<mathieui> Hanno has good points (that we already know), but some stuff is factually wrong though
<Zash> Hanno whose name I recognize from lists like oss-sec?
<SamWhited> That should be good; wish I were there for that.
<mathieui> like, he’s the one who found a nice series of PHP CVEs "reading random code on the train on the way to 33C3"
<daniel> Who cares about facts though
<mathieui> (or raised the "gajim OTR leaks plaintext" CVE)
<Zash> Tell them "Tradeoffs" and "Meh" from me.
<SamWhited> The description sounds pretty bang on; I'd be curious to know what he gets right/wrong in the actual talk.
<daniel> mathieui: did he?
<mathieui> daniel, "raised", after it was fixed
<daniel> I was under the impression that this was lovetox
<daniel> Who found the bug
<Zash> raised as in, so it got a CVE number?
<mathieui> so he still is kind of up-to-date and knowledgeable, I mean
<daniel> Should have brought some straw for all the men he is building
<SamWhited> Oh joy, another one of those; *sigh* I keep hoping someone will have an actual talk about this.
<Link Mauve> Zash, https://www.zash.se/xmpp-features.html is now zero bytes.
<Zash> Link Mauve: now then
<Link Mauve> Zash, thanks.
<Link Mauve> Oh, I didn’t contribute the server part of 0375?
<daniel> I like how his rhetorical questions bombed completely. 'who here ever received xmpp spam?' almost nobody raises hand. 'who here ever used xmpp video chat?' lots of people raise hand
<mathieui> well, if he asked if people were using video chat often, it might have been a different answer
<Link Mauve> I actually use Jitsi Meet as my sole personal video chat client.
<edhelas> mathieui, I'll call you after the conference to talk about it ;)
<mathieui> I used XMPP video chat, 5 years ago, twice
<Link Mauve> I helped ThibG test his implementation in Gajim 0.14, twice.
<Zash> Didn't we use Jitsi Meet at some recent summit?
<SamWhited> We used it at the Austin one (it worked very well, if I do say so myself)
<Zash> Link Mauve: That sounds like a thing I might have done as well.
<mathieui> so if I hear correctly one guy just suggested we should contribute to Signal instead of writing XEPs
<Zash> What's the point when I can't run my own server?
<edhelas> incoming XEP-xxxx : Signal over XMPP
<xnyhps> Zash: You can, but you're on there alone.
<SamWhited> I wonder why we should contribute to Signal instead of Signal contributing to us… or why Signal over <insert other favorite messaging app here>
<SamWhited> Or why these two things are even related at all
<mathieui> SamWhited, it has to be mostly open-source
<Zash> Isn't that basically OMEMO?
<mathieui> SamWhited, although, I kind of agree that people complaining that Signal uses GCM should just finish the pull request adding websocket support
<mathieui> but I personally don’t care obviously
<SamWhited> I don't care about any of that; I was just pointing out that the argument could go either way
<Zash> No, everyone should go invent yet another messaging thing from scratch for no reason!
<Link Mauve> Zash, disrupt!
<waqas> Zash: The big issue here is a lack of JSON. XEP-0295 has been out for years, yet implementations are scarce.
<Zash> Try adding more JSON?
<Tobias> Nobody was ever fired for using JSON
<SamWhited> Were there any good points in the talk? We can mock, but this is an actual problem and it would be nice to solve some of XMPP's random incompatibilities.
<SamWhited> This is why I still think we need to deprecate privacy lists, and XHTML-IM, and Message Archiving, etc. even if no full replacement exists yet. It just leads to confusion, a fragmented ecosystem, and talks like this.
<Zash> Yes, a summary would be neat to hear before I run out of Futurama episodes to watch instead of going to sleep.
* waqas agrees with SamWhited about it being an actual problem to be discussed and solved
<Zash> XHTML-IM is bad now?
<SamWhited> I certainly think so; nothing that supports it renders anything the same as anything else that supports it, and I have yet to find a web client that supports it which I couldn't script inject.
<SamWhited> Even if you only look at a single client and don't care if things render exactly the same between clients, you can pretty much always break that particular client's UI with it (by introducing images or huge text or whatever)
<SamWhited> I don't know if that was one of the specific complaints people had; I was just trying to think of examples of things that I think break XMPP clients' UX
<Zash> Not that I personally would miss it, but I would care more for semantics than exact rendering.
<Zash> Also, you should try to find the giant stick labeled 'Is the new MAM revision done yet?' and poke MattJ with it.
<Zash> And whatever happened with Carbons?
<Zash> Wasn't it supposed to be Draft-ified or updated or something?
<SamWhited> The Carbons last-call kind of died out; I should bring that back up again.
<SamWhited> I don't remember why; I'm sure there was some update that needed doing.
<mathieui> SamWhited, all in all it was a pretty balanced talk
<mathieui> slides will be online
* SamWhited refreshes the page a bunch :)
<Zash> SamWhited: Tell me when to refresh the page so I can refresh the page.
<Tobias> SamWhited, will write some mail to standards/members ML...the manifesto was nice, but is outdated for today's security standards
<SamWhited> Zash: refresh the page
<Tobias> compliance suites are nice, but the latest one doesn't include E2E security (OMEMO wasn't a XEP yet then)
<SamWhited> (the website is the slides, I just discovered)
<SamWhited> Ooh yeah, we should definitely add it now that it is.
<Zash> Hold on, I closed the page, let me just scroll up and find the link again so I can open it and refresh it.
<Zash> Oh neat, only 22 hits for "Signal" in the slides
<SamWhited> It seems to me that his core premise is that all messages should be e2e encrypted all the time and that there should be no plaintext fallback, but I disagree with that as a valid assumption. His foundation feels a bit shaky.
<Tobias> SamWhited, we should have the client list on xmpp.org sorted by support of compliance suite features...similar to that page from daniel where he shows which service supports which XEPs
<mathieui> SamWhited, I agree with you, but I see his point
<mathieui> I mean, ideally you should choose your admin, but ideally you should still not be 100% hoping on his goodwill
<Tobias> SamWhited, and modernize that manifesto for requiring TLS 1.2 support, cleaning up inconsistencies, etc.
<Zash> Ideally you should choose an admin within range of a tactical ballistic stone's throw.
<moparisthebest> But you can have that now with OMEMO, hell you could have it 10? years ago with PGP XEP-0027
<SamWhited> I do agree with his assertion that having OMEMO and new-PGP is poor and not well justified; we should fix that too.
<moparisthebest> Different use cases SamWhited
<moparisthebest> OMEMO forces forward secrecy, sometimes you don't want that
<SamWhited> I don't disagree with that, but I don't think it's a good enough reason to have two separate crypto protocols.
<Tobias> moparisthebest, it only forces it as an implementation detail, doesn't it?...if you never delete your keys, you won't have FS, no?
<SamWhited> His very next slide says "Is it good to idealize choice and sacrifice interoperability and security?" and I think the answer is no; we should only support OMEMO even if it means the no-FS use case isn't covered.
<SamWhited> (in my mind)
<moparisthebest> So I use XEP-0027 for notifications from my servers, cronjobs and such I used to use email for
<Tobias> right..but in the end it's protocol choice
<moparisthebest> I'm not clear I could use OMEMO for that
<Tobias> if the new PGP XEP won't be part of the compliance suite, but OMEMO will, client devs have less incentive to implement it
<moparisthebest> At least without keeping my keys too long etc
<Tobias> moparisthebest, I'm sure OMEMO could also be used by notification bots
<SamWhited> If it's a notification from your server isn't it already end-to-end encrypted (from the server to you) by virtue of using TLS?
<moparisthebest> Tobias: well it connects, sends the message and then disconnects
<SamWhited> oh, not from your XMPP server, just "from my servers"; nevermind.
<moparisthebest> SamWhited: yes, but why not PGP also? :-)
<Tobias> right..but as long as it fetches the correct prekeys from the recipient via PEP
<SamWhited> moparisthebest: because you've just increased your attack surface drastically and your reasoning is "why not"
<mathieui> SamWhited, we usually refer to TLS as point-to-point, obviously
<Tobias> daniel, there's nothing preventing a script from connecting, sending an OMEMO message, and disconnecting, right?
<Zash> That Prosody bug possibly.
<moparisthebest> SamWhited: I think it reduces attack surface, like if a TLS bug happens, I'm fine
<SamWhited> Adding more things with the argument "why not" is *never* an okay way to engineer anything. Redundancy can be good, but it generally needs justification. In this case you're just introducing more dependencies to a system that's complex already (more dependencies that can have their own vulnerabilities and issues which I could potentially attack).
<moparisthebest> Then take out TLS altogether
<moparisthebest> After all these messages don't matter
<SamWhited> In this case I'd argue that adding more stuff is at best pointless, and at worst dangerous.
<Tobias> I hope the MIX XEP has nothing redundant in it...I'll have to read it :)
<moparisthebest> They are like, just renewed a cert
<SamWhited> Those slides were pretty excellent; now I'm even more sad I wasn't there. Thanks for the link!
<Tobias> what was daniel's webpage that shows which service supports which XEP?