XMPP Service Operators - 2022-07-16

  1. nuegia.net

    there's a really good nginx module for rate limiting traffic

  2. nuegia.net

    it uses a bucket based system so it works well with bursts

  3. nuegia.net

    to the operator of kalli.st, I'd like to talk with you about federating over Tor or I2P

  4. nuegia.net

    setting up our routing maps

  5. Licaon_Kter

    nuegia.net: they use Prosody?

  6. nuegia.net

    I think so yes

  7. nuegia.net

    they made this, which allows federating over both Tor and I2P at the same time

  8. nuegia.net


  9. nuegia.net

    it's a fork of mod_darknet

  10. nuegia.net

    I really wish it could get upstreamed into prosody's modules

  11. Licaon_Kter


  12. moparisthebest

    nuegia.net, literally just have to ask for access to push modules

  13. [czar]

    nuegia.net: I have a hidden service: kallist4mcluuxbjnr5p2asdlmdhaos3pcrvhk3fbzmiiiftwg6zncid.onion. I don't have any mapping set right now; I use it (mod_deepweb) mainly to federate with Tor/I2P-only servers

  14. moparisthebest

    manually hard-coding associations isn't very flexible or secure, this should be auto-discoverable

  15. moparisthebest

    manually hard-coding associations isn't very scalable or secure, this should be auto-discoverable

  16. Zash

    Is it not security-awkward to associate the public service name with the hidden service?

  17. Licaon_Kter

    Zash: how?

  18. Zash

    Easier to find the physical machine if you happen to be the NSA and want to peek at the server debug logs for further metadata to feed into your social graphs?

  19. Zash

    Anyway, it was a question. I don't remember the full argument I've seen on this topic.

  20. mjk

    true, if the intention is to actually _hide_ the service and/or operator's identity, associating the hidden service address with a clearnet one defeats the purpose. But there are other nice properties of an HS

  21. Licaon_Kter

    Zash: it's in the threat model

  22. nuegia.net

    mjk, it's also about bypassing censorship

  23. nuegia.net

    nationstate internet firewalling

  24. mjk

    and also your NAT :D

  25. mjk

    and avoiding the global PKI

  26. mjk

    ...and exit nodes

  27. moparisthebest

    Zash: if it's a hidden domain, you connect directly, no problem; if it's jabber.org, there's no reason I'm aware of to hide the fact that it's also accessible over Tor via an .onion domain, right? Slap that in a SRV record

  28. nuegia.net

    nothing that I know of actually would use that SRV record

  29. nuegia.net


  30. moparisthebest

    nuegia.net: right, we can fix that

  31. moparisthebest

    I'll be adding support soon

  32. moparisthebest

    I mean any XMPP server will do it now if you have your server set up right

  33. moparisthebest

    i.e. to resolve .onion to IPs that connect transparently over Tor

  34. nuegia.net

    is DNSSEC required for that?

  35. nuegia.net

    because if not it seems like a huge security hole

  36. nuegia.net

    anybody could spoof a DNS response without DNSSEC, and because certificate validation isn't used on onions/I2Ps, somebody could just intercept all that

  37. nuegia.net

    with a self signed or fake certificate

  38. nuegia.net


  39. nuegia.net

    unless you're still validating the clearnet certificate over the tunnel

  40. Zash

    if you are connecting to jabber.org, you make sure you see a certificate for jabber.org, regardless of how you connected

  41. Zash

    or, you need to establish a secure chain of trust from "jabber.org" to the connection you end up with. DNSSEC or POSH can allow for some indirection, but not much deployment for such things

  42. Zash

    https://wiki.xmpp.org/web/The_Knight 🙂

  43. moparisthebest

    Right, if you are connecting to a .onion SRV record you absolutely do cert verification

  44. mimi89999

    What's POSH?

  45. moparisthebest

    mimi89999, https://www.rfc-editor.org/rfc/rfc7711.html