anyone have a good suggestion how to validate that a listing of a service in disco#items is actually intended by the listed service?
I’m asking in the context of muclumbus/search: it is easy for an adversary to list a service in their disco#items which is accessible via s2s, but which doesn’t want to be listed. For example, if someone wanted to host a "hidden" IRC gateway and someone else noted that, someone else could add it to their disco#items and thus un-hide it.
intosihas joined
tuxhas joined
Kevhas left
winfriedhas left
winfriedhas joined
intosihas left
intosihas joined
labdsfhas joined
marchas joined
Zashhas left
Alexhas joined
dedekinhas left
Alexhas left
Zashhas joined
labdsfhas left
labdsfhas joined
dedekinhas joined
dedekinhas left
dedekinhas joined
intosihas left
intosihas joined
marchas left
UsLhas left
UsLhas joined
alacerhas joined
alacerhas left
Kevhas left
alacerhas joined
Alexhas left
mimi89999has left
Yagizahas left
Yagizahas joined
flow
jonas’, you could possibly filter out items with an xmpp address not being a "child" address of the requested entity
intosihas joined
intosihas joined
winfriedhas joined
intosihas left
intosihas joined
jonas’
flow, how would one determine that?
jonas’
DNS-based? :/
flow
xmpp address based?
flow
and this means domainpart based
flow
but maybe I misunderstand the question
flow
and, yes, this becomes likely infeasiable if the domainpart is an IP address
flow
but if you example.org announce muc.foo.org, then I'd filter it
jonas’
right, so DNS based
jonas’
it should be zone based though, and that’s tricky to do
jonas’
and many not even be generally correct.
jonas’
*sigh*
Kevhas left
Kevhas left
flow
zone based?
intosihas joined
intosihas joined
jonas’
you need to take into account authority breaks in DNS, i.e. delegations
flow
jonas’, I'm curious, has this turned out to be a practical problem? Did someone complain?
jonas’
co.uk. should not be allowed to advertise stuff for fnord.co.uk ;-)
jonas’
no, nobody complained yet, but I’d like to play it safe with resources like IRC gateways
jonas’
which are easy to abuse
jonas’
or may be easy to abuse
jonas’
or something
jonas’
pep. pre-emptively complained when I threw the idea of listing IRC gateways around in some MUC
flow
jonas’, I'm not sure about this, isn't the parent domain is always able to redirect your users?
winfriedhas joined
jonas’
flow, with an attack on DNS, yes.
jonas’
with an attack on DNS, you can do a lot of things
flow
jonas’, no
flow
just because it's your parent domain
flow
you have to trust it anyways
jonas’
I’d count "replace NS records with something I don’t intend them to be" as an attack :)
jonas’
even if they have the power to do so by design
flow
so you trust them to not do that, but you don't trust them to announce your services?
flow
bbl, SIGFOOD
jonas’
I think my preferred way would be to require the child-components disco#items to also include the parent-service, but that’s probably infeasible.
jonas’
gl
vanitasvitaehas left
vanitasvitaehas joined
alexdehas joined
thorstenhas joined
dedekinhas left
dedekinhas joined
pep.
jonas’, really I shouldn't have to wait that you start listing them to filter traffic if I don't want people to use it, but you're the force pushing me to atm :P
intosihas joined
intosihas joined
pep.
I know my gateway is not used by anybody I don't want to, for the moment
j.rhas left
j.rhas joined
ji-efhas joined
alacerhas left
efrithas joined
flow
pep., if you don't want your gateway to be used by other entities on the network it surely provides an options to restrict its usage to local users only?
intosihas joined
intosihas joined
Steve Killehas joined
pep.
flow, I want _some_ s2s users to be able to use it, so mod_firewall, plus additional tricks for disco#items maybe
flow
pep., allright, so whiteliste the entities that are allowed to use it. Doesn't that solve the problem?
pep.
probably, I just need to do it. I didn't need to until now
flow
(And I know that whitelisting can be tricky, depending on the used software. But hiding isn't a solution either)
flow
pep., I'd argue that you needed to do it before too
Valerianhas left
Valerianhas joined
pep.
Well I've been somewhat monitoring access to that and it's not being abused
pep.
But yeah I agree
flow
pep., that could change now, especially since you mentioned publicly that you run an open gateway :-P
flow
I think it is askin to running an open mail relay
Valerianhas left
pep.
I know
flow
*akin
pep.
I don't especially agree with the open mail relay thing
pep.
It's not like I was running an open j2j gateway
pep.
You could want to run an open IRC gateway, and some services do already
pep.
(And eventually I may open that gateway as well)
intosihas joined
Valerianhas joined
Valerianhas left
UsLhas joined
dedekinhas left
dedekinhas joined
matlaghas left
matlaghas joined
Zashhas left
efrithas left
Zashhas left
jonas’
pep., I have a set of mod_firewall rules which do that (allow all local users + s2s whitelist)
intosihas joined
intosihas joined
pep.
jonas’, yeah, working on it
jonas’
pep.,
%LIST whitelist: file:/etc/prosody/fw/data/biboumi-whitelist.txt
%ZONE biboumi: irc.zombofant.net
::deliver
ENTERING: biboumi
ENTERING: $local
NOT CHECK LIST: whitelist contains $<@from|bare>
LOG=[debug] dropping inbound message to biboumi from $<@from|bare>
BOUNCE=forbidden (You are not allowed to access this host.)
::deliver_remote
LEAVING: biboumi
NOT TYPE: error
NOT CHECK LIST: whitelist contains $<@to|bare>
LOG=[debug] dropping outbound message from biboumi to $<@to|bare>
BOUNCE=forbidden (The destination is not authorized to access this host.)
intosihas left
intosihas joined
Valerianhas joined
ji-efhas left
UsLhas joined
Link Mauvehas joined
Steve Killehas left
tuxhas left
UsLhas joined
intosihas left
intosihas joined
Zashhas left
tahas left
intosihas left
intosihas joined
ThibGhas left
ThibGhas joined
guusdkhas left
guusdkhas joined
guusdkhas left
guusdkhas joined
guusdkhas left
guusdkhas joined
dedekinhas left
jjrhhas left
jjrhhas joined
lnjhas left
lnjhas joined
Alexhas joined
guusdkhas left
guusdkhas joined
guusdkhas left
guusdkhas joined
dedekinhas joined
pep.has left
guusdkhas left
lumihas joined
genofirehas joined
jjrhhas left
jjrhhas joined
guusdkhas left
guusdkhas joined
Steve Killehas left
Steve Killehas joined
edhelashas joined
intosihas left
intosihas joined
Holgerhas left
intosihas left
intosihas joined
!xsf_martinhas joined
Steve Killehas left
jjrhhas left
jjrhhas joined
jjrhhas left
jjrhhas joined
mightyBroccolihas left
mightyBroccolihas joined
matlaghas left
matlaghas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
intosihas left
intosihas joined
mimi89999has left
Andrew Nenakhovhas joined
intosihas left
intosihas joined
intosihas joined
intosihas joined
lhas joined
Steve Killehas joined
rionhas left
intosihas joined
nycohas joined
nycohas left
pep.has left
pep.has left
pep.has joined
lskdjfhas joined
pep.has left
pep.has left
andyhas left
Steve Killehas left
matlaghas left
lhas left
lhas joined
matlaghas joined
intosihas left
intosihas joined
pep.has left
Marandahas joined
marchas joined
labdsfhas left
matlaghas left
matlaghas joined
labdsfhas joined
intosihas left
intosihas joined
rionhas left
rionhas left
!xsf_martinhas left
!xsf_martinhas joined
Valerianhas left
efrithas joined
dwdhas left
matlaghas left
matlaghas joined
efrithas left
efrithas joined
alacerhas joined
Steve Killehas joined
alacerhas left
lhas joined
lhas joined
intosihas left
intosihas joined
UsLhas left
UsLhas joined
Guushas left
intosihas left
intosihas joined
efrithas left
rionhas left
rionhas left
matlaghas left
matlaghas joined
Alexhas left
waqashas left
matlaghas left
jjrhhas left
jjrhhas joined
matlaghas joined
Alexhas joined
Alexhas left
genofirehas left
jjrhhas left
jjrhhas joined
jjrhhas left
jjrhhas joined
rionhas left
vanitasvitaehas left
intosihas left
intosihas joined
lskdjfhas joined
jjrhhas left
jjrhhas joined
peterhas joined
jjrhhas left
jjrhhas joined
genofirehas joined
intosihas left
intosihas joined
tahas joined
j.rhas left
moparisthebesthas left
moparisthebesthas joined
j.rhas joined
Nekithas left
Nekithas joined
intosihas left
intosihas joined
jjrhhas left
jjrhhas joined
jjrhhas left
jjrhhas joined
jjrhhas left
jjrhhas joined
matlaghas left
matlaghas joined
jjrhhas left
jjrhhas joined
ralphmhas left
ralphmhas joined
Andrew Nenakhovhas left
Steve Killehas left
ji-efhas joined
matlaghas left
matlaghas joined
waqashas joined
blablahas left
danielhas joined
matlaghas left
matlaghas joined
Zashhas left
intosihas joined
intosihas joined
moparisthebesthas joined
intosihas left
intosihas joined
moparisthebesthas joined
lorddavidiiihas joined
lskdjfhas joined
karphas joined
!xsf_martinhas left
guusdkhas left
guusdkhas joined
guusdkhas left
guusdkhas joined
lhas left
lhas joined
jonas’
hm, maybe it would make sense to require publicly listed gateways to publish contact information.
labdsfhas left
!xsf_martinhas joined
Steve Killehas joined
tahas left
tahas joined
Valerianhas joined
404.cityhas joined
moparisthebesthas left
moparisthebesthas joined
danielhas left
danielhas joined
Guushas left
!xsf_martinhas joined
marchas left
SamWhitedhas left
!xsf_martinhas joined
alexdehas left
alexdehas joined
jerehas joined
ThibGhas left
ThibGhas joined
!xsf_martinhas left
lskdjfhas joined
dedekinhas left
lhas left
lhas joined
jerehas left
jerehas joined
dedekinhas joined
Alexhas joined
Alexhas left
thorstenhas left
jerehas left
ThibGhas left
ThibGhas joined
matlaghas left
matlaghas joined
intosihas joined
intosihas joined
intosihas left
intosihas joined
Alexhas left
lnjhas left
Valerianhas left
Valerianhas joined
Valerianhas left
jonas’
hrm, so there’s no way to detect MIXness of a group chat service from the identity alone?
danielhas left
intosihas joined
intosihas joined
labdsfhas joined
Guushas left
danielhas joined
flow
jonas’, I think this is by design (but could be wrong)
intosihas joined
intosihas joined
mrdoctorwhohas joined
alexdehas left
alexdehas joined
mrdoctorwhohas joined
blablahas left
Steve Killehas left
Guushas left
edhelashas left
edhelashas joined
intosihas joined
intosihas joined
Ge0rG
> hm, maybe it would make sense to require publicly listed gateways to publish contact information.
jonas’: Contact Addresses would fit, but it must be in a server info dataform
jonas’
Ge0rG, I’m confused
jonas’
that’s exactly what I was talking about?
jonas’
but you make it sound like it would be a problem
matlaghas left
matlaghas joined
alexdehas left
alexdehas joined
waqashas left
Ge0rG
I'm not a disco specialist, do components come with a http://jabber.org/network/serverinfo record by default?
jonas’
what is that?
Zash
xep 157 ?
jonas’
ah, that
jonas’
right
jonas’
Ge0rG, probably not, but they should
Ge0rG
How many data forms can you fit into one query result?
Zash
Ge0rG: unbounded
jonas’
Ge0rG, given that conference.jabber.org returns ALL the rooms in a single disco#items, I think we’re good.
jonas’
(and I think you can see when muclumbus queries conference.jabber.org in the traffic graphs because it creates a fun spike)
Ge0rG
Zash: speaking of real life implementations.
jonas’
(and then it discards the result due to malformed JIDs *shrug*)
Zash
this kills the terminal
Zash
Ge0rG: You can have more than one dataform, like you can have more than one identity and more than one feature
Zash
I think I've seen at most two forms
Zash
... maybe I did that myself tho, not sure
Ge0rG
Zash: I've had a look into how poezio processes such a response. I vaguely kept my sanity.