XSF Discussion - 2014-02-20

  1. xnyhps Their auth is a pile of stuff, including HTTP. Facebook too, btw.
  2. Tobias i thought FB was full on the MQTT train now
  3. waqas has left
  4. Jef has left
  5. Link Mauve has joined
  6. waqas has joined
  7. Neustradamus has left
  8. Neustradamus has joined
  9. Lance has joined
  10. Neustradamus has left
  11. Santiago26 has left
  12. Lance has joined
  13. Neustradamus has joined
  14. jabberjocke has left
  15. Lance has joined
  16. Tobias has left
  17. waqas has left
  18. Lance has joined
  19. emcho has left
  20. waqas has joined
  21. Lance has joined
  22. Lance has joined
  23. Lance has left
  24. stpeter has left
  25. Tobias has left
  26. Lance has joined
  27. Lance has left
  28. waqas has left
  29. Lance has joined
  30. Lance has left
  31. fippo http://xmpp.org/2014/02/second-security-test-day/ <-- I don't get the 12.5% ... it's the percentage of servers that now requires encryption, right?
  32. Simon has joined
  33. emcho has joined
  34. emcho has left
  35. emcho has joined
  36. emcho has left
  37. Link Mauve has joined
  38. emcho has joined
  39. Lance has joined
  40. Alex has joined
  41. emcho has left
  42. emcho has joined
  43. Ge0rG fippo: I would suppose so... even though the wording in the blog post implies traffic, not servers
  44. Lance has joined
  45. Simon Still getting over the WhatsApp price. (works out at $40/user)
  46. Laura has joined
  47. Simon considers selling off users on my family XMPP server.
  48. Jef has joined
  49. Laura Just wanted to share the meetup link for the London XMPPUK Meetup http://www.meetup.com/XMPP-UK-Meetup/
  50. fippo laura: you should prod lloyd about showing webrtcish stuff and invite https://twitter.com/disruptivedean/status/436063951932379136 :-)
  51. Laura fippo: Off to prod Lloyd
  52. Kev Laura: Thanks. I'd have thought a mail to some lists would probably be appropriate (unless you already have, and I missed it).
  53. Zash has joined
  54. Laura I am talking to Lloyd about lists to send to. I managed the XMPPUK mailing list, but something tells me Lloyd has others!
  55. intosi No doubt some lists we don't want to know about ;)
  56. Lloyd has joined
  57. Kev Laura: Thanks.
  58. Lloyd also http://lanyrd.com/2014/xmppuk/
  59. Lloyd fippo: I'm probably not going to be able to attend this meetup. Will still be organising with Laura though.
  60. Jef has left
  61. fippo lloyd: you don't need to get dean bubley to that particular meetup, just convince him that the xmpp meetup is where the cool webrtc stuff happens in london :-)
  62. Simon Get James Body there, and Dean Bubley will be in tow.
  63. Lloyd fippo: tweeted him about it. Thanks.
  64. Ge0rG are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas?
  65. ralphm xnyhps: have you ever looked into cryptocat?
  66. xnyhps I've looked over it, yes. Why?
  67. Ge0rG it's full of cats
  68. ralphm xnyhps: wondering how well it was made, security-wise and overall
  69. Ge0rG it's had a bunch of security issues in the past, but the developers promised to do it better
  70. xnyhps I only looked at it from the context of iq-spoofing, which they aren't vulnerable to, because they don't send any iqs except for IBR. I did report that the usage of an incrementing counter for iqs leaks information about yourself, and that was promptly fixed.
  71. ralphm are they involved with the XSF?
  72. xnyhps Don't think so
  73. ralphm I noticed they are working on a new protocol for groups, but it doesn't seem based on xmpp
  74. xnyhps Groups? You mean encrypted group chat?
  75. Kev "are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas?" (Ge0rG @ 10:51) No, and clients should generally not do it, as it adds no value. The server has to overstamp it anyway.
  76. Tobias multiparty OTR
  77. xnyhps They have an implementation of mpOTR, yes, but even in the OTR community it is still controversial.
  78. Ge0rG Kev: I'm currently working on http://issues.igniterealtime.org/browse/SMACK-538 - and I have a report from one person running ancient ejabberd (2.1.5 forked) that forwards presences without adding the from field, making some clients on the other side crash
  79. Kev Ge0rG: I wasn't aware that there was ever a server that broken.
  80. Kev It's very clear in the RFC that the server has to do this.
  81. Ge0rG Kev: me neither. But I need to triangulate that to have a strong argument against adding from=ownJID for conservative compliance reasons.
  82. Kev The strong argument is that if you get it slightly wrong, your server will start bouncing your messages, I think.
  83. Ge0rG whoops, that was the wrong SMACK issue. http://issues.igniterealtime.org/browse/SMACK-547 is right, sorry
  84. xnyhps Hm. It was mentioned in the original Pidgin security issue that started the iq spoofing thing that the 'from' could be spoofed too, but I didn't investigate that.
  85. Kev xnyhps: Spoofed in what way, though?
  86. Ge0rG Kev: as I read the spec, the server may not bounce if the from field is wrong
  87. xnyhps They weren't specific.
  88. Kev Servers either reject messages sent from the wrong JID, or overstamp the right one.
  89. xnyhps But it was suggested they could override it to anything.
  90. Ge0rG Kev: do you know servers that reject?
  91. Ge0rG I would assume it is against the spec
  92. Kev https://tools.ietf.org/html/rfc6120#section-
  93. Ge0rG Kev: thanks very much
  94. Kev (But I agree that just reading implies that you can't bounce a client trying to spoof other addresses)
  95. Ge0rG so both behaviors are technically "right"?
  96. Kev I think the two bits of the RFC aren't entirely consistent - but yes, I would expect either to be right.
  97. Kev If a client starts trying to spoof 'from' addresses, it would seem sensible that a server can start rejecting the stanzas (or balefiring the user), to me.
  98. Ge0rG This is sensible indeed. Though it might be just caused by a client failing the IDNA nodeprep of its resource string, or forgetting to add a resource to its JID
  99. Kev Which are good reasons for clients not to try to do this themselves, given that servers have to do it for them anyway.
  100. Tobias has joined
  101. emcho has left
  102. emcho has joined
  103. emcho has left
  104. Lance has joined
  105. fippo lloyd: challenge accepted... :-p
  106. fippo seven cameras + four headsets
  107. Lloyd :)
  108. Jef has joined
  109. Tobias has joined
  110. Tobias has left
  111. Tobias has joined
  112. Ge0rG Just got a user request for yaxim: "Please rebrand xmpp instant messaging to 'Xmpp Texting' To help people escape from mobile carrier sms texting extortion"
  113. Ge0rG maybe XMPP needs a new fresh look?
  114. Zash has joined
  115. Simon XMPP Texting, XMPP IoT, XMPP Social, XMPP Video… All ™'d of course.
  116. Simon has left
  117. Simon has joined
  118. intosi Naturally.
  119. intosi A real Internet of XMPP, or IoX™
  120. ralphm I'm still not sure about using 'XMPP' for branding.
  121. Ge0rG ralphm: what else? "Jabber"?
  122. Ge0rG intosi: I like that. from ox to yaxs it is merely a small step
  123. waqas has joined
  124. ralphm Ge0rG: Of course the Jabber trademark has some issues, but it can be licensed through the XSF.
  125. ralphm Ge0rG: I personally like it a lot, some in our community don't. I can see that.
  126. Zash has joined
  127. Ge0rG ralphm: to me, Jabber sounds old and un-snappy. Maybe it is because people often say "do not use that any more, use XMPP instead"
  128. ralphm Ge0rG: but there is a reason I had the Jabber bean bag made. As a word, leaving the TM things aside, Jabber is way better for branding than XMPP ever will.
  129. Ge0rG ralphm: +1
  130. ralphm Ge0rG: yeah, there is a lot of confusion around it
  131. Simon Developers seem to talk about XMPP now. This is the discussion on Hackernews about WhatsApp - https://news.ycombinator.com/item?id=7266618 (Jabber: 1 XMPP: lots more)
  132. Ge0rG they also talk about threema there. and what not.
  133. Simon googles threema
  134. ralphm Simon: yes. Developers is not the target audience for Whatsapp users.
  135. Ge0rG ralphm: we could reinforce the "Jabber" term by naming the compliance suite accordingly
  136. Ge0rG I wish it were... hundreds of millions of developers all over the world!
  137. ralphm XMPP — Jabber is exactly like HTTP — Web
  138. ralphm Ge0rG: oh, don't take me wrong, I think it is fine that devs talk about XMPP
  139. ralphm Also, the figure of hundreds of millions of developers would mean that roughly 5% of the entire world's population is a developer. That seems a bit too much.
  140. Ge0rG ralphm: sure. but a compliance badge would be something visible to end-users
  141. Ge0rG ralphm: do not stomp onto my dreams!
  142. intosi ralphm: but now that there are RasPi's, every kid is a developer again, right?
  143. ralphm intosi: do the math
  144. Ge0rG with raspis, NAT and owncloud-everything, it is high time to mandate s2s-0198
  145. intosi ralphm: nah, it's more fun not doing it and imagining most kids around the world programming and creating stuff.
  146. ralphm there are roughly 2 million Pis sold in total
  147. intosi ralphm: don't spoil my dream with proper facts and reason, please ;)
  148. Lance has joined
  149. emcho has joined
  150. Lance has joined
  151. Maranda has joined
  152. Simon has left
  153. bear has joined
  154. Simon has joined
  155. ralphm https://display.ik.nu/xmpp?max_items=20
  156. ralphm sure is busy today
  157. Tobias The site's security certificate is not trusted! :D
  158. ralphm Tobias: I trust it
  159. ralphm so that's false
  160. Tobias honest achmet trusts it too, i suppose
  161. ralphm Tobias: I suppose the question is, who do you trust (more): me or a random list of CAs?
  162. Zash ralphm: Get you some DNSSEC & DANE :)
  163. Tobias surely the random list of CAs.... :)
  164. Kev ralphm: How can we trust that the list of CA's is cryptographically random?
  165. Kev -'
  166. Tobias Key Chain lists them in a rather sorted, not random fashion
  167. intosi I trust that cert, but that might be because I also generated the key ;)
  168. Tobias intosi, are you sure it's the same key it was when you've generated it? :)
  169. Simon has left
  170. intosi Tobias: fairly sure, yes.
  171. bear has left
  172. waqas has left
  173. emcho has left
  174. emcho has joined
  175. ralphm Kev: point.
  176. Lance has joined
  177. waqas has joined
  178. m&m has joined
  179. waqas has left
  180. Lance has joined
  181. Zash has left
  182. Maranda has left
  183. emcho has left
  184. emcho has joined
  185. waqas has joined
  186. Zash has joined
  187. dwd Since the BBC has declared WhatsApp as an "incredibly useful" massaging service, should we ensure that everyone knows XMPP is a fully federated massaging service?
  188. Lloyd I think there might be a link between WhatsApp and XMPP too
  189. dwd Right, WhatsApp being like XMPP except less secure and generally screwed up.
  190. Zash "If you think WhatsApp is good, wait till you see a Proper XMPP Client"
  191. Lloyd None of the advantages and more of the mistakes
  192. Zash whenever that happens
  193. Lloyd We need to get Laura to spam all the blog posts / news stories with XMPP-aganda
  194. Ge0rG a massaging service is something I could need right now
  195. Ge0rG hey dwd, you wanted to do some major yaxim rebasing! :D
  196. intosi WhatsApp is to XMPP what fish fingers are to actual fish.
  197. fippo intosi: tweet that!
  198. intosi Will do :)
  199. Ge0rG is the bad quality of fish fingers a widely-accepted fact among the tech community?
  200. ralphm Zash: I'm so good at waiting. Please make it happen.
  201. intosi https://twitter.com/EdwinMons/status/436533610666270720
  202. intosi In any case it's fish morphed beyond recognition.
  203. Zash oh lawd https://raw.github.com/github/dmca/master/2014-02-12-WhatsApp.md
  204. ralphm intosi: WhatsApp is to XMPP what Chicken McNuggets™ are to chicken?
  205. intosi Same thing, really.
  206. ralphm I see a meme coming
  207. intosi Cut it up, batter it, deep fry, …, profit.
  208. intosi Where … probably is "let CMOT Dibbler convince people it's as good as sausage-in-a-bun"
  209. Zash Deep-fried XMPP
  210. Zash wut
  211. ralphm intosi: if it was only cut/batter/deep fry, it wouldn't be so bad
  212. ralphm in fact, I'd love using such a client
  213. intosi Call it Kibbeling.
  214. ralphm WOAH
  215. ralphm that's so cool on so many levels
  216. intosi :)
  217. intosi I know.
  218. ralphm For those that aren't Dutch speakers:
  219. ralphm Kibbeling is battered cob, but also the verb for, well, petty arguing
  220. Zash :D
  221. Kev Looking at the IETF89 mail, there's no Early-Bird for Day passes, is that right?
  222. emcho has left
  223. ralphm Kev: I don't think so
  224. Kev You don't think it's right, or you don't think there's an early-bird for day passes?
  225. ralphm Of course Jabber is also etymologically dutch
  226. Kev But we don't hold that against it :)
  227. emcho has joined
  228. ralphm intosi: please make a great mobile client named Kibbeling
  229. dwd Kev, Are you an ISOC member?
  230. Kev I am not.
  231. dwd Kev, You could join ISOC, and the England Chapter (there's no Wales), and then turn up on Tuesday for free. :-)
  232. Kev Oh. That sounds like a cunning wheeze. ISOC member get free day passes, or ... ?
  233. dwd On Tuesday.
  234. Kev If only it was a day that's more useful to me...wait, no.
  235. stpeter has joined
  236. Lance has joined
  237. Maranda has joined
  238. dezant has joined
  239. m&m has left
  240. m&m has joined
  241. Lance has joined
  242. Tobias has left
  243. m&m has left
  244. m&m has joined
  245. m&m has left
  246. m&m has joined
  247. fsteinel has joined
  248. emcho has left
  249. Emil Ivov has joined
  250. fsteinel has left
  251. Lance has joined
  252. Laura has left
  253. Lance has joined
  254. ralphm has left
  255. Tobias has joined
  256. Lance has joined
  257. Lance has left
  258. Emil Ivov has left
  259. Tobias has left
  260. Tobias has joined
  261. joakim eriksson has joined
  262. Maranda has left
  263. joakim eriksson has left
  264. m&m has left
  265. emcho has joined
  266. bear has joined
  267. Santiago26 has joined
  268. waqas has left
  269. waqas has joined
  270. jabberjocke has joined
  271. Santiago26 has left
  272. emcho has left
  273. emcho has joined
  274. fippo https://code.google.com/p/webrtc/issues/detail?id=2923#c3 -- i'm wondering if that makes me sad... but then, i don't think anyone ever liked libjingle
  275. Kev Not the XMPP bits, I think.
  276. Kev I think lots of people like the bits that're going into webrtc.
  277. Kev I really do need to sort out webrtc/Jingle in Swift.
  278. waqas Did we have any jingle-webrtc spec yet?
  279. emcho has left
  280. fippo waqas: we have all the bits required for voice/video. but the sdp mapping is in several specs
  281. Emil Ivov has joined
  282. waqas So if an XMPP client author wants to interop with other clients, what should they look at? Is other clients' code the best thing at the moment?
  283. fippo waqas: test with swift?
  284. waqas Kev just said that still needs sorting out
  285. fippo oh, webrtc related?
  286. waqas Yes
  287. fippo https://github.com/legastero/jingle-interop-demos then -- the strophe is currently my preferred one
  288. fippo that will change next month though
  289. waqas Thanks
  290. waqas You will have your own next month?
  291. fippo nah, i'll steal stanzas jingle module from lance then
  292. fippo it looks like I need to update the interop demo thing to the proper 0338/0339 support though
  293. waqas Is there anything special these clients expect from the server? Jingle Relay Nodes support or anything like that?
  294. fippo mod_turncredentials is nice but for localhost-test or in the same network things should just work
  295. Lloyd has left
  296. Alex has left
  297. stpeter has left
  298. Emil Ivov has left
  299. emcho has joined
  300. emcho has left
  301. emcho has joined
  302. stpeter has joined
  303. ralphm xnyhps: https://twitter.com/booleanvalue/status/436637700280422400
  304. ralphm It is interesting to read that people only now are starting to discover that Whatsapp is based on XMPP. And even though we might feel they messed it up royally, there are things to learn for us.
  305. stpeter ralphm: certainly
  306. ralphm I'd love seeing a mostly exact clone of whatsapp using standard XMPP protocols. I.e. similar ease of set up, identical feature set (not more), similar UI features. But federated. I'm not sure yet how to do some things (like magically having all your friends there if they also run the same app), though. Would be good to do that exercise.
  307. Maranda has joined
  308. fippo ralphm: get enough VC...
  309. ralphm fippo: heh. well, at least maybe we could think about the feature set and if we can do that with existing protocol
  310. ralphm fippo: and figuring out contacts in federation context seems hard. In the centralized case, you can simply look up phone numbers.
  311. Zash Didn't someone do some research into privacy-aware "magically having all your friends there"
  312. ralphm I think I am a bit worked up on all the myths around XMPP.
  313. ralphm Zash: I'd love to read papers on tht
  314. ralphm that
  315. Zash http://mail.jabber.org/pipermail/standards/2013-February/027060.html