XSF Discussion - 2018-10-15


  1. moparisthebest

    jonas’: unless/until Cisco takes it away haha

  2. jonas’

    anyone have a good suggestion how to validate that a listing of a service in disco#items is actually intended by the listed service? I’m asking in the context of muclumbus/search: it is easy for an adversary to list a service in their disco#items which is accessible via s2s, but which doesn’t want to be listed. For example, if someone wanted to host a "hidden" IRC gateway and someone else noted that, someone else could add it to their disco#items and thus un-hide it.

  3. flow

    jonas’, you could possibly filter out items with an xmpp address not being a "child" address of the requested entity

  4. jonas’

    flow, how would one determine that?

  5. jonas’

    DNS-based? :/

  6. flow

    xmpp address based?

  7. flow

    and this means domainpart based

  8. flow

    but maybe I misunderstand the question

  9. flow

    and, yes, this becomes likely infeasiable if the domainpart is an IP address

  10. flow

    but if you example.org announce muc.foo.org, then I'd filter it

  11. jonas’

    right, so DNS based

  12. jonas’

    it should be zone based though, and that’s tricky to do

  13. jonas’

    and many not even be generally correct.

  14. jonas’

    *sigh*

  15. flow

    zone based?

  16. jonas’

    you need to take into account authority breaks in DNS, i.e. delegations

  17. flow

    jonas’, I'm curious, has this turned out to be a practical problem? Did someone complain?

  18. jonas’

    co.uk. should not be allowed to advertise stuff for fnord.co.uk ;-)

  19. jonas’

    no, nobody complained yet, but I’d like to play it safe with resources like IRC gateways

  20. jonas’

    which are easy to abuse

  21. jonas’

    or may be easy to abuse

  22. jonas’

    or something

  23. jonas’

    pep. pre-emptively complained when I threw the idea of listing IRC gateways around in some MUC

  24. flow

    jonas’, I'm not sure about this, isn't the parent domain is always able to redirect your users?

  25. jonas’

    flow, with an attack on DNS, yes.

  26. jonas’

    with an attack on DNS, you can do a lot of things

  27. flow

    jonas’, no

  28. flow

    just because it's your parent domain

  29. flow

    you have to trust it anyways

  30. jonas’

    I’d count "replace NS records with something I don’t intend them to be" as an attack :)

  31. jonas’

    even if they have the power to do so by design

  32. flow

    so you trust them to not do that, but you don't trust them to announce your services?

  33. flow

    bbl, SIGFOOD

  34. jonas’

    I think my preferred way would be to require the child-components disco#items to also include the parent-service, but that’s probably infeasible.

  35. jonas’

    gl

  36. pep.

    jonas’, really I shouldn't have to wait that you start listing them to filter traffic if I don't want people to use it, but you're the force pushing me to atm :P

  37. pep.

    I know my gateway is not used by anybody I don't want to, for the moment

  38. flow

    pep., if you don't want your gateway to be used by other entities on the network it surely provides an options to restrict its usage to local users only?

  39. pep.

    flow, I want _some_ s2s users to be able to use it, so mod_firewall, plus additional tricks for disco#items maybe

  40. flow

    pep., allright, so whiteliste the entities that are allowed to use it. Doesn't that solve the problem?

  41. pep.

    probably, I just need to do it. I didn't need to until now

  42. flow

    (And I know that whitelisting can be tricky, depending on the used software. But hiding isn't a solution either)

  43. flow

    pep., I'd argue that you needed to do it before too

  44. pep.

    Well I've been somewhat monitoring access to that and it's not being abused

  45. pep.

    But yeah I agree

  46. flow

    pep., that could change now, especially since you mentioned publicly that you run an open gateway :-P

  47. flow

    I think it is askin to running an open mail relay

  48. pep.

    I know

  49. flow

    *akin

  50. pep.

    I don't especially agree with the open mail relay thing

  51. pep.

    It's not like I was running an open j2j gateway

  52. pep.

    You could want to run an open IRC gateway, and some services do already

  53. pep.

    (And eventually I may open that gateway as well)

  54. jonas’

    pep., I have a set of mod_firewall rules which do that (allow all local users + s2s whitelist)

  55. pep.

    jonas’, yeah, working on it

  56. jonas’

    pep., %LIST whitelist: file:/etc/prosody/fw/data/biboumi-whitelist.txt %ZONE biboumi: irc.zombofant.net ::deliver ENTERING: biboumi ENTERING: $local NOT CHECK LIST: whitelist contains $<@from|bare> LOG=[debug] dropping inbound message to biboumi from $<@from|bare> BOUNCE=forbidden (You are not allowed to access this host.) ::deliver_remote LEAVING: biboumi NOT TYPE: error NOT CHECK LIST: whitelist contains $<@to|bare> LOG=[debug] dropping outbound message from biboumi to $<@to|bare> BOUNCE=forbidden (The destination is not authorized to access this host.)

  57. jonas’

    hm, maybe it would make sense to require publicly listed gateways to publish contact information.

  58. jonas’

    hrm, so there’s no way to detect MIXness of a group chat service from the identity alone?

  59. flow

    jonas’, I think this is by design (but could be wrong)

  60. Ge0rG

    > hm, maybe it would make sense to require publicly listed gateways to publish contact information. jonas’: Contact Addresses would fit, but it must be in a server info dataform

  61. jonas’

    Ge0rG, I’m confused

  62. jonas’

    that’s exactly what I was talking about?

  63. jonas’

    but you make it sound like it would be a problem

  64. Ge0rG

    I'm not a disco specialist, do components come with a http://jabber.org/network/serverinfo record by default?

  65. jonas’

    what is that?

  66. Zash

    xep 157 ?

  67. jonas’

    ah, that

  68. jonas’

    right

  69. jonas’

    Ge0rG, probably not, but they should

  70. Ge0rG

    How many data forms can you fit into one query result?

  71. Zash

    Ge0rG: unbounded

  72. jonas’

    Ge0rG, given that conference.jabber.org returns ALL the rooms in a single disco#items, I think we’re good.

  73. jonas’

    (and I think you can see when muclumbus queries conference.jabber.org in the traffic graphs because it creates a fun spike)

  74. Ge0rG

    Zash: speaking of real life implementations.

  75. jonas’

    (and then it discards the result due to malformed JIDs *shrug*)

  76. Zash

    this kills the terminal

  77. Zash

    Ge0rG: You can have more than one dataform, like you can have more than one identity and more than one feature

  78. Zash

    I think I've seen at most two forms

  79. Zash

    ... maybe I did that myself tho, not sure

  80. Ge0rG

    Zash: I've had a look into how poezio processes such a response. I vaguely kept my sanity.

  81. jonas’

    Ge0rG, https://lab.louiz.org/louiz/biboumi/issues/3388 ;-)

  82. Ge0rG

    jonas’: 👍

  83. Zash

    jonas’: I was about to open an issue in biboumi for 157 but was distracted and now someone already did it

  84. jonas’

    "someone" :)

  85. Zash

    SOMEONE

  86. Zash

    Hm, do MUCs commonly have 157?

  87. Ge0rG

    Zash: I can't imagine. Should they?

  88. Zash

    Why not?

  89. jonas’

    Ge0rG, a contact for an admin when you’re facing an attack in one of your room seems useful

  90. Maranda

    They could..

  91. Maranda

    I honestly never put contact info on components

  92. Ge0rG

    jonas’: on the MUC domain? Sure, would be good

  93. Maranda

    (as long as you dont service the muc alone)

  94. Maranda

    (i suppose ppl will look at the upper level domain info)

  95. jonas’

    that’s not a good thing to do automatedly though

  96. pep.

    I have that server_contact loaded on every single vhost/component fwiw

  97. Maranda

    I have it integrated in mod_disco but not every component will use it so (also external components wont at all) it can be tricky for those anyways