edhelas: except that the node will be configured in "whitelist"
jonasw: who would manage that list?
jonasw: wouldn’t it be better to have the server manage its
jonasw: wouldn’t it be better to have the server manage it?
edhelas: each time you subscribe to a pubsub node you add your subscription in that list, the same way 0330 is doing
edhelas: jonasw I've mentioned that years ago, this needs deep refactoring of how pubsub is handled in XMPP
Ge0rG: shouldn't the server automatically do the plumbing whenever you change that list, then?
jonasw: edhelas, does it?
jonasw: the server can sniff the traffic just like it does for MIX
edhelas: so for now I'm going for this solution, I've been doing that in Movim for a while already
Kev: This is what Dave's PAM is for.
jonasw: alternatively, turn it the other way like Ge0rG suggests (modifications to the PEP node you’re proposing cause subscribes/unsubscribes)
edhelas: jonasw why not
Ge0rG: edhelas: that would conveniently solve multi-client too
edhelas: Ge0rG how do you think this will fit with https://xmpp.org/extensions/xep-0330.html ?
jonasw: oh yes, XEP-0376 looks good
Ge0rG: edhelas: I think it would be good to have a private list for subscription maintenance and a public list which is a subset of that
Flow: I always wonder if PAM couldn't be designed transparently using standard xep60 <subscription/>
Dave Cridland has left
jonasw: Flow, yeah, like mix does it
Flow: jonasw, isn't/wasn't MIX supposed to be using PAM for that?
jonasw: I don’t think it does
Flow: IIRC PAM was a result of Dave's and Kev's persistent groupchat discussion
Kev: jonasw: It uses something very like PAM.
Kev: Flow: PAM was a Dave thing that I just jumped on because it makes sense for MIX, IIRC.
Flow: so if it makes sense, then why isn't MIX using it?
Kev: MIX is using the same model, waiting to see if it makes sense to merge into PAM, or keep out.
Kev: "In future, the specifications in this section MAY be moved to a separate XEP or it MAY be incorporated into Pubsub Account Management (XEP-0376) (PAM) which follows a similar model."
Steve Kille: When I did the MIX editing, there was nothing I could usefully reference, so MIX includes what it needs.
Guus: daniel, regarding your HTTP Upload 0.5 change: As various network components between the HTTP client and server might inject headers of their own, it feels wrong to me to impose a MUST on what headers clients are allowed to add. It implies that this defines the set of headers that the server receives. I suggest dropping the client requirement (as it's not really enforceable), and instead stressing the need for the server to ignore headers other than the allowed set.
jonasw: Guus, did you follow the can-of-worms discussion this was in the last few days :)
jonasw: the argument is that the server could exploit the client to send a request to a third party, for example your home router
jonasw: (essentially use the client as an HTTP proxy into the client's LAN)
jonasw: to reduce the impact of that, the selection of headers was restricted; even though it’s not entirely clear to me how that helps in that scenario, really.
Flow: what jonasw said
jonasw: but Ge0rG kinda insisted on it
Guus: jonasw, I didn't follow that discussion, no.
Guus: I'm also not understanding the argument.
jonasw: Guus, essentially, it’s something along the lines of the Same Origin Policy enforced by browsers and the Cross-Origin Request Sharing policies
Ge0rG: We can't fix web security, we can only restrict how much we are affected by it
daniel: Guus: I don't fully understand the argument either. But I'm not bothered by it and it won't go through council w/o that change
Guus: I'm not seeing how the client being prohibited to send certain headers prevents the server from sending anything it wants, abusive or not.
daniel: And I didn't even put headers into my original http upload
Ge0rG: Guus: with arbitrary headers you will make the xmpp client a reverse proxy for malicious xmpp servers.
daniel: Or let me rephrase that. I understand the problem (broken http interfaces in your local network). I'm not sure that limiting the headers does anything to fix your china router
Guus: can you spell out that attack vector for me Ge0rG?
Guus: (or point me to an archive?)
Ge0rG: Guus: have a look at http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html#host please
Dave Cridland has left
Holger: Ge0rG: Aren't large parts of that article about playing with the request URI and the Host header? Which we place no restrictions on at all in XEP-0363?
Guus: How does the client not sending certain headers outwards prevent the server from crafting malicious requests inwards?
Holger: Guus: The reasoning is preventing your XMPP server from crafting malicious HTTP PUT requests performed by your client.
Flow: Guus, hmm? It does not. But it's about the client performing requests
Flow: And those requests are handled by your (broken) home router
Guus: right, now I get it.
Guus: Thanks. I retract my earlier request to change the text :)
Guus: (it was initially unclear to me that the text restricts only the headers-to-be-copied-from-the-server-instructions)
Holger: I get the idea too, I just still don't agree with imposing an arbitrary restriction due to a diffuse feeling this might reduce the impact of an attack performed by your trusted XMPP service we have not yet understood. But meh.
edhelas: I'd like to know if it's possible to "rename" a pubsub node
edhelas: would be really useful, especially when you have namespace bumps
Holger: edhelas: Won't the namespace usually only be bumped if the node contents change in some way?
edhelas: well sometimes you have clients that are developing features with their own namespace
edhelas: then it gets standardized
edhelas: like for OMEMO and Conversations
jonasw: precisely the reason why the X-* antipattern was deprecated in the IETF
daniel: Just wait for Ge0rG to find out that you can use jingle to port scan your contacts' network 😂
daniel: Or have your contact scan other networks
daniel: But we'll just grab the low hanging fruit before we get to the fancy stuff
Ge0rG: daniel: don't make me change my mind on Jingle FT!
daniel: Idk. I vetoed it anyway
daniel: Not for that particular reason though
Ge0rG: daniel: ah, right. outstanding feedback
daniel: but now I want to write a jingle portscanner. you could even distribute this among your contacts
Holger: Hehe I was thinking about Jingle exploits as well.
jonasw: daniel, build a webrtc portscanner. that should be much more impactful :)
Holger: jonasw: Well, but I meant abusing the SOCKS5 client as a proxy in the Ge0rG sense.
jonasw: how does one trick a socks5 client into doing that?
Holger: jonasw: The server could send the client SI/Jingle initiation requests?
jonasw: I’m probably not familiar with how things work here
Holger: The nice thing is that the server could do so actively, rather than waiting for the client to request upload slots.
daniel: Holger, clients might not (auto) accept that though
Holger: Yes it will probably fail because they only support a different Jingle revision anyway.
Dave Cridland has left
Dave Cridland has left
intosi: Hiding/obfuscation of your nickname on your (re)application is an unhelpful thing.
Guus: yet, not new.
intosi: Not new, but that doesn't mean we shouldn't mention it when it happens, nor that we shouldn't consider whether we'd even want that.
Guus: Wasn't it Steve Jobs who didn't want his car to be identifiable, and utilized a legislation loophole where he could drive a car without a number plate - thus making the car immediately stand out as his, as he was the only one doing that?
intosi: I'm not intimately familiar with the car collections of tech CEOs.
Guus: I always considered N********** to be a playful act.
moparisthebest: I only like American, no replacement for displacement
Seve: MattJ, did you tell them: 'Do you know who you are talking with!?'
Sad to hear that, though.
SamWhited: It wasn't a great comparison… I was trying to think of other car companies that had something like Mopar, but I think the others' named divisions all actually make cars
moparisthebest: SamWhited: GM is the analogy I always use
SamWhited: Do they have a named division or something like that?
SamWhited: (what do you even call that?)
moparisthebest: Like GM is to Chevrolet, GMC, Buick, Pontiac, Cadillac as Mopar is to Chrysler, Dodge, Jeep, Plymouth
SamWhited: GM is just the parent company of those brands though, isn't it? Mopar just sells parts for Fiats and Chryslers and builds the occasional rally car
SamWhited: GM is to Chevrolet as Fiat is to Jeep or something like that
moparisthebest: Maybe technically but those cars are just collectively called Mopars
moparisthebest: And they share plants and engines and such
moparisthebest: The big yearly meet, drag race and car show is called the Mopar Nationals etc
SamWhited: GM is to Chevrolet as Fiat is to Mopar then
SamWhited: This is an important classification to get correct in this chat room, obviously.
moparisthebest: Haha so Abarth and Chrysler/Jeep/Dodge are all seemed by Fiat now looks like
SamWhited: I think Fiat and Chrysler merged, and Chrysler owned Jeep and maybe Dodge? I can never keep it straight.
moparisthebest: Well again business wise maybe, but I'd just call them GM vehicles
moparisthebest: Well it changes yearly I think
SamWhited: Huh, apparently Fiat owns Alfa Romeo too, I didn't realize that
SamWhited: And Lancia, weird. Wish they'd bring them back.
* SamWhited goes down the Wikipedia rabbit hole
moparisthebest: Let me know when it loops back around to XMPP, good luck
SamWhited: We were talking about this at work yesterday actually… Wikipedia races where each person starts on a random topic and has to get to a different topic only by clicking links on the page. Shortest path wins.