XSF Discussion - 2014-02-20

  1. xnyhps

    Their auth is a pile of stuff, including HTTP. Facebook too, btw.

  2. Tobias

    i thought FB was full on the MQTT train now

  3. waqas has left

  4. Jef has left

  5. Link Mauve has joined

  6. waqas has joined

  7. Neustradamus has left

  8. Neustradamus has joined

  9. Lance has joined

  10. Neustradamus has left

  11. Santiago26 has left

  12. Lance has joined

  13. Neustradamus has joined

  14. jabberjocke has left

  15. Lance has joined

  16. Tobias has left

  17. waqas has left

  18. Lance has joined

  19. emcho has left

  20. waqas has joined

  21. Lance has joined

  22. Lance has joined

  23. Lance has left

  24. stpeter has left

  25. Tobias has left

  26. Lance has joined

  27. Lance has left

  28. waqas has left

  29. Lance has joined

  30. Lance has left

  31. fippo

    http://xmpp.org/2014/02/second-security-test-day/ <-- I don't get the 12.5% ... it's the percentage of servers that now requires encryption, right?

  32. Simon has joined

  33. emcho has joined

  34. emcho has left

  35. emcho has joined

  36. emcho has left

  37. Link Mauve has joined

  38. emcho has joined

  39. Lance has joined

  40. Alex has joined

  41. emcho has left

  42. emcho has joined

  43. Ge0rG

    fippo: I would suppose so... even though the wording in the blog post implies traffic, not servers

  44. Lance has joined

  45. Simon

    Still getting over the WhatsApp price. (works out at $40/user)

  46. Laura has joined

  47. Simon considers selling off users on my family XMPP server.

  48. Jef has joined

  49. Laura

    Just wanted to share the meetup link for the London XMPPUK Meetup http://www.meetup.com/XMPP-UK-Meetup/

  50. fippo

    laura: you should prod lloyd about showing webrtcish stuff and invite https://twitter.com/disruptivedean/status/436063951932379136 :-)

  51. Laura

    fippo: Off to prod Lloyd

  52. Kev

    Laura: Thanks. I'd have thought a mail to some lists would probably be appropriate (unless you already have, and I missed it).

  53. Zash has joined

  54. Laura

    I am talking to Lloyd about lists to send to. I managed the XMPPUK mailing list, but something tells me Lloys has others!

  55. intosi

    No doubt some lists we don't want to know about ;)

  56. Lloyd has joined

  57. Kev

    Laura: Thanks.

  58. Lloyd

    aslso http://lanyrd.com/2014/xmppuk/

  59. Lloyd

    fippo: I'm probably not going to be able to attend this meetup. Will still be organising with Laura though.

  60. Jef has left

  61. fippo

    lloyd: you don't need to get dean bubley to that particular meetup, just convince him that the xmpp meetup is where the cool webrtc stuff happens in london :-)

  62. Simon

    Get James Body there, and Dean Bubley will be in tow.

  63. Lloyd

    fippo: tweeted him about it. Thanks.

  64. Ge0rG

    are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas?

  65. ralphm

    xnyhps: have you ever looked into cryptocat?

  66. xnyhps

    I've looked over it, yes. Why?

  67. Ge0rG

    it's full of cats

  68. ralphm

    xnyhps: wondering how well it was made, security-wise and overall

  69. Ge0rG

    it's had a bunch of security issues in the past, but the developers promised to do it better

  70. xnyhps

    I only looked at it from the context of iq-spoofing, which they aren't vulnerable to, because they don't send any iqs except for IBR. I did report that the usage of an incrementing counter for iqs leaks information about yourself, and that was promptly fixed.

  71. ralphm

    are they involved with the XSF?

  72. xnyhps

    Don't think so

  73. ralphm

    I noticed they are working on a new protocol for groups, but it doesn't seem based on xmpp

  74. xnyhps

    Groups? You mean encrypted group chat?

  75. Kev

    are there any known xmpp servers that break if a client does not set the from attribute on outgoing message or presence stanzas? Ge0rG @ 10:51 No, and clients should generally not do it, as it adds no value. The server has to overstamp it anyway.

  76. Tobias

    multiparty OTR

  77. xnyhps

    They have an implementation of mpOTR, yes, but even in the OTR community it is still controversial.

  78. Ge0rG

    Kev: I'm currently working on http://issues.igniterealtime.org/browse/SMACK-538 - and I have a report from one person running ancient ejabberd (2.1.5 forked) that forwards presences without adding the from field, making some clients on the other side crash

  79. Kev

    Ge0rG: I wasn't aware that there was ever a server that broken.

  80. Kev

    It's very clear in the RFC that the server has to do this.

  81. Ge0rG

    Kev: me neither. But I need to triangulate that to have a strong argument against adding from=ownJID for conservative compliance reasons.

  82. Kev

    The strong argument is that if you get it slightly wrong, your server will start bouncing your messages, I think.

  83. Ge0rG

    whoops, that was the wrong SMACK issue. http://issues.igniterealtime.org/browse/SMACK-547 is right, sorry

  84. xnyhps

    Hm. It was mentioned in the original Pidgin security issue that started the iq spoofing thing that the 'from' could be spoofed too, but I didn't investigate that.

  85. Kev

    xnyhps: Spoofed in what way, though?

  86. Ge0rG

    Kev: as I read the spec, the server may not bounce if the from field is wrong

  87. xnyhps

    They weren't specific.

  88. Kev

    Servers either reject messages sent from the wrong JID, or overstamp the right one.

  89. xnyhps

    But it was suggested they could override it to anything.

  90. Ge0rG

    Kev: do you know servers that reject?

  91. Ge0rG

    I would assume it is against the spec

  92. Kev


  93. Ge0rG

    Kev: thanks very much

  94. Kev

    (But I agree that just reading implies that you can't bounce a client trying to spoof other addresses)

  95. Ge0rG

    so both behaviors are technically "right"?

  96. Kev

    I think the two bits of the RFC aren't entirely consistent - but yes, I would expect either to be right.

  97. Kev

    If a client starts trying to spoof 'from' addresses, it would seem sensible that a server can start rejecting the stanzas (or balefiring the user), to me.

  98. Ge0rG

    This is sensible indeed. Though it might be just caused by a client failing the IDNA nodeprep of its resource string, or forgetting to add a resource to its JID

  99. Kev

    Which are good reasons for clients not to try to do this themselves, given that servers have to do it form them anyway.

  100. Tobias has joined

  101. emcho has left

  102. emcho has joined

  103. emcho has left

  104. Lance has joined

  105. fippo

    lloyd: challenge accepted... :-p

  106. fippo

    seven cameras + four headsets

  107. Lloyd


  108. Jef has joined

  109. Tobias has joined

  110. Tobias has left

  111. Tobias has joined

  112. Ge0rG

    Just got a user request for yaxim: "Please rebrand xmpp instant messaging to 'Xmpp Texting' To help people escape from mobile carrier sms texting extortion"

  113. Ge0rG

    maybe XMPP needs a new fresh look?

  114. Zash has joined

  115. Simon

    XMPP Texting, XMPP IoT, XMPP Social, XMPP Video… All ™'d of course.

  116. Simon has left

  117. Simon has joined

  118. intosi


  119. intosi

    A real Internet of XMPP, or IoX™

  120. ralphm

    I'm still not sure about using 'XMPP' for branding.

  121. Ge0rG

    ralphm: what else? "Jabber"?

  122. Ge0rG

    intosi: I like that. from ox to yaxs it is merely a small step

  123. waqas has joined

  124. ralphm

    Ge0rG: Of course the Jabber trademark has some issues, but it can be licensed through the XSF.

  125. ralphm

    Ge0rG: I personally like it a lot, some in our community don't. I can see that.

  126. Zash has joined

  127. Ge0rG

    ralphm: to me, Jabber sounds old and un-snappy. Maybe it is because people often say "do not use that any more, use XMPP instead"

  128. ralphm

    Ge0rG: but there is a reason I had the Jabber bean bag made. As a word, leaving the TM things aside, Jabber is way better for branding than XMPP ever will.

  129. Ge0rG

    ralphm: +1

  130. ralphm

    Ge0rG: yeah, there is a lot of confusion around it

  131. Simon

    Developers seem to talk about XMPP now. This is the discussion on Hackernews about WhatsApp - https://news.ycombinator.com/item?id=7266618 (Jabber: 1 XMPP: lots more)

  132. Ge0rG

    they also talk about threema there. and what not.

  133. Simon googles threema

  134. ralphm

    Simon: yes. Developers is not the target audience for Whatsapp users.

  135. Ge0rG

    ralphm: we could reinforce the "Jabber" term by naming the compliance suite accordingly

  136. Ge0rG

    I wish it were... hundreds of millions of developers all over the world!

  137. ralphm

    XMPP — Jabber is exactly like HTTP — Web

  138. ralphm

    Ge0rG: oh, don't take me wrong, I think it is fine that devs talk about XMPP

  139. ralphm

    Also, the figure of hundreds of millions of developers would mean that roughly 5% of the entire worlds' population is a developer. That seems a bit too much.

  140. Ge0rG

    ralphm: sure. but a compliance badge would be something visible to end-users

  141. Ge0rG

    ralphm: do not stomp onto my dreams!

  142. intosi

    ralphm: but now that there are RasPi's, every kid is a developer again, right?

  143. ralphm

    intosi: do the math

  144. Ge0rG

    with raspis, NAT and owncloud-everything, it is high time to mandate s2s-0198

  145. intosi

    ralphm: nah, it's more fun not doing it and imagining most kids around the world programming and creating stuff.

  146. ralphm

    there are roughly 2 million Pis sold in total

  147. intosi

    ralphm: don't spoil my dream with proper facts and reason, please ;)

  148. Lance has joined

  149. emcho has joined

  150. Lance has joined

  151. Maranda has joined

  152. Simon has left

  153. bear has joined

  154. Simon has joined

  155. ralphm


  156. ralphm

    sure is busy today

  157. Tobias

    The site's security certificate is not trusted! :D

  158. ralphm

    Tobias: I trust it

  159. ralphm

    so that's false

  160. Tobias

    honest achmet trusts it too, i suppose

  161. ralphm

    Tobias: I suppose the question is, who do you trust (more): me or a random list of CAs?

  162. Zash

    ralphm: Get you some DNSEC & DANE :)

  163. Tobias

    surely the random list of CAs.... :)

  164. Kev

    ralphm: How can we trust that the list of CA's is cryptographically random?

  165. Kev


  166. Tobias

    Key Chain lists them in a rather sorted, not random fashion

  167. intosi

    I trust that cert, but that might be because I also generated the key ;)

  168. Tobias

    intosi, are you sure it's the same key it was when you've generated it? :)

  169. Simon has left

  170. intosi

    Tobias: fairly sure, yes.

  171. bear has left

  172. waqas has left

  173. emcho has left

  174. emcho has joined

  175. ralphm

    Kev: point.

  176. Lance has joined

  177. waqas has joined

  178. m&m has joined

  179. waqas has left

  180. Lance has joined

  181. Zash has left

  182. Maranda has left

  183. emcho has left

  184. emcho has joined

  185. waqas has joined

  186. Zash has joined

  187. dwd

    Since the BBC has declared WhatsApp as an "incredibly useful" massaging service, should we ensure that everyone knows XMPP is a fully federated massaging service?

  188. Lloyd

    I think there might be a link between WhatsApp and XMPP too

  189. dwd

    Right, WhatsApp being like XMPP except less secure and generally screwed up.

  190. Zash

    "If you think WhatsApp is good, wait till you see a Proper XMPP Client"

  191. Lloyd

    None of the advantages and more of the mistakes

  192. Zash

    whenever that happens

  193. Lloyd

    We need to get Laura to spam all the blog posts / news stories with XMPP-aganda

  194. Ge0rG

    a massaging service is something I could need right now

  195. Ge0rG

    hey dwd, you wanted to do some major yaxim rebasing! :D

  196. intosi

    WhatsApp is to XMPP what fish fingers are to actual fish.

  197. fippo

    intonsi: tweet that!

  198. intosi

    Will do :)

  199. Ge0rG

    is the bad quality of fish fingers a widely-accepted fact among the tech community?

  200. ralphm

    Zash: I'm so good at waiting. Please make it happen.

  201. intosi


  202. intosi

    In any case it's fish morphed beyond recognition.

  203. Zash

    oh lawd https://raw.github.com/github/dmca/master/2014-02-12-WhatsApp.md

  204. ralphm

    intosi: WhatsApp is to XMPP what Chicken McNuggets™ are to chicken?

  205. intosi

    Same thing, really.

  206. ralphm

    I see a meme coming

  207. intosi

    Cut it up, batter it, deep fry, …, profit.

  208. intosi

    Where … probably is "let CMOT Dibbler convince people it's as good as saussage-in-a-bun"

  209. Zash

    Deep-fried XMPP

  210. Zash


  211. ralphm

    intosi: if it was only cut/batter/deep fry, it wouldn't be so bad

  212. ralphm

    in fact, I'd love using such a client

  213. intosi

    Call it Kibbeling.

  214. ralphm


  215. ralphm

    that's so cool on so many levels

  216. intosi


  217. intosi

    I know.

  218. ralphm

    For those that aren't Dutch speakers:

  219. ralphm

    Kibbeling is battered cob, but also the verb for, well, petty arguing

  220. Zash


  221. Kev

    Looking at the IETF89 mail, there's no Early-Bird for Day passes, is that right?

  222. emcho has left

  223. ralphm

    Kev: I don't think so

  224. Kev

    You don't think it's right, or you don't think there's an early-bird for day passes?

  225. ralphm

    Of course Jabber is also etymologically dutch

  226. Kev

    But we don't hold that against it :)

  227. emcho has joined

  228. ralphm

    intosi: please make a great mobile client named Kibbeling

  229. dwd

    Kev, Are you an ISOC member?

  230. Kev

    I am not.

  231. dwd

    Kev, You could join ISOC, and the England Chapter (there's no Wales), and then turn up on Tuesday for free. :-)

  232. Kev

    Oh. That sounds like a cunning wheeze. ISOC member get free day passes, or ... ?

  233. dwd

    On Tuesday.

  234. Kev

    If only it was a day that's more useful to me...wait, no.

  235. stpeter has joined

  236. Lance has joined

  237. Maranda has joined

  238. dezant has joined

  239. m&m has left

  240. m&m has joined

  241. Lance has joined

  242. Tobias has left

  243. m&m has left

  244. m&m has joined

  245. m&m has left

  246. m&m has joined

  247. fsteinel has joined

  248. emcho has left

  249. Emil Ivov has joined

  250. fsteinel has left

  251. Lance has joined

  252. Laura has left

  253. Lance has joined

  254. ralphm has left

  255. Tobias has joined

  256. Lance has joined

  257. Lance has left

  258. Emil Ivov has left

  259. Tobias has left

  260. Tobias has joined

  261. joakim eriksson has joined

  262. Maranda has left

  263. joakim eriksson has left

  264. m&m has left

  265. emcho has joined

  266. bear has joined

  267. Santiago26 has joined

  268. waqas has left

  269. waqas has joined

  270. jabberjocke has joined

  271. Santiago26 has left

  272. emcho has left

  273. emcho has joined

  274. fippo

    https://code.google.com/p/webrtc/issues/detail?id=2923#c3 -- i'm wondering if that makes me sad... but then, i don't think anyone every liked libjingle

  275. Kev

    Not the XMPP bits, I think.

  276. Kev

    I think lots of people like the bits that're going into webrtc.

  277. Kev

    I really do need to sort out webrtc/Jingle in Swift.

  278. waqas

    Did we have any jingle-webrtc spec yet?

  279. emcho has left

  280. fippo

    waqas: we have all the bits required for voice/video. but the sdp mapping is in several specs

  281. Emil Ivov has joined

  282. waqas

    So if an XMPP client author wants to interop with other clients, what should they look at? Is other clients' code the best thing at the moment?

  283. fippo

    waqas: test with swift?

  284. waqas

    Kev just said that still needs sorting out

  285. fippo

    oh, webrtc related?

  286. waqas


  287. fippo

    https://github.com/legastero/jingle-interop-demos then -- the strophe is currently my preferred one

  288. fippo

    that will change next month though

  289. waqas


  290. waqas

    You will have your own next month?

  291. fippo

    nah, i'll steal stanzas jingle module from lance then

  292. fippo

    it looks like I need to update the interop demo thing to the proper 0338/0339 support though

  293. waqas

    Is there anything special these clients expect from the server? Jingle Relay Nodes support or anything like that?

  294. fippo

    mod_turncredentials is nice but for localhost-test or in the same network things should just work

  295. Lloyd has left

  296. Alex has left

  297. stpeter has left

  298. Emil Ivov has left

  299. emcho has joined

  300. emcho has left

  301. emcho has joined

  302. stpeter has joined

  303. ralphm

    xnyhps: https://twitter.com/booleanvalue/status/436637700280422400

  304. ralphm

    It is interesting to read that people only now are starting to discover that Whatsapp is based on XMPP. And even though we might feel they messed it up royally, there are things to learn for us.

  305. stpeter

    ralphm: certainly

  306. ralphm

    I'd love seeing a mostly exact clone of whatsapp using standard XMPP protocols. I.e. similar easy of set up, identical feature set (not more), similar UI features. But federated. I'm not sure yet how to do some things (like magically having all your friends there if they also run the same app), though. Would be good to do that exercise.

  307. Maranda has joined

  308. fippo

    ralphm: get enough VC...

  309. ralphm

    fippo: heh. well, at least maybe we could think about the feature set and if we can do that with existing protocol

  310. ralphm

    fippo: and figuring out contacts in federation context seems hard. In the centralized case, you can simply look up phone numbers.

  311. Zash

    Didn't someone do some research into privacy-aware "magically haivng all your friends there"

  312. ralphm

    I think I am bit worked up on all the myths around XMPP.

  313. ralphm

    Zash: I'd love to read papers on tht

  314. ralphm


  315. Zash