-
polarian
>> on spammers: when they jump in, pollute and jump out, admin may not be able to know the jid to block it.
>> so i wrote this muc jid logger for prosody: https://github.com/norayr/mod_muc_jid_logger
> Does this mean that moderators must have access to the prosody daemon's log file to use this?
Yes
-
polarian
According to the SRC code :)
-
tom
does something like this https://blog.cloudflare.com/the-csam-scanning-tool/ exist but an actual tool operators can run on their servers instead of a service from cloudflare?
-
polarian
I just go with "not my problem"
-
tom
> Today there are startups that are working to build the next Internet giant and compete with Facebook and Google because they can use Cloudflare to be secure, fast, and reliable online. But, as the regulatory hurdles around dealing with incredibly difficult issues like CSAM continue to increase, many of them lack access to sophisticated tools to scan proactively for CSAM. You have to get big to get into the club that gives you access to these tools, and, concerningly, being in the club is increasingly a prerequisite to getting big. To be clear, Cloudflare will be running the CSAM Screening Tool on behalf of the website operator from within our secure points of presence. We will not be distributing the software directly to users. We will remain vigilant for potential attempted abuse of the platform, and will take prompt action as necessary.
-
tom
cloudflare calling themselves an unfair monopoly and saying that distributing the tool would facilitate a better ecosystem but refusing to do so
-
tom
sending fuzzyhashes of all the files on my CDN to a big tech monopoly, or worse reverse proxying all my traffic unencrypted through one is not an acceptable proposition and seems to present an undue privacy risk to users.
-
tom
We don't accept this kind of risk with the use of RTBLs for handling email spam so I fail to see why a similar approach for distributing fuzzy hashes couldn't be applicable to monitoring our http-upload cdn servers for csam abuse.
-
tom
I am considering upgrading prosody v12->v13 tonight
-
tom
I am moving from RSA encryption to elliptic curve cryptography
-
tom
the old keys were 2048 bits in length and I think that keysize has been weak for a while
-
tom
switchover from RSA-2048 to ECC-256 complete
-
Samson Smith
> I am moving from RSA encryption to elliptic curve cryptography
How does this work, Tom?
-
Samson Smith
What exactly is using RSA
-
Samson Smith
Your SSL certs?
-
tom
tls encryption
-
Samson Smith
Oh okay
-
Samson Smith
I didn't know that ECC-256 was available from let's encrypt
-
tom
RSA is an old algo from the 90s we kept increasing the modulus size of to keep it secure
-
Samson Smith
I'm not even sure how to configure my acme client to request 4096 bit size RSA keys
-
Samson Smith
Tom I am familiar with RSA, and how we keep increasing the bit size
-
Samson Smith
PGP also uses RSA
-
tom
we were supposed to switch to ECC because of this back in the 90s but the NSA probably backdoored DUAL_EC_DRBG so I and many others put off implementing it in favor of increasing to RSA3072
-
tom
but now with Daniel J. Bernstein's work I think we have safe ecc primitives to start using ECC in favor of RSA
-
Samson Smith
A lot of algos are considered unsafe due to relying on the NIST
-
Samson Smith
Ed25519 is safe
-
tom
> I didn't know that ECC-256 was available from let's encrypt
they will if you specifically ask for it. From E5 instead of R11
-
Samson Smith
I'm pretty sure
-
Samson Smith
>> I didn't know that ECC-256 was available from let's encrypt
> they will if you specifically ask for it. From E5 instead of R11
What do you mean by E5 and R11? Sorry I'm on my phone and I set up SSL years ago (over half a decade) and forgot about it
-
tom
> PGP also uses RSA
GnuPG implements ECC as well. I've started generating more ecc subkeys to replace my rsa subkeys. However one of these days I'm going to have to replace my root gpg key with something ecc based as well since the whole thing is only as secure as the root of trust
-
tom
thankfully all those years ago when i made my gpg key I used rsa3000+
-
Samson Smith
How do sub keys work? I'm not super familiar with gpg and only have used it intermittently
-
tom
> What do you mean by E5 and R11? Sorry I'm on my phone and I setup SSL years ago (over half a decade) and forgot about it
look at the chain of certificates on my XMPP server. Let's encrypt RSA chain of trust top is R11
-
tom
the current ECC chain of trust is E5
-
tom
https://letsencrypt.org/certificates/
-
Samson Smith
The other day I generated a 4096 RSA key and enabled all capabilities on it, signing, certify, authentication, and encryption. Is that a bad idea?
-
tom
yes
-
tom
if you're using Let's Encrypt, it's only as secure as 2048
-
Samson Smith
Oh wow
-
Samson Smith
I'm not sure how secure EDSA is
-
Samson Smith
I think it relies on the NIST (at least for ssh?)
-
Samson Smith
Unless ed25519 is a variant of EDSA and I just don't realize it
-
tom
Samson Smith: if you're interested in this stuff here is a great read https://blog.cryptographyengineering.com/2015/10/22/a-riddle-wrapped-in-curve/
-
Samson Smith
Thanks tom
-
Samson Smith
Are there providers for free SSL certs other than let's encrypt? It's the only one I know about and what everyone seems to use
-
Samson Smith
I'm partly worried if I change certs from RSA it will break compatibility with a lot of software so it might be a good idea to get both honestly. I'm sure simply using a higher bit size RSA cert would have minimal issues with compatibility
-
Samson Smith
Maybe there is a different provider with at least 3072 sized certs
-
tom
> Are there providers for free SSL certs other than let's encrypt? It's the only one I know about and what everyone seems to use
yes but Let's Encrypt is hosted by the Electronic Frontier Foundation while others like ZeroSSL don't have quite the reputation
-
tom
> I'm partly worried if I change certs from RSA it will break compatibility with a lot of software so it might be a good idea to get both honestly. I'm sure simply using a higher bit size RSA cert would have minimal issues with compatibility
I think the days of not having ECC compatibility are behind us which is why I switched my certs over just now, but if you'd like I can report back here if there are any interoperability/federation issues from this switchover
-
Samson Smith
>> Are there providers for free SSL certs other than let's encrypt? It's the only one I know about and what everyone seems to use
> yes but lets encrypt is hosted by the Electronic Frontier Foundation while others like ZeroSSL don't have quite the reputation
I understand I guess I'm stuck with let's encrypt then, especially because I use wildcard certs to make my life easier, I'm sure those cost a fortune elsewhere
-
Samson Smith
>> I'm partly worried if I change certs from RSA it will break compatibility with a lot of software so it might be a good idea to get both honestly. I'm sure simply using a higher bit size RSA cert would have minimal issues with compatibility
> I think the days of not having ECC compatibility are behind us which is why I switched my certs over just now, but if you'd like I can report back here if there are any interoperability/federation issues from this switchover
That would be nice to know Tom, I think you have my contact as well and we share a few other MUCs you could let me know in any of those places as well
-
Samson Smith
I just know already as it is some programs have issues with certs
-
tom
just message me here then, I'll probably forget
-
Samson Smith
I had to generate new ones to get everything to work nicely, like I think I generate a different cert from the one let's encrypt gives me for DNS over TLS
-
Samson Smith
Android doesn't like to use the cert they give me directly, I don't remember why
-
Menel
ECC certs are old by now, I don't know software that doesn't work with them. I've been using ECC certs for at least 5 years I think. I don't think you'll have to worry. And if something actually breaks you can just switch back
-
Samson Smith
Menel, I can also just have both certs as well, can't I
-
Samson Smith
Renew both monthly
-
tom
kalli.st, your cert expired
-
xa0.uk
more spam from jasjsnsnjsjs@c0nnect.de in c-o and biboumi@
-
xa0.uk
probably a target for rtbl?
-
xa0.uk
(not like i'm salty)
-
xa0.uk
also, some are saying this is probably the same group of spammers associated with syn.rip
-
Kris
already added to rtbl
-
Kris
these channels either don't subscribe to it, or it is a different jid
-
jonas’
likely
-
jonas’
(likely they do not subscribe)
-
j.r (jugendhacker.de)
jjsjaksj@c0nnect.de also seems to be a similar spammer
-
polarian
Hmmm seems depeering from c0nnect.de might be wise
-
polarian
Has anyone contacted them yet?
-
Kris
also already added
-
polarian
The whole server?
-
Kris
no the above JID
-
polarian
> Has anyone contacted them yet?
I meant contacted the server admins
-
polarian
I will do it then ig
-
trashserver.net Admin
> Has anyone contacted them yet? I have. No response so far.
-
trashserver.net Admin
Unfortunately the server's website is blank. No info about the admin.
-
trashserver.net Admin
I've reached out to the server Hoster / IP owner. Not sure if these are the same guys. Nevertheless, I've filed an Abuse message.
-
Martin
Guus managed to contact them in the past.
-
xa0.uk
> I've reached out to the server Hoster / IP owner. Not sure if these are the same guys. Nevertheless, I've filed an Abuse message.
❤️
-
マリウス
does anyone have experience with ejabberd and know why its beam might end up going berserk at 99% on a CPU, with /var/log/messages filling up with `epmd[96954]: epmd: invalid packet size` messages?
-
tom
I don't, sorry.
-
polarian
> Guus managed to contact them in the past.
I have attempted to contact them, no response yet