XSF Discussion - 2018-02-16

sort of, it's polling based by default, IIRC so even with only two servers in a 1:1 it's not very efficient.

not that it really matters in that case for most people

Yeah I think everyone runs it 24/7 so there's too little incentive to implement MAM.

(Er, the message I was responding to was old.)

Threads plz

Or an in-reply-to thing

Or real quotes and not just quotes :)

Seve: did you talk to KDE yet? 😉

Not yet, sorry. I've got a lot of work and haven't been able to put my hands on it :(

I'll have to work on a new XEP to store the user pubsub subscriptions in a PEP node

basically this XEP will be the same as https://xmpp.org/extensions/xep-0333.html

https://xmpp.org/extensions/xep-0330.html sorry

except that the node will be configured in "whitelist"

who would manage that list?

the client?

the clients

hmm

wouldn’t it be better to have the server manage it? ✏

each time you subscribe to a pubsub node you add your subscription in that list, the same way 0330 is doing

jonasw I've mentionned that years ago, this need deep refactoring of how pubsub is handled in XMPP

shouldn't the server automatically do the plumbing whenever you change that list, then?

edhelas, does it?

XMPP 2.0!

the server can sniff the traffic just like it does for MIX

so for now I'm going for this solution, I'm doing that in Movim for a while already

This is what Dave's PAM is for.

alternatively, turn it the other way like Ge0rG suggests (modifications to the PEP node you’re proposing cause subscribes/unsubscribes)

Kev, #?

jonasw why not

376

edhelas: that would conveniently solve multi-client too

Ge0rG how do you think this will fit with https://xmpp.org/extensions/xep-0330.html ?

oh yes, XEP-0376 looks good

edhelas: I think it would be good to have a private list for subscription maintenance and a public list which is a subset of that

I always wonder if PAM couldn't be designed transparent using standard xep60 <subscription/>

Flow, yeah, like mix does it

jonasw, isn't/wasn't MIX supposed to be using PAM for that?

I don’t think it does

IIRC PAM was a result of Dave's and Kev's persistent groupchat discussion

jonasw: It uses something very like PAM.

Flow: PAM was a Dave thing that I just jumped on because it makes sense for MIX, IIRC.

so if it makes sense, then why isn't MIX using it?

MIX is using the same model, waiting to see if it makes sense to merge into PAM, or keep out.

" In future, the specifications in this section MAY be moved to a separate XEP or it MAY be incorporated into Pubsub Account Management (XEP-0376) [18] (PAM) which follows a similar model. "

When I did the MIX editing, there was nothing I could usefully reference, so MIX includes what it needs.

daniel, regarding your HTTP Upload 0.5 change: As various network components between the HTTP client and server might inject headers of their own, it feels wrong to me to impose a MUST on what headers clients are allowed to add. It implies that this defines the set of headers that the server receives. I suggest dropping the client requirement (as it's not really enforceable), and instead stress on a need for the server to ignore headers other than the allowed set.

Guus, did you follow the can-of-worms discussion this was in the last few days :)

the argument is that the server could exploit the client to send a request to a third party, for example your home router

(essentially use the client as an HTTP proxy into the clients LAN)

Sounds useful.

to reduce the impact of that, the selection of headers was restricted; even though it’s not entirely clear to me how that helps in that scenario, really.

what jonasw said

but Ge0rG kinda insisted on it

jonasw, I didn't follow that discussion, no.

Ough

I'm also not understanding the argument.

Bottomless can-of-worms?

Guus, essentially, it’s something along the lines of the Same Origin Policy enforced by browsers and the Cross-Origin Request Sharing policies

jonasw: Double infinite bottomless can-of-worms?

We can't fix web security, we can only restrict how much we are affected by it

Guus: I don't not fully understand the argument either. But I'm not bothered by it and it won't go through council w/o that change

I'm not seeing how the client being prohibited to send certain headers prevents the server from sending anything it wants, abusive or not.

And I didn't even put headers into my original http upload

Guus: with arbitrary headers you will make the xmpp client a reverse proxy for malicious xmpp servers.

Or let me rephrase that. I understand the problem (broken http interfaces in your local network). I'm not sure that limiting the headers does anything to fix your china router

can you spell out that attack vector for me Ge0rG?

(or point me to an archive?)

Guus: have a look at http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html#host please

Ge0rG: Isn't large parts of that article about playing with the request URI and the Host header? Which we place no restrictions on at all in XEP-0363?

How does the client not sending certain headers outwards prevent the server from crafting malicious requests inwards?

Guus: The reasoning is preventing your XMPP server from crafting malicious HTTP PUT requests performed by your client.

Guus, hmm? It does not. But it's about the client performing requests

And those requests are handled by your (broken) home router

right, now I get it.

Thanks. I retract my earlier request to change the text :)

(it was initially unclear to me that the text restricts only the headers-to-be-copied-from-the-server-instructions)

I get the idea too, I just still don't agree with imposing an arbitrary restriction due to a diffuse feeling this might reduce the impact on an attack performed by your trusted XMPP service we have not yet understood. But meh.

<lunch>

I'd like to know if it's possible to "rename" a pubsub node

would be really useful, especially when you have namespaces bump

edhelas: Won't the namespace usually only be bumped if the node contents change in some way?

well sometime you have clients that are developping features with their own namespace

then it get standardized

like for OMEMO and Conversations

precisely the reason why the X-* antipattern was deprecated in the IETF

Just wait for Ge0rG to find out that you can use jingle to port scan your contacts network 😂

Or have your contact scan other networks

But we'll just grab the low hanging fruit before we get to the fancy stuff

daniel: don't make me change my mind on Jingle Ft!

Idk. I vetoed it anyway

Not for that particular reason though

daniel: ah, right. outstanding feedback

but now i want to write a jingle portscanner. you could even distribute this among your contacts

Hehe I was thinking about Jingle exploits as well.

daniel, build a webrtc portscanner. that should be much more impactful :)

Or SI/SOCKS5.

https://medium.com/hownetworks/how-did-i-turn-my-browser-into-a-port-scanner-tricksy-but-doable-c37db85f9adc

well, SOCKS5 is a proxy protocol. it is meant to be a proxy and open connections, people will probably have put the appropriate security measures on it to prevent abuse

Also https://github.com/beefproject/beef/wiki/Module:-Port-Scanner

jonasw: probably.

jonasw: Wenn but I meant abusing the SOCKS5 client as a proxy in the Ge0rG sense.

oh;

how does one trick a socks5 client into doing that?

jonasw: The server could send the client SI/Jingle initiation requests?

I’m probably not familiar how things work here

The nice thing is that the server could do so actively, rather than waiting for the client to request upload slots.

Holger, clients might not (auto) accept that though

Yes it will probably fail because they only support a different Jingle revision anyway.

:-)

Hiding/obfuscation of your nickname on your (re)application is an unhelpful thing.

yet, not new.

Not new, but that doesn't mean we shouldn't mention it when it happens, nor that we should consider whether we'd even want that.

Wasn't it Steve Jobs who didn't want his car to be identifiiable, and utilizing a legislation loophole where he could drive with a car without a number plate - thus making the car immediately stand out as his, as he was the only one doing that?

I'm not intimately familiar with the car collections of tech CEOs.

I always considered N********** to be a playful act.

https://thenextweb.com/apple/2011/10/27/mystery-solved-why-steve-jobs-car-never-had-a-license-plate/

Amusing :)

I don’t even know who that N****+ is

or what?

Go down the occupants list of this room, and you'll figure it out :)

Guus, unless I’m stupid, there’s none whose nickname length macthes

there’s a letter missing I think

two levels of obfuscation!

I didn't count, but rough comparison will do :)

French... N***... It's Nÿco, right?

this is discussion is exhausting

my brain autocompletes "N****" like "the N word" and this is all very inappropriate

Dave Cridland: there's another French N

I like how nobody wants to invoke Neu stradamus

:D

https://listarchives.libreoffice.org/global/projects/msg02257.html

Wait Seve you are soul?

yes he is

Ah ok was confused, I hate name changes :)

That email has the best quote ever

In Finland we have a saying for this sort of process: climbing a tree butt-first.

I went to a Lua meet-up at FOSDEM, and at the end someone asked how the Lua community stayed in touch. "Maybe we should use Telegram?" - I broke down on the spot

moparisthebest, yeah, decided to change my name here. It felt weird to me to say 'I'm SouL' in person at FOSDEM hah

I discovered that email because I've been reading all KDE emails regarding their migration from IRC to something else

Seve: ah ah

Seve: try saying hi I'm moparisthebest

I solve that by just never meeting people in real life lol

I still haven’t come up with a way of saying my nick in english non-awkwardly

Also once I had to say lighttpd out loud in person

Rough if you hadn't considered it before

MattJ: did you chew them a new one lol

or maybe: "acuraisthebestbutonlythensxandoldpreludes"

I only like American, no replacement for displacement

MattJ, did you tell them: 'Do you know who are you talking with!?' Sad to hear that, though.

It wasn't a great comparison… I was trying to think of other car companies that had something like mopar, but I think the others named divisions all actually make cars

SamWhited: GM is the analogy I always use

General Motors

Do they have a named division or something like that?

(what do you even call that?)

Like GM is to Chevrolet, GMC, Buick, Pontiac, Cadillac as Mopar is to Chrysler, Dodge, Jeep, Plymouth

GM is just the parent company of those brands though, isn't it? Mopar just sells parts for Fiat and Chryslers and builds the occasional rally car

GM is to Chevrolet as Fiat is to Jeep or something like that

Maybe technically but those cars are just collectivity called mopars

ah, okay

And they share plants and engines and such

The big yearly meet drag race and car show is called the Mopar Nationals etc

GM is to Chevrolet as Fiat is to Mopar then

This is an important classification to get correct in this chat room, obviously.

Haha so abarth and Chrysler/jeep/Dodge are all seemed by Fiat now looks like

I think Fiat and Chrysler merged, and Chrysler owned Jeep and maybe Dodge? I can never keep it straight.

Well again business wise maybe, but I'd just call them GM vehicles

Well it changes yearly I think

Huh, apparently fiat owns Alfa Romeo too, I didn't realize that

And Lancia, weird. Wish they'd bring them back.

Let me know when it loops back around to XMPP, good luck

We were talking about this at work yesterday actually… wikipedia races where each person starts on a random topic and has to get to a different topic only by clicking links on the page. Shortest path wins.

Fiat to XMPP would be a good one

That would be fun to program