XSF Discussion - 2018-10-15

  1. blabla has left

  2. dedekin has joined

  3. vanitasvitae has left

  4. j.r has joined

  5. j.r has joined

  6. moparisthebest has left

  7. moparisthebest has joined

  8. lskdjf has joined

  9. efrit has left

  10. guusdk has left

  11. Guus has left

  12. Guus has joined

  13. guusdk has joined

  14. lskdjf has joined

  15. SamWhited has left

  16. Steve Kille has left

  17. lskdjf has joined

  18. lskdjf has joined

  19. moparisthebest

    jonas’: unless/until Cisco takes it away haha

  20. intosi has joined

  21. intosi has joined

  22. daniel has joined

  23. andrey.g has left

  24. andrey.g has joined

  25. intosi has left

  26. intosi has joined

  27. intosi has left

  28. intosi has joined

  29. mrdoctorwho has joined

  30. mrdoctorwho has joined

  31. ta has joined

  32. Yagiza has joined

  33. mrdoctorwho has left

  34. mrdoctorwho has joined

  35. daniel has left

  36. daniel has joined

  37. daniel has left

  38. daniel has joined

  39. lorddavidiii has joined

  40. lumi has joined

  41. lskdjf has joined

  42. mimi89999 has left

  43. ta has left

  44. lumi has left

  45. alacer has joined

  46. Nekit has joined

  47. l has left

  48. l has joined

  49. moparisthebest has joined

  50. lskdjf has left

  51. lskdjf has joined

  52. alacer has left

  53. lskdjf has joined

  54. SamWhited has left

  55. lovetox has joined

  56. Valerian has joined

  57. daniel has left

  58. daniel has joined

  59. Valerian has left

  60. Valerian has joined

  61. Maranda has left

  62. Valerian has joined

  63. Maranda has joined

  64. Valerian has joined

  65. Valerian has left

  66. Valerian has joined

  67. daniel has left

  68. lovetox has left

  69. lovetox has joined

  70. lovetox has left

  71. lovetox has joined

  72. lorddavidiii has left

  73. lovetox has left

  74. lovetox has joined

  75. lovetox has left

  76. lovetox has joined

  77. lovetox has left

  78. lovetox has joined

  79. lovetox has left

  80. moparisthebest has left

  81. moparisthebest has joined

  82. intosi has left

  83. intosi has joined

  84. Valerian has left

  85. intosi has left

  86. intosi has joined

  87. lnj has joined

  88. andy has joined

  89. andy has left

  90. andy has joined

  91. Valerian has joined

  92. Valerian has left

  93. lnj has left

  94. lnj has joined

  95. Nekit has left

  96. lnj has left

  97. lnj has joined

  98. labdsf has left

  99. l has joined

  100. Valerian has joined

  101. Nekit has joined

  102. thorsten has left

  103. Zash has left

  104. intosi has left

  105. intosi has joined

  106. Nekit has left

  107. Nekit has joined

  108. intosi has left

  109. intosi has joined

  110. guusdk has left

  111. guusdk has joined

  112. Tobias has joined

  113. Tobias has joined

  114. guusdk has left

  115. guusdk has joined

  116. Zash has left

  117. intosi has left

  118. intosi has joined

  119. Zash has joined

  120. jonas’

    anyone have a good suggestion how to validate that a listing of a service in disco#items is actually intended by the listed service? I’m asking in the context of muclumbus/search: it is easy for an adversary to list a service in their disco#items which is accessible via s2s, but which doesn’t want to be listed. For example, if someone wanted to host a "hidden" IRC gateway and someone else noted that, someone else could add it to their disco#items and thus un-hide it.

  121. intosi has joined

  122. tux has joined

  123. Kev has left

  124. winfried has left

  125. winfried has joined

  126. intosi has left

  127. intosi has joined

  128. labdsf has joined

  129. marc has joined

  130. Zash has left

  131. Alex has joined

  132. dedekin has left

  133. Alex has left

  134. Zash has joined

  135. labdsf has left

  136. labdsf has joined

  137. dedekin has joined

  138. dedekin has left

  139. dedekin has joined

  140. intosi has left

  141. intosi has joined

  142. marc has left

  143. UsL has left

  144. UsL has joined

  145. alacer has joined

  146. alacer has left

  147. Kev has left

  148. alacer has joined

  149. Alex has left

  150. mimi89999 has left

  151. Yagiza has left

  152. Yagiza has joined

  153. flow

    jonas’, you could possibly filter out items with an xmpp address not being a "child" address of the requested entity

  154. intosi has joined

  155. intosi has joined

  156. winfried has joined

  157. intosi has left

  158. intosi has joined

  159. jonas’

    flow, how would one determine that?

  160. jonas’

    DNS-based? :/

  161. flow

    xmpp address based?

  162. flow

    and this means domainpart based

  163. flow

    but maybe I misunderstand the question

  164. flow

    and, yes, this becomes likely infeasiable if the domainpart is an IP address

  165. flow

    but if you example.org announce muc.foo.org, then I'd filter it

  166. jonas’

    right, so DNS based

  167. jonas’

    it should be zone based though, and that’s tricky to do

  168. jonas’

    and many not even be generally correct.

  169. jonas’


  170. Kev has left

  171. Kev has left

  172. flow

    zone based?

  173. intosi has joined

  174. intosi has joined

  175. jonas’

    you need to take into account authority breaks in DNS, i.e. delegations

  176. flow

    jonas’, I'm curious, has this turned out to be a practical problem? Did someone complain?

  177. jonas’

    co.uk. should not be allowed to advertise stuff for fnord.co.uk ;-)

  178. jonas’

    no, nobody complained yet, but I’d like to play it safe with resources like IRC gateways

  179. jonas’

    which are easy to abuse

  180. jonas’

    or may be easy to abuse

  181. jonas’

    or something

  182. jonas’

    pep. pre-emptively complained when I threw the idea of listing IRC gateways around in some MUC

  183. flow

    jonas’, I'm not sure about this, isn't the parent domain is always able to redirect your users?

  184. winfried has joined

  185. jonas’

    flow, with an attack on DNS, yes.

  186. jonas’

    with an attack on DNS, you can do a lot of things

  187. flow

    jonas’, no

  188. flow

    just because it's your parent domain

  189. flow

    you have to trust it anyways

  190. jonas’

    I’d count "replace NS records with something I don’t intend them to be" as an attack :)

  191. jonas’

    even if they have the power to do so by design

  192. flow

    so you trust them to not do that, but you don't trust them to announce your services?

  193. flow

    bbl, SIGFOOD

  194. jonas’

    I think my preferred way would be to require the child-components disco#items to also include the parent-service, but that’s probably infeasible.

  195. jonas’


  196. vanitasvitae has left

  197. vanitasvitae has joined

  198. alexde has joined

  199. thorsten has joined

  200. dedekin has left

  201. dedekin has joined

  202. pep.

    jonas’, really I shouldn't have to wait that you start listing them to filter traffic if I don't want people to use it, but you're the force pushing me to atm :P

  203. intosi has joined

  204. intosi has joined

  205. pep.

    I know my gateway is not used by anybody I don't want to, for the moment

  206. j.r has left

  207. j.r has joined

  208. ji-ef has joined

  209. alacer has left

  210. efrit has joined

  211. flow

    pep., if you don't want your gateway to be used by other entities on the network it surely provides an options to restrict its usage to local users only?

  212. intosi has joined

  213. intosi has joined

  214. Steve Kille has joined

  215. pep.

    flow, I want _some_ s2s users to be able to use it, so mod_firewall, plus additional tricks for disco#items maybe

  216. flow

    pep., allright, so whiteliste the entities that are allowed to use it. Doesn't that solve the problem?

  217. pep.

    probably, I just need to do it. I didn't need to until now

  218. flow

    (And I know that whitelisting can be tricky, depending on the used software. But hiding isn't a solution either)

  219. flow

    pep., I'd argue that you needed to do it before too

  220. Valerian has left

  221. Valerian has joined

  222. pep.

    Well I've been somewhat monitoring access to that and it's not being abused

  223. pep.

    But yeah I agree

  224. flow

    pep., that could change now, especially since you mentioned publicly that you run an open gateway :-P

  225. flow

    I think it is askin to running an open mail relay

  226. Valerian has left

  227. pep.

    I know

  228. flow


  229. pep.

    I don't especially agree with the open mail relay thing

  230. pep.

    It's not like I was running an open j2j gateway

  231. pep.

    You could want to run an open IRC gateway, and some services do already

  232. pep.

    (And eventually I may open that gateway as well)

  233. intosi has joined

  234. Valerian has joined

  235. Valerian has left

  236. UsL has joined

  237. dedekin has left

  238. dedekin has joined

  239. matlag has left

  240. matlag has joined

  241. Zash has left

  242. efrit has left

  243. Zash has left

  244. jonas’

    pep., I have a set of mod_firewall rules which do that (allow all local users + s2s whitelist)

  245. intosi has joined

  246. intosi has joined

  247. pep.

    jonas’, yeah, working on it

  248. jonas’

    pep., %LIST whitelist: file:/etc/prosody/fw/data/biboumi-whitelist.txt %ZONE biboumi: irc.zombofant.net ::deliver ENTERING: biboumi ENTERING: $local NOT CHECK LIST: whitelist contains $<@from|bare> LOG=[debug] dropping inbound message to biboumi from $<@from|bare> BOUNCE=forbidden (You are not allowed to access this host.) ::deliver_remote LEAVING: biboumi NOT TYPE: error NOT CHECK LIST: whitelist contains $<@to|bare> LOG=[debug] dropping outbound message from biboumi to $<@to|bare> BOUNCE=forbidden (The destination is not authorized to access this host.)

  249. intosi has left

  250. intosi has joined

  251. Valerian has joined

  252. ji-ef has left

  253. UsL has joined

  254. Link Mauve has joined

  255. Steve Kille has left

  256. tux has left

  257. UsL has joined

  258. intosi has left

  259. intosi has joined

  260. Zash has left

  261. ta has left

  262. intosi has left

  263. intosi has joined

  264. ThibG has left

  265. ThibG has joined

  266. guusdk has left

  267. guusdk has joined

  268. guusdk has left

  269. guusdk has joined

  270. guusdk has left

  271. guusdk has joined

  272. dedekin has left

  273. jjrh has left

  274. jjrh has joined

  275. lnj has left

  276. lnj has joined

  277. Alex has joined

  278. guusdk has left

  279. guusdk has joined

  280. guusdk has left

  281. guusdk has joined

  282. dedekin has joined

  283. pep. has left

  284. guusdk has left

  285. lumi has joined

  286. genofire has joined

  287. jjrh has left

  288. jjrh has joined

  289. guusdk has left

  290. guusdk has joined

  291. Steve Kille has left

  292. Steve Kille has joined

  293. edhelas has joined

  294. intosi has left

  295. intosi has joined

  296. Holger has left

  297. intosi has left

  298. intosi has joined

  299. !xsf_martin has joined

  300. Steve Kille has left

  301. jjrh has left

  302. jjrh has joined

  303. jjrh has left

  304. jjrh has joined

  305. mightyBroccoli has left

  306. mightyBroccoli has joined

  307. matlag has left

  308. matlag has joined

  309. Andrew Nenakhov has left

  310. Andrew Nenakhov has joined

  311. intosi has left

  312. intosi has joined

  313. mimi89999 has left

  314. Andrew Nenakhov has joined

  315. intosi has left

  316. intosi has joined

  317. intosi has joined

  318. intosi has joined

  319. l has joined

  320. Steve Kille has joined

  321. rion has left

  322. intosi has joined

  323. nyco has joined

  324. nyco has left

  325. pep. has left

  326. pep. has left

  327. pep. has joined

  328. lskdjf has joined

  329. pep. has left

  330. pep. has left

  331. andy has left

  332. Steve Kille has left

  333. matlag has left

  334. l has left

  335. l has joined

  336. matlag has joined

  337. intosi has left

  338. intosi has joined

  339. pep. has left

  340. Maranda has joined

  341. marc has joined

  342. labdsf has left

  343. matlag has left

  344. matlag has joined

  345. labdsf has joined

  346. intosi has left

  347. intosi has joined

  348. rion has left

  349. rion has left

  350. !xsf_martin has left

  351. !xsf_martin has joined

  352. Valerian has left

  353. efrit has joined

  354. dwd has left

  355. matlag has left

  356. matlag has joined

  357. efrit has left

  358. efrit has joined

  359. alacer has joined

  360. Steve Kille has joined

  361. alacer has left

  362. l has joined

  363. l has joined

  364. intosi has left

  365. intosi has joined

  366. UsL has left

  367. UsL has joined

  368. Guus has left

  369. intosi has left

  370. intosi has joined

  371. efrit has left

  372. rion has left

  373. rion has left

  374. matlag has left

  375. matlag has joined

  376. Alex has left

  377. waqas has left

  378. matlag has left

  379. jjrh has left

  380. jjrh has joined

  381. matlag has joined

  382. Alex has joined

  383. Alex has left

  384. genofire has left

  385. jjrh has left

  386. jjrh has joined

  387. jjrh has left

  388. jjrh has joined

  389. rion has left

  390. vanitasvitae has left

  391. intosi has left

  392. intosi has joined

  393. lskdjf has joined

  394. jjrh has left

  395. jjrh has joined

  396. peter has joined

  397. jjrh has left

  398. jjrh has joined

  399. genofire has joined

  400. intosi has left

  401. intosi has joined

  402. ta has joined

  403. j.r has left

  404. moparisthebest has left

  405. moparisthebest has joined

  406. j.r has joined

  407. Nekit has left

  408. Nekit has joined

  409. intosi has left

  410. intosi has joined

  411. jjrh has left

  412. jjrh has joined

  413. jjrh has left

  414. jjrh has joined

  415. jjrh has left

  416. jjrh has joined

  417. matlag has left

  418. matlag has joined

  419. jjrh has left

  420. jjrh has joined

  421. ralphm has left

  422. ralphm has joined

  423. Andrew Nenakhov has left

  424. Steve Kille has left

  425. ji-ef has joined

  426. matlag has left

  427. matlag has joined

  428. waqas has joined

  429. blabla has left

  430. daniel has joined

  431. matlag has left

  432. matlag has joined

  433. Zash has left

  434. intosi has joined

  435. intosi has joined

  436. moparisthebest has joined

  437. intosi has left

  438. intosi has joined

  439. moparisthebest has joined

  440. lorddavidiii has joined

  441. lskdjf has joined

  442. karp has joined

  443. !xsf_martin has left

  444. guusdk has left

  445. guusdk has joined

  446. guusdk has left

  447. guusdk has joined

  448. l has left

  449. l has joined

  450. jonas’

    hm, maybe it would make sense to require publicly listed gateways to publish contact information.

  451. labdsf has left

  452. !xsf_martin has joined

  453. Steve Kille has joined

  454. ta has left

  455. ta has joined

  456. Valerian has joined

  457. 404.city has joined

  458. moparisthebest has left

  459. moparisthebest has joined

  460. daniel has left

  461. daniel has joined

  462. Guus has left

  463. !xsf_martin has joined

  464. marc has left

  465. SamWhited has left

  466. !xsf_martin has joined

  467. alexde has left

  468. alexde has joined

  469. jere has joined

  470. ThibG has left

  471. ThibG has joined

  472. !xsf_martin has left

  473. lskdjf has joined

  474. dedekin has left

  475. l has left

  476. l has joined

  477. jere has left

  478. jere has joined

  479. dedekin has joined

  480. Alex has joined

  481. Alex has left

  482. thorsten has left

  483. jere has left

  484. ThibG has left

  485. ThibG has joined

  486. matlag has left

  487. matlag has joined

  488. intosi has joined

  489. intosi has joined

  490. intosi has left

  491. intosi has joined

  492. Alex has left

  493. lnj has left

  494. Valerian has left

  495. Valerian has joined

  496. Valerian has left

  497. jonas’

    hrm, so there’s no way to detect MIXness of a group chat service from the identity alone?

  498. daniel has left

  499. intosi has joined

  500. intosi has joined

  501. labdsf has joined

  502. Guus has left

  503. daniel has joined

  504. flow

    jonas’, I think this is by design (but could be wrong)

  505. intosi has joined

  506. intosi has joined

  507. mrdoctorwho has joined

  508. alexde has left

  509. alexde has joined

  510. mrdoctorwho has joined

  511. blabla has left

  512. Steve Kille has left

  513. Guus has left

  514. edhelas has left

  515. edhelas has joined

  516. intosi has joined

  517. intosi has joined

  518. Ge0rG

    > hm, maybe it would make sense to require publicly listed gateways to publish contact information. jonas’: Contact Addresses would fit, but it must be in a server info dataform

  519. jonas’

    Ge0rG, I’m confused

  520. jonas’

    that’s exactly what I was talking about?

  521. jonas’

    but you make it sound like it would be a problem

  522. matlag has left

  523. matlag has joined

  524. alexde has left

  525. alexde has joined

  526. waqas has left

  527. Ge0rG

    I'm not a disco specialist, do components come with a http://jabber.org/network/serverinfo record by default?

  528. jonas’

    what is that?

  529. Zash

    xep 157 ?

  530. jonas’

    ah, that

  531. jonas’


  532. jonas’

    Ge0rG, probably not, but they should

  533. Ge0rG

    How many data forms can you fit into one query result?

  534. Zash

    Ge0rG: unbounded

  535. jonas’

    Ge0rG, given that conference.jabber.org returns ALL the rooms in a single disco#items, I think we’re good.

  536. jonas’

    (and I think you can see when muclumbus queries conference.jabber.org in the traffic graphs because it creates a fun spike)

  537. Ge0rG

    Zash: speaking of real life implementations.

  538. jonas’

    (and then it discards the result due to malformed JIDs *shrug*)

  539. Zash

    this kills the terminal

  540. Zash

    Ge0rG: You can have more than one dataform, like you can have more than one identity and more than one feature

  541. Zash

    I think I've seen at most two forms

  542. Zash

    ... maybe I did that myself tho, not sure

  543. Ge0rG

    Zash: I've had a look into how poezio processes such a response. I vaguely kept my sanity.

  544. jonas’

    Ge0rG, https://lab.louiz.org/louiz/biboumi/issues/3388 ;-)

  545. matlag has left

  546. matlag has joined

  547. Ge0rG

    jonas’: 👍

  548. intosi has joined

  549. Steve Kille has joined

  550. Steve Kille has left

  551. Zash

    jonas’: I was about to open an issue in biboumi for 157 but was distracted and now someone already did it

  552. jonas’

    "someone" :)

  553. Zash


  554. blabla has left

  555. ThibG has left

  556. ThibG has joined

  557. l has joined

  558. l has joined

  559. Zash

    Hm, do MUCs commonly have 157?

  560. intosi has joined

  561. Ge0rG

    Zash: I can't imagine. Should they?

  562. Zash

    Why not?

  563. jonas’

    Ge0rG, a contact for an admin when you’re facing an attack in one of your room seems useful

  564. Maranda

    They could..

  565. Maranda

    I honestly never put contact info on components

  566. Ge0rG

    jonas’: on the MUC domain? Sure, would be good

  567. Maranda

    (as long as you dont service the muc alone)

  568. Yagiza has left

  569. Maranda

    (i suppose ppl will look at the upper level domain info)

  570. jonas’

    that’s not a good thing to do automatedly though

  571. pep.

    I have that server_contact loaded on every single vhost/component fwiw

  572. l has joined

  573. l has joined

  574. blabla has left

  575. matlag has left

  576. matlag has joined

  577. matlag has left

  578. matlag has joined

  579. labdsf has left

  580. labdsf has joined

  581. Maranda

    I have it integrated in mod_disco but not every component will use it so (also external components wont at all) it can be tricky for those anyways

  582. intosi has joined

  583. intosi has joined

  584. intosi has left

  585. intosi has joined

  586. intosi has joined

  587. intosi has joined

  588. matlag has left

  589. matlag has joined

  590. valo has left

  591. valo has joined

  592. labdsf has left

  593. labdsf has joined

  594. labdsf has left

  595. labdsf has joined

  596. Steve Kille has left

  597. lorddavidiii has left

  598. jjrh has left

  599. jjrh has joined

  600. jjrh has left

  601. jjrh has joined

  602. intosi has joined

  603. intosi has joined

  604. alexde has left

  605. alexde has joined

  606. matlag has left

  607. matlag has joined

  608. 404.city has left

  609. 404.city has joined

  610. marc has joined

  611. intosi has joined

  612. dedekin has left

  613. jjrh has left

  614. jjrh has joined

  615. jjrh has left

  616. jjrh has joined

  617. 404.city has left

  618. alexde has left

  619. Steve Kille has left

  620. jjrh has left

  621. jjrh has joined

  622. labdsf has left

  623. lnj has left

  624. Steve Kille has joined

  625. ji-ef has joined

  626. SamWhited has left

  627. labdsf has joined

  628. Nekit has joined

  629. Steve Kille has left

  630. Steve Kille has joined

  631. intosi has left

  632. intosi has joined

  633. ThibG has joined

  634. ThibG has joined

  635. Maranda has left

  636. matlag has left

  637. matlag has joined

  638. marc has left

  639. intosi has joined

  640. intosi has joined

  641. lorddavidiii has joined

  642. lnj has left

  643. waqas has joined

  644. lnj has left

  645. js has joined

  646. jjrh has left

  647. jjrh has joined

  648. matlag has left

  649. matlag has joined

  650. lorddavidiii has left

  651. matlag has left

  652. matlag has joined

  653. lumi has left

  654. Zash has left

  655. blabla has left

  656. thorsten has left

  657. thorsten has joined

  658. matlag has left

  659. matlag has joined

  660. matlag has left

  661. matlag has joined

  662. intosi has left

  663. Zash has left

  664. intosi has joined

  665. MattJ has joined

  666. blabla has left

  667. blabla has joined

  668. lskdjf has joined

  669. Alex has joined

  670. Alex has left

  671. peter has left

  672. Andrew Nenakhov has left

  673. Andrew Nenakhov has left

  674. Andrew Nenakhov has joined

  675. Syndace has joined

  676. intosi has left

  677. intosi has joined

  678. peter has joined

  679. UsL has left

  680. lskdjf has joined

  681. lskdjf has joined

  682. matlag has left

  683. matlag has joined