xnyhps: Their auth is a pile of stuff, including HTTP. Facebook too, btw.
Tobias: i thought FB was full on the MQTT train now
fippo: http://xmpp.org/2014/02/second-security-test-day/ <-- I don't get the 12.5% ... it's the percentage of servers that now requires encryption, right?
Ge0rG: fippo: I would suppose so... even though the wording in the blog post implies traffic, not servers
Simon: Still getting over the WhatsApp price. (works out at $40/user)
Simon considers selling off users on my family XMPP server.
Laura: Just wanted to share the meetup link for the London XMPPUK Meetup http://www.meetup.com/XMPP-UK-Meetup/
fippo: laura: you should prod lloyd about showing webrtcish stuff and invite https://twitter.com/disruptivedean/status/436063951932379136 :-)
Laura: fippo: Off to prod Lloyd
Kev: Laura: Thanks. I'd have thought a mail to some lists would probably be appropriate (unless you already have, and I missed it).
Laura: I am talking to Lloyd about lists to send to. I managed the XMPPUK mailing list, but something tells me Lloyd has others!
intosi: No doubt some lists we don't want to know about ;)
Lloyd: fippo: I'm probably not going to be able to attend this meetup. Will still be organising with Laura though.
fippo: lloyd: you don't need to get dean bubley to that particular meetup, just convince him that the xmpp meetup is where the cool webrtc stuff happens in london :-)
Simon: Get James Body there, and Dean Bubley will be in tow.
Lloyd: fippo: tweeted him about it. Thanks.
Ge0rG: are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas?
ralphm: xnyhps: have you ever looked into cryptocat?
xnyhps: I've looked over it, yes. Why?
Ge0rG: it's full of cats
ralphm: xnyhps: wondering how well it was made, security-wise and overall
Ge0rG: it's had a bunch of security issues in the past, but the developers promised to do it better
xnyhps: I only looked at it from the context of iq-spoofing, which they aren't vulnerable to, because they don't send any iqs except for IBR. I did report that the usage of an incrementing counter for iqs leaks information about yourself, and that was promptly fixed.
ralphm: are they involved with the XSF?
xnyhps: Don't think so
ralphm: I noticed they are working on a new protocol for groups, but it doesn't seem based on xmpp
xnyhps: Groups? You mean encrypted group chat?
Kev: "are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas?" (Ge0rG @ 10:51)
No, and clients should generally not do it, as it adds no value. The server has to overstamp it anyway.
xnyhps: They have an implementation of mpOTR, yes, but even in the OTR community it is still controversial.
Ge0rG: Kev: I'm currently working on http://issues.igniterealtime.org/browse/SMACK-538 - and I have a report from one person running ancient ejabberd (2.1.5 forked) that forwards presences without adding the from field, making some clients on the other side crash
Kev: Ge0rG: I wasn't aware that there was ever a server that broken.
Kev: It's very clear in the RFC that the server has to do this.
Ge0rG: Kev: me neither. But I need to triangulate that to have a strong argument against adding from=ownJID for conservative compliance reasons.
Kev: The strong argument is that if you get it slightly wrong, your server will start bouncing your messages, I think.
Ge0rG: whoops, that was the wrong SMACK issue. http://issues.igniterealtime.org/browse/SMACK-547 is right, sorry
xnyhps: Hm. It was mentioned in the original Pidgin security issue that started the iq spoofing thing that the 'from' could be spoofed too, but I didn't investigate that.
Kev: xnyhps: Spoofed in what way, though?
Ge0rG: Kev: as I read the spec, the server may not bounce if the from field is wrong
xnyhps: They weren't specific.
Kev: Servers either reject messages sent from the wrong JID, or overstamp the right one.
xnyhps: But it was suggested they could override it to anything.
ralphm: It is interesting to read that people only now are starting to discover that Whatsapp is based on XMPP. And even though we might feel they messed it up royally, there are things to learn for us.
ralphm: I'd love seeing a mostly exact clone of whatsapp using standard XMPP protocols. I.e. similar ease of set up, identical feature set (not more), similar UI features. But federated. I'm not sure yet how to do some things (like magically having all your friends there if they also run the same app), though. Would be good to do that exercise.
fippo: ralphm: get enough VC...
ralphm: fippo: heh. well, at least maybe we could think about the feature set and if we can do that with existing protocol
ralphm: fippo: and figuring out contacts in federation context seems hard. In the centralized case, you can simply look up phone numbers.
Zash: Didn't someone do some research into privacy-aware "magically having all your friends there"?
ralphm: I think I am a bit worked up on all the myths around XMPP.