XSF Discussion - 2018-11-05


  1. ralphm

    vanitasvitae: done, should be crawled somewhere in the next 30min

  2. vanitasvitae

    ralphm: nice. Thank you very much :)

  3. jonas’

    is there any reason to use a CSPRNG for stanza @id values?

  4. jonas’

    (if one checks both @from and @id when associating replies)

  5. Zash

    jonas’: Probably overkill, but why not?

  6. jonas’

    Zash, takes double the time

  7. jonas’

    (when sourced from getrandom())

  8. Zash

    because syscall?

  9. jonas’

    yeah

  10. jonas’

    (probably)

  11. Zash

    jonas’: compared to what? and is it a problem?

  12. jonas’

    Zash, compared to the mersenne twister

  13. jonas’

    we’re revisiting how aioxmpp generates stanza IDs

  14. Ge0rG

    I wonder what the possible attack vector is. Injecting IQ responses ahead of the actual response? By whom?

  15. Ge0rG

    Unless you have a smack3 level of stanza correlation, where you just run a packet listener based on the packet ID, ignoring the @from

  16. jonas’

    that was my train of thought, too

  17. jonas’

    anyone who would be able to inject a reply is on the path anyways and can observe the @from and the @id

  18. jonas’

    assuming that s2s authentication and routing in servers works as intended

  19. Ge0rG

    a bold assumption.

  20. jonas’

    so if you can off-path inject stanzas due to broken s2s authentication (but you cannot intercept them entirely), being able to predict stanza IDs would be useful

  21. jonas’

    this could work with broken one-way s2s auth, some dialback stuff for example

  22. Ge0rG

    reminds me of the `Received[s2sout]` debug logs I saw today from my prosody.

  23. jonas’

    but uh

  24. Ge0rG

    s2s directions make me dizzy.

  25. Zash

    don't look at dialback

  26. Ge0rG

    I won't. Dialback, PubSub and MIX are danger zones I avoid at all costs.

  27. jonas’

    so, the attack is rather hard and unlikely (it is more likely that you’ll be able to intercept the sent stanza and send a reply without having to guess the @id) and requires fault in another component

  28. jonas’

    huh, putting dialback into the same bucket as pubsub and mix is ... interesting

  29. Zash

    jonas’: having multiple PRNGs available might lead to accidentally using a weak one for something sensitive, and if it's something that can slowly leak state that might be bad

  30. jonas’

    Zash, that’s what sebi is saying

  31. Kev

    Not reading everything, but predictable IDs are a privacy leak rather than a practical attack, for the most part.

  32. jonas’

    how are they a privacy leak?

  33. Kev

    <message id='sessionstanza4234230498723408974'><body>Sorry, I've only just come online, I've not been ignoring you</...

  34. jonas’

    right

  35. jonas’

    that’s something different than just predictability though

  36. jonas’

    that’s sequential

  37. Kev

    It's somewhere in between, I think.

  38. jonas’

    a mersenne twister is predictable (with enough computing and enough samples), but by seeing a value, you don’t know whether that’s the first, tenth, or 1000th value

  39. Kev

    It doesn't have to be strictly sequential to have this property.

  40. jonas’

    mmm

  41. jonas’

    I see your point though

  42. Kev

    This was mostly a problem for two reasons: 1) People were using 1,2,3... 2) Some libraries are (were?) completely broken and ignored the sender of a stanza as long as the id was expected, so you could inject weird iq responses and they'd trust them.

  43. Kev

    (2) Is just brokenness

  44. Kev

    (1) has the unexpected privacy implications.

  45. Ge0rG

    yaxim is full of (2).

  46. Kev

    I don't think we need crypto-secure IDs.

  47. Ge0rG

    Now give me a CVE!

  48. Zash

    Ge0rG: Weren't there one or more for that already?

  49. Ge0rG

    Zash: not for that, no

  50. Ge0rG

    yaxim's got two CVEs so far IIRC.

  51. Zash

    Ge0rG: I distinctly remember CVE(s) for not checking 'from' on eg roster pushes that affected a *ton* of clients.

  52. Ge0rG

    Zash: yeah, I think smack wasn't affected or somesuch

  53. Alex

    memberbot is online for accepting your votes on the board & council election

  54. Seve

    Great! Thank you Alex

  55. Seve

    And good luck everyone!

  56. jonas’

    thanks, Alex

  57. Ge0rG

    Last time I checked, one of the applications was still empty...

  58. jonas’

    they’re all non-empty :)

  59. Alex

    there was some hard last minute work happening ;-)

  60. jonas’

    as usual..

  61. lovetox

    Gajim uses uuid as id, but i just checked and indeed it does not check the answer adress

  62. lovetox

    just the id

  63. lovetox

    how bad is this?

  64. lovetox

    i guess if someone is in the position to utilize that, then the id doesnt matter anyway because he is a man in the middle?

  65. lovetox

    hm yeah the chance that another contact guesses the uuid at the exact right time is impossible