XSF Discussion - 2014-02-20

  1. xnyhps

    Their auth is a pile of stuff, including HTTP. Facebook too, btw.

  2. Tobias

    i thought FB was full on the MQTT train now

  3. fippo

    http://xmpp.org/2014/02/second-security-test-day/ <-- I don't get the 12.5% ... it's the percentage of servers that now requires encryption, right?

  4. Ge0rG

    fippo: I would suppose so... even though the wording in the blog post implies traffic, not servers

  5. Simon

    Still getting over the WhatsApp price. (works out at $40/user)

  6. Simon considers selling off users on my family XMPP server.

  7. Laura

    Just wanted to share the meetup link for the London XMPPUK Meetup http://www.meetup.com/XMPP-UK-Meetup/

  8. fippo

    laura: you should prod lloyd about showing webrtcish stuff and invite https://twitter.com/disruptivedean/status/436063951932379136 :-)

  9. Laura

    fippo: Off to prod Lloyd

  10. Kev

    Laura: Thanks. I'd have thought a mail to some lists would probably be appropriate (unless you already have, and I missed it).

  11. Laura

    I am talking to Lloyd about lists to send to. I managed the XMPPUK mailing list, but something tells me Lloys has others!

  12. intosi

    No doubt some lists we don't want to know about ;)

  13. Kev

    Laura: Thanks.

  14. Lloyd

    aslso http://lanyrd.com/2014/xmppuk/

  15. Lloyd

    fippo: I'm probably not going to be able to attend this meetup. Will still be organising with Laura though.

  16. fippo

    lloyd: you don't need to get dean bubley to that particular meetup, just convince him that the xmpp meetup is where the cool webrtc stuff happens in london :-)

  17. Simon

    Get James Body there, and Dean Bubley will be in tow.

  18. Lloyd

    fippo: tweeted him about it. Thanks.

  19. Ge0rG

    are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas?

  20. ralphm

    xnyhps: have you ever looked into cryptocat?

  21. xnyhps

    I've looked over it, yes. Why?

  22. Ge0rG

    it's full of cats

  23. ralphm

    xnyhps: wondering how well it was made, security-wise and overall

  24. Ge0rG

    it's had a bunch of security issues in the past, but the developers promised to do it better

  25. xnyhps

    I only looked at it from the context of iq-spoofing, which they aren't vulnerable to, because they don't send any iqs except for IBR. I did report that the usage of an incrementing counter for iqs leaks information about yourself, and that was promptly fixed.

  26. ralphm

    are they involved with the XSF?

  27. xnyhps

    Don't think so

  28. ralphm

    I noticed they are working on a new protocol for groups, but it doesn't seem based on xmpp

  29. xnyhps

    Groups? You mean encrypted group chat?

  30. Kev

    are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas? Ge0rG @ 10:51 No, and clients should generally not do it, as it adds no value. The server has to overstamp it anyway.

  31. Tobias

    multiparty OTR

  32. xnyhps

    They have an implementation of mpOTR, yes, but even in the OTR community it is still controversial.

  33. Ge0rG

    Kev: I'm currently working on http://issues.igniterealtime.org/browse/SMACK-538 - and I have a report from one person running ancient ejabberd (2.1.5 forked) that forwards presences without adding the from field, making some clients on the other side crash

  34. Kev

    Ge0rG: I wasn't aware that there was ever a server that broken.

  35. Kev

    It's very clear in the RFC that the server has to do this.

  36. Ge0rG

    Kev: me neither. But I need to triangulate that to have a strong argument against adding from=ownJID for conservative compliance reasons.

  37. Kev

    The strong argument is that if you get it slightly wrong, your server will start bouncing your messages, I think.

  38. Ge0rG

    whoops, that was the wrong SMACK issue. http://issues.igniterealtime.org/browse/SMACK-547 is right, sorry

  39. xnyhps

    Hm. It was mentioned in the original Pidgin security issue that started the iq spoofing thing that the 'from' could be spoofed too, but I didn't investigate that.

  40. Kev

    xnyhps: Spoofed in what way, though?

  41. Ge0rG

    Kev: as I read the spec, the server may not bounce if the from field is wrong

  42. xnyhps

    They weren't specific.

  43. Kev

    Servers either reject messages sent from the wrong JID, or overstamp the right one.

  44. xnyhps

    But it was suggested they could override it to anything.

  45. Ge0rG

    Kev: do you know servers that reject?

  46. Ge0rG

    I would assume it is against the spec

  47. Kev


  48. Ge0rG

    Kev: thanks very much

  49. Kev

    (But I agree that just reading implies that you can't bounce a client trying to spoof other addresses)

  50. Ge0rG

    so both behaviors are technically "right"?

  51. Kev

    I think the two bits of the RFC aren't entirely consistent - but yes, I would expect either to be right.

  52. Kev

    If a client starts trying to spoof 'from' addresses, it would seem sensible that a server can start rejecting the stanzas (or balefiring the user), to me.

  53. Ge0rG

    This is sensible indeed. Though it might be just caused by a client failing the IDNA nodeprep of its resource string, or forgetting to add a resource to its JID

  54. Kev

    Which are good reasons for clients not to try to do this themselves, given that servers have to do it form them anyway.

  55. fippo

    lloyd: challenge accepted... :-p

  56. fippo

    seven cameras + four headsets

  57. Lloyd


  58. Ge0rG

    Just got a user request for yaxim: "Please rebrand xmpp instant messaging to 'Xmpp Texting' To help people escape from mobile carrier sms texting extortion"

  59. Ge0rG

    maybe XMPP needs a new fresh look?

  60. Simon

    XMPP Texting, XMPP IoT, XMPP Social, XMPP Video… All ™'d of course.

  61. intosi


  62. intosi

    A real Internet of XMPP, or IoX™

  63. ralphm

    I'm still not sure about using 'XMPP' for branding.

  64. Ge0rG

    ralphm: what else? "Jabber"?

  65. Ge0rG

    intosi: I like that. from ox to yaxs it is merely a small step

  66. ralphm

    Ge0rG: Of course the Jabber trademark has some issues, but it can be licensed through the XSF.

  67. ralphm

    Ge0rG: I personally like it a lot, some in our community don't. I can see that.

  68. Ge0rG

    ralphm: to me, Jabber sounds old and un-snappy. Maybe it is because people often say "do not use that any more, use XMPP instead"

  69. ralphm

    Ge0rG: but there is a reason I had the Jabber bean bag made. As a word, leaving the TM things aside, Jabber is way better for branding than XMPP ever will.

  70. Ge0rG

    ralphm: +1

  71. ralphm

    Ge0rG: yeah, there is a lot of confusion around it

  72. Simon

    Developers seem to talk about XMPP now. This is the discussion on Hackernews about WhatsApp - https://news.ycombinator.com/item?id=7266618 (Jabber: 1 XMPP: lots more)

  73. Ge0rG

    they also talk about threema there. and what not.

  74. Simon googles threema

  75. ralphm

    Simon: yes. Developers is not the target audience for Whatsapp users.

  76. Ge0rG

    ralphm: we could reinforce the "Jabber" term by naming the compliance suite accordingly

  77. Ge0rG

    I wish it were... hundreds of millions of developers all over the world!

  78. ralphm

    XMPP — Jabber is exactly like HTTP — Web

  79. ralphm

    Ge0rG: oh, don't take me wrong, I think it is fine that devs talk about XMPP

  80. ralphm

    Also, the figure of hundreds of millions of developers would mean that roughly 5% of the entire worlds' population is a developer. That seems a bit too much.

  81. Ge0rG

    ralphm: sure. but a compliance badge would be something visible to end-users

  82. Ge0rG

    ralphm: do not stomp onto my dreams!

  83. intosi

    ralphm: but now that there are RasPi's, every kid is a developer again, right?

  84. ralphm

    intosi: do the math

  85. Ge0rG

    with raspis, NAT and owncloud-everything, it is high time to mandate s2s-0198

  86. intosi

    ralphm: nah, it's more fun not doing it and imagining most kids around the world programming and creating stuff.

  87. ralphm

    there are roughly 2 million Pis sold in total

  88. intosi

    ralphm: don't spoil my dream with proper facts and reason, please ;)

  89. ralphm


  90. ralphm

    sure is busy today

  91. Tobias

    The site's security certificate is not trusted! :D

  92. ralphm

    Tobias: I trust it

  93. ralphm

    so that's false

  94. Tobias

    honest achmet trusts it too, i suppose

  95. ralphm

    Tobias: I suppose the question is, who do you trust (more): me or a random list of CAs?

  96. Zash

    ralphm: Get you some DNSEC & DANE :)

  97. Tobias

    surely the random list of CAs.... :)

  98. Kev

    ralphm: How can we trust that the list of CA's is cryptographically random?

  99. Kev


  100. Tobias

    Key Chain lists them in a rather sorted, not random fashion

  101. intosi

    I trust that cert, but that might be because I also generated the key ;)

  102. Tobias

    intosi, are you sure it's the same key it was when you've generated it? :)

  103. intosi

    Tobias: fairly sure, yes.

  104. ralphm

    Kev: point.

  105. dwd

    Since the BBC has declared WhatsApp as an "incredibly useful" massaging service, should we ensure that everyone knows XMPP is a fully federated massaging service?

  106. Lloyd

    I think there might be a link between WhatsApp and XMPP too

  107. dwd

    Right, WhatsApp being like XMPP except less secure and generally screwed up.

  108. Zash

    "If you think WhatsApp is good, wait till you see a Proper XMPP Client"

  109. Lloyd

    None of the advantages and more of the mistakes

  110. Zash

    whenever that happens

  111. Lloyd

    We need to get Laura to spam all the blog posts / news stories with XMPP-aganda

  112. Ge0rG

    a massaging service is something I could need right now

  113. Ge0rG

    hey dwd, you wanted to do some major yaxim rebasing! :D

  114. intosi

    WhatsApp is to XMPP what fish fingers are to actual fish.

  115. fippo

    intonsi: tweet that!

  116. intosi

    Will do :)

  117. Ge0rG

    is the bad quality of fish fingers a widely-accepted fact among the tech community?

  118. ralphm

    Zash: I'm so good at waiting. Please make it happen.

  119. intosi


  120. intosi

    In any case it's fish morphed beyond recognition.

  121. Zash

    oh lawd https://raw.github.com/github/dmca/master/2014-02-12-WhatsApp.md

  122. ralphm

    intosi: WhatsApp is to XMPP what Chicken McNuggets™ are to chicken?

  123. intosi

    Same thing, really.

  124. ralphm

    I see a meme coming

  125. intosi

    Cut it up, batter it, deep fry, …, profit.

  126. intosi

    Where … probably is "let CMOT Dibbler convince people it's as good as saussage-in-a-bun"

  127. Zash

    Deep-fried XMPP

  128. Zash


  129. ralphm

    intosi: if it was only cut/batter/deep fry, it wouldn't be so bad

  130. ralphm

    in fact, I'd love using such a client

  131. intosi

    Call it Kibbeling.

  132. ralphm


  133. ralphm

    that's so cool on so many levels

  134. intosi


  135. intosi

    I know.

  136. ralphm

    For those that aren't Dutch speakers:

  137. ralphm

    Kibbeling is battered cob, but also the verb for, well, petty arguing

  138. Zash


  139. Kev

    Looking at the IETF89 mail, there's no Early-Bird for Day passes, is that right?

  140. ralphm

    Kev: I don't think so

  141. Kev

    You don't think it's right, or you don't think there's an early-bird for day passes?

  142. ralphm

    Of course Jabber is also etymologically dutch

  143. Kev

    But we don't hold that against it :)

  144. ralphm

    intosi: please make a great mobile client named Kibbeling

  145. dwd

    Kev, Are you an ISOC member?

  146. Kev

    I am not.

  147. dwd

    Kev, You could join ISOC, and the England Chapter (there's no Wales), and then turn up on Tuesday for free. :-)

  148. Kev

    Oh. That sounds like a cunning wheeze. ISOC member get free day passes, or ... ?

  149. dwd

    On Tuesday.

  150. Kev

    If only it was a day that's more useful to me...wait, no.

  151. fippo

    https://code.google.com/p/webrtc/issues/detail?id=2923#c3 -- i'm wondering if that makes me sad... but then, i don't think anyone every liked libjingle

  152. Kev

    Not the XMPP bits, I think.

  153. Kev

    I think lots of people like the bits that're going into webrtc.

  154. Kev

    I really do need to sort out webrtc/Jingle in Swift.

  155. waqas

    Did we have any jingle-webrtc spec yet?

  156. fippo

    waqas: we have all the bits required for voice/video. but the sdp mapping is in several specs

  157. waqas

    So if an XMPP client author wants to interop with other clients, what should they look at? Is other clients' code the best thing at the moment?

  158. fippo

    waqas: test with swift?

  159. waqas

    Kev just said that still needs sorting out

  160. fippo

    oh, webrtc related?

  161. waqas


  162. fippo

    https://github.com/legastero/jingle-interop-demos then -- the strophe is currently my preferred one

  163. fippo

    that will change next month though

  164. waqas


  165. waqas

    You will have your own next month?

  166. fippo

    nah, i'll steal stanzas jingle module from lance then

  167. fippo

    it looks like I need to update the interop demo thing to the proper 0338/0339 support though

  168. waqas

    Is there anything special these clients expect from the server? Jingle Relay Nodes support or anything like that?

  169. fippo

    mod_turncredentials is nice but for localhost-test or in the same network things should just work

  170. ralphm

    xnyhps: https://twitter.com/booleanvalue/status/436637700280422400

  171. ralphm

    It is interesting to read that people only now are starting to discover that Whatsapp is based on XMPP. And even though we might feel they messed it up royally, there are things to learn for us.

  172. stpeter

    ralphm: certainly

  173. ralphm

    I'd love seeing a mostly exact clone of whatsapp using standard XMPP protocols. I.e. similar easy of set up, identical feature set (not more), similar UI features. But federated. I'm not sure yet how to do some things (like magically having all your friends there if they also run the same app), though. Would be good to do that exercise.

  174. fippo

    ralphm: get enough VC...

  175. ralphm

    fippo: heh. well, at least maybe we could think about the feature set and if we can do that with existing protocol

  176. ralphm

    fippo: and figuring out contacts in federation context seems hard. In the centralized case, you can simply look up phone numbers.

  177. Zash

    Didn't someone do some research into privacy-aware "magically haivng all your friends there"

  178. ralphm

    I think I am bit worked up on all the myths around XMPP.

  179. ralphm

    Zash: I'd love to read papers on tht

  180. ralphm


  181. Zash