XSF Discussion - 2014-02-20

Their auth is a pile of stuff, including HTTP. Facebook too, btw.

i thought FB was full on the MQTT train now

http://xmpp.org/2014/02/second-security-test-day/ <-- I don't get the 12.5% ... it's the percentage of servers that now requires encryption, right?

fippo: I would suppose so... even though the wording in the blog post implies traffic, not servers

Still getting over the WhatsApp price. (works out at $40/user)

Just wanted to share the meetup link for the London XMPPUK Meetup http://www.meetup.com/XMPP-UK-Meetup/

laura: you should prod lloyd about showing webrtcish stuff and invite https://twitter.com/disruptivedean/status/436063951932379136 :-)

fippo: Off to prod Lloyd

Laura: Thanks. I'd have thought a mail to some lists would probably be appropriate (unless you already have, and I missed it).

I am talking to Lloyd about lists to send to. I managed the XMPPUK mailing list, but something tells me Lloys has others!

No doubt some lists we don't want to know about ;)

Laura: Thanks.

aslso http://lanyrd.com/2014/xmppuk/

fippo: I'm probably not going to be able to attend this meetup. Will still be organising with Laura though.

lloyd: you don't need to get dean bubley to that particular meetup, just convince him that the xmpp meetup is where the cool webrtc stuff happens in london :-)

Get James Body there, and Dean Bubley will be in tow.

fippo: tweeted him about it. Thanks.

are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas?

xnyhps: have you ever looked into cryptocat?

I've looked over it, yes. Why?

it's full of cats

xnyhps: wondering how well it was made, security-wise and overall

it's had a bunch of security issues in the past, but the developers promised to do it better

I only looked at it from the context of iq-spoofing, which they aren't vulnerable to, because they don't send any iqs except for IBR. I did report that the usage of an incrementing counter for iqs leaks information about yourself, and that was promptly fixed.

are they involved with the XSF?

Don't think so

I noticed they are working on a new protocol for groups, but it doesn't seem based on xmpp

Groups? You mean encrypted group chat?

are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas? Ge0rG @ 10:51 No, and clients should generally not do it, as it adds no value. The server has to overstamp it anyway.

multiparty OTR

They have an implementation of mpOTR, yes, but even in the OTR community it is still controversial.

Kev: I'm currently working on http://issues.igniterealtime.org/browse/SMACK-538 - and I have a report from one person running ancient ejabberd (2.1.5 forked) that forwards presences without adding the from field, making some clients on the other side crash

Ge0rG: I wasn't aware that there was ever a server that broken.

It's very clear in the RFC that the server has to do this.

Kev: me neither. But I need to triangulate that to have a strong argument against adding from=ownJID for conservative compliance reasons.

The strong argument is that if you get it slightly wrong, your server will start bouncing your messages, I think.

whoops, that was the wrong SMACK issue. http://issues.igniterealtime.org/browse/SMACK-547 is right, sorry

Hm. It was mentioned in the original Pidgin security issue that started the iq spoofing thing that the 'from' could be spoofed too, but I didn't investigate that.

xnyhps: Spoofed in what way, though?

Kev: as I read the spec, the server may not bounce if the from field is wrong

They weren't specific.

Servers either reject messages sent from the wrong JID, or overstamp the right one.

But it was suggested they could override it to anything.

Kev: do you know servers that reject?

I would assume it is against the spec

https://tools.ietf.org/html/rfc6120#section-4.9.3.9

Kev: thanks very much

(But I agree that just reading 8.1.2.1 implies that you can't bounce a client trying to spoof other addresses)

so both behaviors are technically "right"?

I think the two bits of the RFC aren't entirely consistent - but yes, I would expect either to be right.

If a client starts trying to spoof 'from' addresses, it would seem sensible that a server can start rejecting the stanzas (or balefiring the user), to me.

This is sensible indeed. Though it might be just caused by a client failing the IDNA nodeprep of its resource string, or forgetting to add a resource to its JID

Which are good reasons for clients not to try to do this themselves, given that servers have to do it form them anyway.

lloyd: challenge accepted... :-p

seven cameras + four headsets

:)

Just got a user request for yaxim: "Please rebrand xmpp instant messaging to 'Xmpp Texting' To help people escape from mobile carrier sms texting extortion"

maybe XMPP needs a new fresh look?

XMPP Texting, XMPP IoT, XMPP Social, XMPP Video… All ™'d of course.

Naturally.

A real Internet of XMPP, or IoX™

I'm still not sure about using 'XMPP' for branding.

ralphm: what else? "Jabber"?

intosi: I like that. from ox to yaxs it is merely a small step

Ge0rG: Of course the Jabber trademark has some issues, but it can be licensed through the XSF.

Ge0rG: I personally like it a lot, some in our community don't. I can see that.

ralphm: to me, Jabber sounds old and un-snappy. Maybe it is because people often say "do not use that any more, use XMPP instead"

Ge0rG: but there is a reason I had the Jabber bean bag made. As a word, leaving the TM things aside, Jabber is way better for branding than XMPP ever will.

ralphm: +1

Ge0rG: yeah, there is a lot of confusion around it

Developers seem to talk about XMPP now. This is the discussion on Hackernews about WhatsApp - https://news.ycombinator.com/item?id=7266618 (Jabber: 1 XMPP: lots more)

they also talk about threema there. and what not.

Simon: yes. Developers is not the target audience for Whatsapp users.

ralphm: we could reinforce the "Jabber" term by naming the compliance suite accordingly

I wish it were... hundreds of millions of developers all over the world!

XMPP — Jabber is exactly like HTTP — Web

Ge0rG: oh, don't take me wrong, I think it is fine that devs talk about XMPP

Also, the figure of hundreds of millions of developers would mean that roughly 5% of the entire worlds' population is a developer. That seems a bit too much.

ralphm: sure. but a compliance badge would be something visible to end-users

ralphm: do not stomp onto my dreams!

ralphm: but now that there are RasPi's, every kid is a developer again, right?

intosi: do the math

with raspis, NAT and owncloud-everything, it is high time to mandate s2s-0198

ralphm: nah, it's more fun not doing it and imagining most kids around the world programming and creating stuff.

there are roughly 2 million Pis sold in total

ralphm: don't spoil my dream with proper facts and reason, please ;)

https://display.ik.nu/xmpp?max_items=20

sure is busy today

The site's security certificate is not trusted! :D

Tobias: I trust it

so that's false

honest achmet trusts it too, i suppose

Tobias: I suppose the question is, who do you trust (more): me or a random list of CAs?

ralphm: Get you some DNSEC & DANE :)

surely the random list of CAs.... :)

ralphm: How can we trust that the list of CA's is cryptographically random?

-'

Key Chain lists them in a rather sorted, not random fashion

I trust that cert, but that might be because I also generated the key ;)

intosi, are you sure it's the same key it was when you've generated it? :)

Tobias: fairly sure, yes.

Kev: point.

Since the BBC has declared WhatsApp as an "incredibly useful" massaging service, should we ensure that everyone knows XMPP is a fully federated massaging service?

I think there might be a link between WhatsApp and XMPP too

Right, WhatsApp being like XMPP except less secure and generally screwed up.

"If you think WhatsApp is good, wait till you see a Proper XMPP Client"

None of the advantages and more of the mistakes

whenever that happens

We need to get Laura to spam all the blog posts / news stories with XMPP-aganda

a massaging service is something I could need right now

hey dwd, you wanted to do some major yaxim rebasing! :D

WhatsApp is to XMPP what fish fingers are to actual fish.

intonsi: tweet that!

Will do :)

is the bad quality of fish fingers a widely-accepted fact among the tech community?

Zash: I'm so good at waiting. Please make it happen.

https://twitter.com/EdwinMons/status/436533610666270720

In any case it's fish morphed beyond recognition.

oh lawd https://raw.github.com/github/dmca/master/2014-02-12-WhatsApp.md

intosi: WhatsApp is to XMPP what Chicken McNuggets™ are to chicken?

Same thing, really.

I see a meme coming

Cut it up, batter it, deep fry, …, profit.

Where … probably is "let CMOT Dibbler convince people it's as good as saussage-in-a-bun"

Deep-fried XMPP

wut

intosi: if it was only cut/batter/deep fry, it wouldn't be so bad

in fact, I'd love using such a client

Call it Kibbeling.

WOAH

that's so cool on so many levels

:)

I know.

For those that aren't Dutch speakers:

Kibbeling is battered cob, but also the verb for, well, petty arguing

:D

Looking at the IETF89 mail, there's no Early-Bird for Day passes, is that right?

Kev: I don't think so

You don't think it's right, or you don't think there's an early-bird for day passes?

Of course Jabber is also etymologically dutch

But we don't hold that against it :)

intosi: please make a great mobile client named Kibbeling

Kev, Are you an ISOC member?

I am not.

Kev, You could join ISOC, and the England Chapter (there's no Wales), and then turn up on Tuesday for free. :-)

Oh. That sounds like a cunning wheeze. ISOC member get free day passes, or ... ?

On Tuesday.

If only it was a day that's more useful to me...wait, no.

https://code.google.com/p/webrtc/issues/detail?id=2923#c3 -- i'm wondering if that makes me sad... but then, i don't think anyone every liked libjingle

Not the XMPP bits, I think.

I think lots of people like the bits that're going into webrtc.

I really do need to sort out webrtc/Jingle in Swift.

Did we have any jingle-webrtc spec yet?

waqas: we have all the bits required for voice/video. but the sdp mapping is in several specs

So if an XMPP client author wants to interop with other clients, what should they look at? Is other clients' code the best thing at the moment?

waqas: test with swift?

Kev just said that still needs sorting out

oh, webrtc related?

Yes

https://github.com/legastero/jingle-interop-demos then -- the strophe is currently my preferred one

that will change next month though

Thanks

You will have your own next month?

nah, i'll steal stanzas jingle module from lance then

it looks like I need to update the interop demo thing to the proper 0338/0339 support though

Is there anything special these clients expect from the server? Jingle Relay Nodes support or anything like that?

mod_turncredentials is nice but for localhost-test or in the same network things should just work

xnyhps: https://twitter.com/booleanvalue/status/436637700280422400

It is interesting to read that people only now are starting to discover that Whatsapp is based on XMPP. And even though we might feel they messed it up royally, there are things to learn for us.

ralphm: certainly

I'd love seeing a mostly exact clone of whatsapp using standard XMPP protocols. I.e. similar easy of set up, identical feature set (not more), similar UI features. But federated. I'm not sure yet how to do some things (like magically having all your friends there if they also run the same app), though. Would be good to do that exercise.

ralphm: get enough VC...

fippo: heh. well, at least maybe we could think about the feature set and if we can do that with existing protocol

fippo: and figuring out contacts in federation context seems hard. In the centralized case, you can simply look up phone numbers.

Didn't someone do some research into privacy-aware "magically haivng all your friends there"

I think I am bit worked up on all the myths around XMPP.

Zash: I'd love to read papers on tht

that

http://mail.jabber.org/pipermail/standards/2013-February/027060.html