't be possible since about a decade ago

Its Prosody default

I think it dates from the POODLE days https://crashtest-security.com/enable-tls-fallback-scsv/

ok openssl added support in 2014 so 8 years not 10 sue me :D https://www.openssl.org/news/secadv/20141015.txt

https://blog.prosody.im/prosody-0-9-6-released/

Yes, 2014 :)

hmm maybe i'm stuck in the 2010s

the 35% of servers that don't require TLS over s2s still means encryption isn't as ubiquous. i don't see why an op wouldn't want it

(35% of servers tested by xmpp.net over the past 30 days)

But I think that's wrong, it's broken so it can only talk to servers without encryption or with very old encryption

Maybe fallback? As long as your sever requires encryption z it will never be a problem for you

So it can't talk with most of the network which is very secure

Yea my server has required TLS everywhere since probably 2014 and I've never met a server I couldn't talk to, except Gmail back then, but that's gone

oh okay, if those stats are wrong, it would be invalid to draw conclusions, so i retract

when i first got my server up (on 0.11), i thought it supported tls 1.0. then i upgraded to 0.12 and set the profile to modern, which restricts to tls 1.3 only

(0.11 / 0.12 prosody)

tools like the observatory, ssllabs, etc are good to verify. otherwise some researcher will find a bug and act like they are able to compromise the whole network

You can use ssllabs if you enable direct TLS on port 443. And test your sever.. Or just so it yourself better with testssl.sh

yeah i get that, but i don't wanna only help myself

Others is helped with default config of ejabberd and prosody. And if one messes around with it, one should be able to check it too

right. so let's make the default TLS_CHACHA20_POLY1305_SHA256, Ed25519 certs, X25519, and we can go home early today? ;)

Minus chacha that is my default

keep in mind some run ~~lesser~~stable distros that won't have those things for *years*

it's best to stick with mozilla TLS recommendations which are good and improve with time

shoulda used arch

But I want to do s2s even with tls1.2 only servers. Its secure enough. (Otherwise you put omemo on top anyways)

And who knows if curves are more secure then rsa 4096 certs? Quantum secure etc. (Just for your angst) 😀

Ecdscadsa12345

for testing, you can also use https://xmpp.net/preview/. should be slightly better than the plain one, but not as polished yet

testssl.sh can cope with xmpp iirc

jonas’, possible that should just be made the default regardless, those unencrypted+tls 1.0 stats are pretty scary if you don't realize the reason

Licaon_Kter: testssl.sh is the backend to the new xmpp.net thing

Nice, minus the old _xmppconnect

jonas’: oooj

jonas’: cool thanks!

just wondering: is there like a security standards group in the xmpp community?

not sure if there's anything dedicated to that, but the standards mailing list is sufficiently low-traffic that that would be a sensible place to discuss such topics

cool i'll look that up

> for testing, you can also use https://xmpp.net/preview/. should be slightly better than the plain one, but not as polished yet Nice, what's that new `_xmppconnect TXT records` for? Any advice how to setup for ejabberd available?

raver: no, its for nothing and to be removed.

Menel: thx🙂✌️

https://xmpp.org/extensions/xep-0156.html > A previous version of this XEP defined a DNS method to look up this info using a TXT _xmppconnect record, this was insecure and has been removed.

We can re-add it in the world where dnssec is mandatory I suppose?

Menel, do you know why the altconnect endpoints results in error, allthough I'm successfully using bosh/websocket with converse.js?

Menel, https://xmpp.net/preview/scan/result/72

No, can only say its a preview. If you can connect from https://m.conversejs.org/ To *your* server, then it works in reality

Your selfhosted conversejs likely doesn't count, since you entered the endpoint in the config yourself

Menel: iirc it should autodetect if you don't mention it

Menel, yep works

Menel, but with some erros: WebSocket connection to 'wss://xmpp.rimkus.it:46786/ws' failed: Data frame received after close

ah I see the error in the chat window of this muc

Test from Converse.js official

hahahahaha

sorry for the offtop but i was reffering to one person from my IRL as raver-menel :D

just yesterday