edhelas: except that the node will be configured in "whitelist"
jonasw: who would manage that list?
jonasw: the client?
edhelas: the clients
jonasw: hmm
jonasw: wouldn’t it be better to have the server manage it?
edhelas: each time you subscribe to a pubsub node you add your subscription in that list, the same way 0330 is doing
edhelas: jonasw I've mentioned that years ago, this needs deep refactoring of how pubsub is handled in XMPP
Ge0rG: shouldn't the server automatically do the plumbing whenever you change that list, then?
jonasw: edhelas, does it?
Ge0rG: XMPP 2.0!
jonasw: the server can sniff the traffic just like it does for MIX
edhelas: so for now I'm going for this solution, I'm doing that in Movim for a while already
Kev: This is what Dave's PAM is for.
jonasw: alternatively, turn it the other way like Ge0rG suggests (modifications to the PEP node you’re proposing cause subscribes/unsubscribes)
jonasw: Kev, #?
edhelas: jonasw why not
Kev: 376
Ge0rG: edhelas: that would conveniently solve multi-client too
edhelas: Ge0rG how do you think this will fit with https://xmpp.org/extensions/xep-0330.html ?
jonasw: oh yes, XEP-0376 looks good
Ge0rG: edhelas: I think it would be good to have a private list for subscription maintenance and a public list which is a subset of that
Flow: I always wonder if PAM couldn't be designed transparent using standard xep60 <subscription/>
jonasw: Flow, yeah, like mix does it
Flow: jonasw, isn't/wasn't MIX supposed to be using PAM for that?
jonasw: I don’t think it does
Flow: IIRC PAM was a result of Dave's and Kev's persistent groupchat discussion
Kev: jonasw: It uses something very like PAM.
Kev: Flow: PAM was a Dave thing that I just jumped on because it makes sense for MIX, IIRC.
Flow: so if it makes sense, then why isn't MIX using it?
Kev: MIX is using the same model, waiting to see if it makes sense to merge into PAM, or keep out.
Kev: "In future, the specifications in this section MAY be moved to a separate XEP or it MAY be incorporated into Pubsub Account Management (XEP-0376) [18] (PAM) which follows a similar model."
Steve Kille: When I did the MIX editing, there was nothing I could usefully reference, so MIX includes what it needs.
Guus: daniel, regarding your HTTP Upload 0.5 change: As various network components between the HTTP client and server might inject headers of their own, it feels wrong to me to impose a MUST on what headers clients are allowed to add. It implies that this defines the set of headers that the server receives. I suggest dropping the client requirement (as it's not really enforceable), and instead stress on a need for the server to ignore headers other than the allowed set.
jonasw: Guus, did you follow the can-of-worms discussion this was in the last few days :)
jonasw: the argument is that the server could exploit the client to send a request to a third party, for example your home router
jonasw: (essentially use the client as an HTTP proxy into the client's LAN)
Kev: Sounds useful.
jonasw: to reduce the impact of that, the selection of headers was restricted; even though it’s not entirely clear to me how that helps in that scenario, really.
Flow: what jonasw said
jonasw: but Ge0rG kinda insisted on it
Guus: jonasw, I didn't follow that discussion, no.
Zash: Ough
Guus: I'm also not understanding the argument.
Zash: Bottomless can-of-worms?
jonasw: Guus, essentially, it’s something along the lines of the Same Origin Policy enforced by browsers and the Cross-Origin Request Sharing policies
Ge0rG: We can't fix web security, we can only restrict how much we are affected by it
daniel: Guus: I don't fully understand the argument either. But I'm not bothered by it and it won't go through council w/o that change
Guus: I'm not seeing how the client being prohibited to send certain headers prevents the server from sending anything it wants, abusive or not.
daniel: And I didn't even put headers into my original http upload
Ge0rG: Guus: with arbitrary headers you will make the xmpp client a reverse proxy for malicious xmpp servers.
daniel: Or let me rephrase that. I understand the problem (broken http interfaces in your local network). I'm not sure that limiting the headers does anything to fix your china router
Guus: can you spell out that attack vector for me Ge0rG?
Guus: (or point me to an archive?)
Ge0rG: Guus: have a look at http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html#host please
Holger: Ge0rG: Aren't large parts of that article about playing with the request URI and the Host header? Which we place no restrictions on at all in XEP-0363?
Guus: How does the client not sending certain headers outwards prevent the server from crafting malicious requests inwards?
Holger: Guus: The reasoning is preventing your XMPP server from crafting malicious HTTP PUT requests performed by your client.
Flow: Guus, hmm? It does not. But it's about the client performing requests
Flow: And those requests are handled by your (broken) home router
Guus: right, now I get it.
Guus: Thanks. I retract my earlier request to change the text :)
Guus: (it was initially unclear to me that the text restricts only the headers-to-be-copied-from-the-server-instructions)
Holger: I get the idea too, I just still don't agree with imposing an arbitrary restriction due to a diffuse feeling this might reduce the impact on an attack performed by your trusted XMPP service we have not yet understood. But meh.
Guus: <lunch>
edhelas: I'd like to know if it's possible to "rename" a pubsub node
edhelas: would be really useful, especially when you have namespaces bump
Holger: edhelas: Won't the namespace usually only be bumped if the node contents change in some way?
edhelas: well sometimes you have clients that are developing features with their own namespace
edhelas: then it gets standardized
edhelas: like for OMEMO and Conversations
jonasw: precisely the reason why the X-* antipattern was deprecated in the IETF
daniel: Just wait for Ge0rG to find out that you can use jingle to port scan your contacts network 😂
daniel: Or have your contact scan other networks
daniel: But we'll just grab the low hanging fruit before we get to the fancy stuff
Ge0rG: daniel: don't make me change my mind on Jingle Ft!
daniel: Idk. I vetoed it anyway
daniel: Not for that particular reason though
Ge0rG: daniel: ah, right. outstanding feedback
daniel: but now i want to write a jingle portscanner. you could even distribute this among your contacts
Holger: Hehe I was thinking about Jingle exploits as well.
jonasw: daniel, build a webrtc portscanner. that should be much more impactful :)
jonasw: well, SOCKS5 is a proxy protocol. it is meant to be a proxy and open connections, people will probably have put the appropriate security measures on it to prevent abuse
Holger: jonasw: Well but I meant abusing the SOCKS5 client as a proxy in the Ge0rG sense.
jonasw: oh;
jonasw: how does one trick a socks5 client into doing that?
Holger: jonasw: The server could send the client SI/Jingle initiation requests?
jonasw: I’m probably not familiar how things work here
Holger: The nice thing is that the server could do so actively, rather than waiting for the client to request upload slots.
daniel: Holger, clients might not (auto) accept that though
Holger: Yes it will probably fail because they only support a different Jingle revision anyway.
daniel: :-)
intosi: Hiding/obfuscation of your nickname on your (re)application is an unhelpful thing.
Guus: yet, not new.
intosi: Not new, but that doesn't mean we shouldn't mention it when it happens, nor that we should consider whether we'd even want that.
Guus: Wasn't it Steve Jobs who didn't want his car to be identifiable, and utilizing a legislation loophole where he could drive with a car without a number plate - thus making the car immediately stand out as his, as he was the only one doing that?
intosi: I'm not intimately familiar with the car collections of tech CEOs.
Guus: I always considered N********** to be a playful act.
moparisthebest: Ah ok was confused, I hate name changes :)
moparisthebest: That email has the best quote ever
moparisthebest: In Finland we have a saying for this sort of process: climbing a tree butt-first.
MattJ: I went to a Lua meet-up at FOSDEM, and at the end someone asked how the Lua community stayed in touch. "Maybe we should use Telegram?" - I broke down on the spot
Seve: moparisthebest, yeah, decided to change my name here. It felt weird to me to say 'I'm SouL' in person at FOSDEM hah
Seve: I discovered that email because I've been reading all KDE emails regarding their migration from IRC to something else
Neustradamus: Seve: ah ah
moparisthebest: Seve: try saying hi I'm moparisthebest
moparisthebest: I solve that by just never meeting people in real life lol
mathieui: I still haven’t come up with a way of saying my nick in english non-awkwardly
moparisthebest: Also once I had to say lighttpd out loud in person
moparisthebest: Rough if you hadn't considered it before
moparisthebest: MattJ: did you chew them a new one lol
* SamWhited is always tempted to change his name to abarthisthebest
moparisthebest: I only like American, no replacement for displacement
Seve: MattJ, did you tell them: 'Do you know who are you talking with!?'
Seve: Sad to hear that, though.
SamWhited: It wasn't a great comparison… I was trying to think of other car companies that had something like mopar, but I think the others named divisions all actually make cars
moparisthebest: SamWhited: GM is the analogy I always use
moparisthebest: General Motors
SamWhited: Do they have a named division or something like that?
SamWhited: (what do you even call that?)
moparisthebest: Like GM is to Chevrolet, GMC, Buick, Pontiac, Cadillac as Mopar is to Chrysler, Dodge, Jeep, Plymouth
SamWhited: GM is just the parent company of those brands though, isn't it? Mopar just sells parts for Fiat and Chryslers and builds the occasional rally car
SamWhited: GM is to Chevrolet as Fiat is to Jeep or something like that
moparisthebest: Maybe technically but those cars are just collectively called mopars
SamWhited: ah, okay
moparisthebest: And they share plants and engines and such
moparisthebest: The big yearly meet drag race and car show is called the Mopar Nationals etc
SamWhited: GM is to Chevrolet as Fiat is to Mopar then
SamWhited: This is an important classification to get correct in this chat room, obviously.
moparisthebest: Haha so abarth and Chrysler/jeep/Dodge are all seemed by Fiat now looks like
SamWhited: I think Fiat and Chrysler merged, and Chrysler owned Jeep and maybe Dodge? I can never keep it straight.
moparisthebest: Well again business wise maybe, but I'd just call them GM vehicles
moparisthebest: Well it changes yearly I think
SamWhited: Huh, apparently fiat owns Alfa Romeo too, I didn't realize that
SamWhited: And Lancia, weird. Wish they'd bring them back.
* SamWhited goes down the Wikipedia rabbit hole
moparisthebest: Let me know when it loops back around to XMPP, good luck
SamWhited: We were talking about this at work yesterday actually… wikipedia races where each person starts on a random topic and has to get to a different topic only by clicking links on the page. Shortest path wins.