XMPP Service Operators - 2024-07-08


  1. nuegia.net

    Polarian, your offtopic

  2. Polarian

    nuegia.net, Alright im putting my foot down now, you are not an administrator, you do not get to moderate me, I do not need to explain myself to you. You have told me what to do repeatedly in this channel over the past week and I am fed up of it. For those who feel its offtopic, I think talking about how a server software (which is used by operators) should support a security feature, which in my opinion, would be very much ontopic for this channel seen as it benefits operators. Rigid topic rules benefit nobody, if you can't have a productive conversation out of fear of a stray offtopic comment, then we would get nowhere. Again, leave me alone! (+1 for ignore/block feature within MUCs on dino, almost all IRC clients have it, yet almost no XMPP clients do... its how you deal with situations like this!)

  3. drakos

    lmao

  4. MattJ

    FWIW I don't think discussion of DANE support on the network or in XMPP servers is off-topic for a server operators channel.

    ๐Ÿ‘† 1
  5. jonasโ€™

    Meta post from moderators: We have now lifted last week's ban on the participant 'worlio.com'. This is because, after a review, the moderator team concluded that a permanent ban would not be appropriate and the ban duration has now been sufficient. Also, upon closer review of last week's discussion, it is clear to the moderators that this participant was not the only one that crossed the line regarding what is acceptable behaviour in this venue (or indeed any venue hosted by the XSF). We do this with the expectation that they, and everyone here, will abide by the channel guidelines and the XSF's Code of Conduct. Please do not engage in off-topic discussions/debates, which can often end up in the kind of heated discussions we saw last week. Instead, notify a moderator (in the channel or in private) if you think something deserves our attention.

  6. Polarian

    > Meta post from moderators: > > We have now lifted last week's ban on the participant 'worlio.com'. This is because, after a review, the moderator team concluded that a permanent ban would not be appropriate and the ban duration has now been sufficient. > > Also, upon closer review of last week's discussion, it is clear to the moderators that this participant was not the only one that crossed the line regarding what is acceptable behaviour in this venue (or indeed any venue hosted by the XSF). > > We do this with the expectation that they, and everyone here, will abide by the channel guidelines and the XSF's Code of Conduct. > > Please do not engage in off-topic discussions/debates, which can often end up in the kind of heated discussions we saw last week. Instead, notify a moderator (in the channel or in private) if you think something deserves our attention. channel PMs are disabled no? how do we contact moderators in private... could you post your JIDs?

  7. MattJ

    They are disabled between participants, you can PM moderators (and they can PM you)

  8. Polarian

    > They are disabled between participants, you can PM moderators (and they can PM you) didn't know that thanks

  9. Polarian

    https://http.icebound.dev/httpfileupload/I4i4qra07vrf3DOgiO_yrc-lHGQ/Screenshot_20240708-144409_monocles%20chat.png

  10. Polarian

    hrm...

  11. moparisthebest

    I can confirm^ so that's either a Cheogram bug or a room config bug, I don't have another client handy to check

  12. Polarian

    > I can confirm^ so that's either a Cheogram bug or a room config bug, I don't have another client handy to check I'm using monocles

  13. MattJ

    I'll look into that

    ๐Ÿ‘ 1
  14. Polarian

    > I'll look into that ๐Ÿ‘

  15. Polarian

    jonasโ€™: PM me when you get a chance please

  16. edhelas

    > They are disabled between participants, you can PM moderators (and they can PM you) Do you know which metadata stays that ?

  17. MattJ

    edhelas, XEP-0045 does not allow expressing this case

  18. edhelas

    So how does the client above knows that ? ๐Ÿค”

  19. MattJ

    jdev :)

  20. Polarian

    > edhelas, XEP-0045 does not allow expressing this case sounds like an idea for a new XEP revision ๐Ÿ˜‰

  21. luca

    Anyway on the topic of DANE enforcement. Should I enable it? Would it just cause more headaches for me and my users? Does anyone have any statistics on how many servers do publish the proper TLSA records?

  22. Menel

    It would certainly make more headaches for you. Like on prosody it means if there is an TLSA record it will honor it. So if it's wrong your server will refuse to connect. It's always more headache with more security

  23. Menel

    I can generate the statistoc on how my server sees the network, not very objective

  24. Menel

    I can generate the statistic on how my server sees the network, not very objective

  25. Polarian

    Menel: if its a headache why do you enable it

  26. Polarian

    also why not fallback to CA authentication?

  27. Menel

    Security of course Polarian, you don't get any headache if you just disable any security at all. That was my point

  28. Menel

    Fallback on invalid makes it useless

  29. Menel

    At least in my sever list I could bring the servers with wrong records to update them or delete them, currently everything works

  30. Polarian

    > Fallback on invalid makes it useless validate both then?

  31. luca

    Menel: Even if not objective, I would be interrested on such numbers anyway. Like how many servers implement TLSA correctly or even a prececntage, whatever you feel confortable sharing

  32. Menel

    From 54 outgoing connections Its 5 with Dane

  33. Polarian

    Menel: what server are you?

  34. Polarian

    siskin?

  35. Polarian

    (I forgot)

  36. Menel

    Not bad >9%

  37. luca

    Not very secure

  38. Polarian

    > Not very secure CA isn't exactly insecure though...

  39. Polarian

    DANE is an improvement... not exactly a security patch...

  40. Menel

    > Not very secure Conpare to http protocol people, Its infinite more

  41. Polarian

    also a mitm is difficult without gaining access to DNS

  42. luca

    Sorry, that was just bad phrasing on my part

  43. Polarian

    it would need to be a hop along the journey

  44. luca

    What I meant was that with those numbers it's not really practical to enable strict enforcement. Even at 50% I would have some doubts

  45. Polarian

    so yes in theory CA being compromised or malicious ruins the entire security... but in practise using this as an exploit would only work in specific circumstances

  46. Polarian

    > What I meant was that with those numbers it's not really practical to enable strict enforcement. Even at 50% I would have some doubts true

  47. moparisthebest

    luca: wait what? You can enable strict enforcement at 1 domain having it enabled

  48. Polarian

    but that's like saying not everyone supports TLSv1.3 so let's just use TLSv1.2

  49. Polarian

    you should support the newer standards, and encourage adoption, but forcing it causes issues, especially in federated protocols... (some email servers STILL don't support TLS)

  50. luca

    Is there a way to encourage DANE in this case? Other than setting it up for your server and scolding others who don't?

  51. moparisthebest

    Publishing a tlsa record is opt in by the domain, so if they publish one, you can enforce it on their domain, because they told you to

  52. moparisthebest

    Set it up for your server, turn it on, set up https://certwatch.xmpp.net/ all this "encourages" it

  53. Menel

    I think there is a misunderstanding, p prosody only enforces it if tlsa is published. It will use CA validation on all other domains.

  54. moparisthebest

    ^

  55. Menel

    Its like use tls1.3 if possible but allow 1.2 for now

  56. Polarian

    without a licencing war... I got to ask... why is most XMPP software seem to be AGPL/GPL... is this something which XSF encourages? certwatch is AGPL hence why I'm asking... (slightly off topic apologies)

  57. Polarian

    > Its like use tls1.3 if possible but allow 1.2 for now 1.2 still has some strong cyphers though... no point removing what works... 1.3 should be used though

  58. moparisthebest

    Or don't because TLS 1.3 is supported by every currently supported system, anything updated in the last 5 years, and 1.2 has rather serious problems

  59. Polarian

    > I think there is a misunderstanding, p prosody only enforces it if tlsa is published. It will use CA validation on all other domains. hmmm... any benefit mixing DANE with CA?

  60. moparisthebest

    Polarian: sadly most is not AGPL but indeed offtopic

  61. Polarian

    > Polarian: sadly most is not AGPL but indeed offtopic so its not encouraged or discouraged then... question answered. thanks.

  62. luca

    About TLS 1.3, I set my server's tls_profile to "modern" which should require TLS 1.3, and I haven't experienced any issues. Though I don't stray from the beaten path

  63. moparisthebest

    >> I think there is a misunderstanding, p prosody only enforces it if tlsa is published. It will use CA validation on all other domains. > hmmm... any benefit mixing DANE with CA? Yes, you'll need both for now but that's fine, Dane supporting systems will ignore the ca stuff which is only for legacy non-dane-supporting software

  64. Polarian

    >> hmmm... any benefit mixing DANE with CA? > Yes, you'll need both for now but that's fine, Dane supporting systems will ignore the ca stuff which is only for legacy non-dane-supporting software but surely validating both would be useful?

  65. Menel

    Mentioning tls Version was meant as analogy to use DANE but fallback to ca. Same as people use tls1.3 but allow(ed) fallback to tls1.2 nothing more

  66. Polarian

    CA will still be secure if the DNSSEC key is compromised and DANE is broken

  67. Polarian

    if CA is broken, DANE will be valid still

  68. Polarian

    a bit like mixing SPF and DKIM

  69. moparisthebest

    Polarian: no need to validate both, tlsa/Dane is the domain securely telling you to only validate it that way

  70. Menel

    If DANE is wrong you have to assume a compromise, regardless what can sais

  71. Menel

    If DANE is wrong you have to assume a compromise, regardless what ca sais

  72. luca

    Ok, but in the tls analogy, after a while people should/will move to tls 1.3, to the point where you can disallow everything that came before it

  73. Menel

    That's to sole point of it

  74. luca

    Is that what will happen with DANE as well?

  75. Menel

    luca: it's what DANE people want

  76. Menel

    Not what will just happen.

  77. moparisthebest

    luca: hopefully, but a major blocker is some legacy tlds don't support Dane yet, like .im

  78. Polarian

    > If DANE is wrong you have to assume a compromise, regardless what ca sais I forgot that CA is authenticated by DNS challenges (or http which relies on A record) so DANE is superior full stop...

  79. Menel

    We still have http only websites

  80. MSavoritias (fae,ve)

    (meanwhile ipv6 people crying in the corner) :P

  81. moparisthebest

    luca: hopefully, but a major blocker is some legacy tlds don't support DNSSEC yet, like .im

  82. Polarian

    > luca: hopefully, but a major blocker is some legacy tlds don't support DNSSEC yet, like .im another major blocker is registrars often make you pay for DNSSEC... and TLSA... and your approach of "just use x registrar" won't work for the masses

  83. Polarian

    CA if supported universally

  84. Polarian

    DANE is seen by registrars as this extra security feature which you pay for under a "security" plan... I have seen many registrars do it

  85. moparisthebest

    >> luca: hopefully, but a major blocker is some legacy tlds don't support DNSSEC yet, like .im > another major blocker is registrars often make you pay for DNSSEC... and TLSA... and your approach of "just use x registrar" won't work for the masses Not common at all, never seen it, only heard it from you about yours :)

  86. Polarian

    CA is supported universally

  87. Polarian

    >> another major blocker is registrars often make you pay for DNSSEC... and TLSA... and your approach of "just use x registrar" won't work for the masses > Not common at all, never seen it, only heard it from you about yours :) woah maybe this is a UK thing?

  88. Polarian

    > (meanwhile ipv6 people crying in the corner) :P IPv6 has major blockers too :P

  89. moparisthebest

    Also do you mean DNSSEC instead of Dane?

  90. moparisthebest

    It'd be really strange if they supported DNSSEC but made you pay for 1 type of record lol

  91. Polarian

    1. people don't wish to support it if they got lots of IPv4 2. A lot of ISPs don't support it, and XMPP seems to be filled with self hosted servers

  92. Polarian

    > It'd be really strange if they supported DNSSEC but made you pay for 1 type of record lol AFAIK godaddy makes you pay per DNSSEC signed record

  93. Polarian

    also DANE relies on trusting your authoritative DNS server... or self hosting... and port 53 (like port 25) is regulated... many providers will not allow it

  94. Polarian

    so its not flawless either :)

  95. moparisthebest

    Lol, all I can say is stop using bad/abusive registrars then, plenty of good choices

  96. Polarian

    > Lol, all I can say is stop using bad/abusive registrars then, plenty of good choices you get what you are given sometimes in life...

  97. moparisthebest

    Doesn't require port 53 or whatever

  98. Polarian

    besides I have 3 domains on 3 registrars... godaddy is bad for DNSSEC, namecheap paywall DNS so you can't autorenew certs without depositing ยฃ50/yr (although I think they changed this now), and mythic beasts is amazing... and pretty cheap too

  99. luca

    Ok, so it sounds like DANE (and IPv6 to some extent) are difficult because they require either third party support or hardware support, and not just a `apt upgrade` from the server owner, making it pretty difficult

  100. moparisthebest

    luca: don't confuse them, Dane is trivial for anyone to enable support for validating other domains with it, it's a config option, everyone should 100% turn it on

  101. moparisthebest

    Enabling Dane validation of your own domain requires you to be using a tld and registrar that supports DNSSEC, that's all

  102. Kris

    is there somewhere a guide for dummies on that?

  103. moparisthebest

    Which one

  104. Kris

    I am asking you :)

  105. Polarian

    > is there somewhere a guide for dummies on that? I need a guide for dummies ๐Ÿ˜ฎโ€๐Ÿ’จ

  106. luca

    Are you talking about DANE validation vs DANE support? Like checking TLSA records vs adding TLSA records?

  107. Polarian

    > luca: don't confuse them, Dane is trivial for anyone to enable support for validating other domains with it, it's a config option, everyone should 100% turn it on Dane is trivial IF you got DNSSEC signing setup

  108. Polarian

    and IF your TLD supports DNSSEC

  109. luca

    Ok I think there are a lot of terms here I don't understand. In particular DNSSEC. Which I thought was a magic button in cloudflare (or whatever)

  110. unix.dog

    Polarian, they mean it's trivial to enable validation of DANE records

  111. moparisthebest

    They are 2 entirely independent things: 1. Enabling your server to validate Dane for other servers it connects with 2. Publishing tlsa records for your domain so it can be validated by Dane 100% of everyone can do #1, #2 has requirements

  112. unix.dog

    ^

  113. Polarian

    > They are 2 entirely independent things: > 1. Enabling your server to validate Dane for other servers it connects with > 2. Publishing tlsa records for your domain so it can be validated by Dane > > 100% of everyone can do #1, #2 has requirements I can't do #1, Openfire hasn't got support for it :)

  114. Polarian

    so that isn't _everyone_

  115. Menel

    Guide for dummies is: https://certwatch.xmpp.net/ And dnssec should be a config option in the dns hoster.

  116. Menel

    Enter your own domain and it will say what to do

  117. unix.dog

    > so that isn't _everyone_ yeah but you're being pedantic at that point

  118. Polarian searches the meaning of pedantic

  119. Menel

    Use mopars xmpp proxy in front of Openfire then ๐Ÿ˜‰

  120. Polarian

    > Use mopars xmpp proxy in front of Openfire then ๐Ÿ˜‰ no thanks... more point of failures

  121. Polarian

    plus Openfire can cluster ๐Ÿ™ƒ

  122. Menel

    I just wait for Openfire to support it

  123. Polarian

    Indeed

  124. Polarian

    I don't think its a big deal at the moment though...

  125. Guus

    we welcome your PR.

  126. unix.dog

    also the fact that there are registrars that charge you all that fee for basic stuff sucks

  127. moparisthebest

    For #1 for prosody it's just adding a config option https://prosody.im/doc/dnssec#dane

  128. luca

    lol what https://learn.microsoft.com/en-us/azure/dns/dns-faq#does-azure-dns-support-dnssec-

  129. luca

    azure doesn't even support dnssec

  130. Guus

    they're probably also waiting for Openfire to add it.

  131. luca

    Openfire is the cloud and azure is just a plugin

  132. moparisthebest

    For #2 (not specific to prosody, just XMPP in general) https://prosody.im/doc/dns#dane

  133. Polarian

    > we welcome your PR. I was meant to send a patch for spark back in April...

  134. Polarian

    shows how productive I am

  135. Polarian

    > they're probably also waiting for Openfire to add it. _they will be waiting a while_ ๐Ÿ˜‰

  136. Guus

    get on with it then! Microsoft is waiting for you!

  137. Polarian

    > get on with it then! Microsoft is waiting for you! why do I have to? you're the maintainer ๐Ÿ˜ฎโ€๐Ÿ’จ

  138. moparisthebest

    You can always use cloudflare ;)

  139. Polarian

    > You can always use cloudflare ;) don't mention that word again :)

  140. Guus

    > why do I have to? you're the maintainer ๐Ÿ˜ฎโ€๐Ÿ’จ No, Dave is. Even says so on Wikipedia. ๐Ÿ˜‡

  141. Polarian

    >> why do I have to? you're the maintainer ๐Ÿ˜ฎโ€๐Ÿ’จ > No, Dave is. Even says so on Wikipedia. ๐Ÿ˜‡ Dave is around as often as I sent patches :)