XSF Discussion - 2018-11-05

vanitasvitae: done, should be crawled somewhere in the next 30min

ralphm: nice. Thank you very much :)

is there any reason to use a CSPRNG for stanza @id values?

(if one checks both @from and @id when associating replies)

jonas’: Probably overkill, but why not?

Zash, takes double the time

(when sourced from getrandom())

because syscall?

yeah

(probably)

jonas’: compared to what? and is it a problem?

Zash, compared to the mersenne twister

we’re revisiting how aioxmpp generates stanza IDs

I wonder what the possible attack vector is. Injecting IQ responses ahead of the actual response? By whom?

Unless you have a smack3 level of stanza correlation, where you just run a packet listener based on the packet ID, ignoring the @from

that was my train of thought, too

anyone who would be able to inject a reply is on the path anyways and can observe the @from and the @id

assuming that s2s authentication and routing in servers works as intended

a bold assumption.

so if you can off-path inject stanzas due to broken s2s authentication (but you cannot intercept them entirely), being able to predict stanza IDs would be useful

this could work with broken one-way s2s auth, some dialback stuff for example

reminds me of the `Received[s2sout]` debug logs I saw today from my prosody.

but uh

s2s directions make me dizzy.

don't look at dialback

I won't. Dialback, PubSub and MIX are danger zones I avoid at all costs.

so, the attack is rather hard and unlikely (it is more likely that you’ll be able to intercept the sent stanza and send a reply without having to guess the @id) and requires fault in another component

huh, putting dialback into the same bucket as pubsub and mix is ... interesting

jonas’: having multiple PRNGs available might lead to accidentally using a weak one for something sensitive, and if it's something that can slowly leak state that might be bad

Zash, that’s what sebi is saying

Not reading everything, but predictable IDs are a privacy leak rather than a practical attack, for the most part.

how are they a privacy leak?

<message id='sessionstanza4234230498723408974'><body>Sorry, I've only just come online, I've not been ignoring you</...

right

that’s something different than just predictability though

that’s sequential

It's somewhere in between, I think.

a mersenne twister is predictable (with enough computing and enough samples), but by seeing a value, you don’t know whether that’s the first, tenth, or 1000th value

It doesn't have to be strictly sequential to have this property.

mmm

I see your point though

This was mostly a problem for two reasons: 1) People were using 1,2,3... 2) Some libraries are (were?) completely broken and ignored the sender of a stanza as long as the id was expected, so you could inject weird iq responses and they'd trust them.

(2) Is just brokenness

(1) has the unexpected privacy implications.

yaxim is full of (2).

I don't think we need crypto-secure IDs.

Now give me a CVE!

Ge0rG: Weren't there one or more for that already?

Zash: not for that, no

yaxim's got two CVEs so far IIRC.

Ge0rG: I distinctly remember CVE(s) for not checking 'from' on eg roster pushes that affected a *ton* of clients.

Zash: yeah, I think smack wasn't affected or somesuch

memberbot is online for accepting your votes on the board & council election

Great! Thank you Alex

And good luck everyone!

thanks, Alex

Last time I checked, one of the applications was still empty...

they’re all non-empty :)

there was some hard last minute work happening ;-)

as usual..

Gajim uses uuid as id, but i just checked and indeed it does not check the answer adress

just the id

how bad is this?

i guess if someone is in the position to utilize that, then the id doesnt matter anyway because he is a man in the middle?

hm yeah the chance that another contact guesses the uuid at the exact right time is impossible