XSF Discussion - 2019-01-05

hi, i am having a question regarding the correct use of starttls. i noticed that sleekxmpp just copies the response from the server, and the servers seem to accept that. this leads to the following: s: <starttls><required/></starttls> c: <starttls><required/></starttls> s: <proceed> is this the correct usage, or should child elements be disallowed at this stage? current implementation also allows sending of arbitrary elements like <starttls><penis-required/></starttls>...

Lol

prezident: You're supposed to ignore everything you don't understand.

prezident, most implementations don’t reject invalid attributes or children, but you shouldn’t rely on that.

well, the rfc only states <starttls/> on client side

does that leave room for interpretation?

ejabberd does reject a lot of invalid xml, but not that for example

while it might not be helpful to just change current implementations i was just wondering how to interpret the rfc

prezident, it’s definitely helpful to fix this library to only send what the RFC is asking.

Note that SleekXMPP is kinda abandonned, and you should migrate to slixmpp at some point.

i am on the other side ;)

You should tell your users to move to a non-abandonned library then. ^^

might be fixed already, who knows

the library wasnt my main focus really

i was more like wondering why no server rejects that

In the case of Prosody, it just doesn't really look that closely

Why would it? What does it matter?

i did not take into account that unknown child elements are not to be parsed

but at that stage, there really never are any children

Well, they're to be parsed, but unknown stuff is usually ignored.

Although technically that's meant to be stuff in unknown namespaces.

The code in question doesn't even inspect the payload. It gets triggered by the name and xmlns combo and does its thing

A server would be in its rights to reject that, because it's shoving stuff into a namespace it shouldn't be - but I'd be surprised to find many entities that did so, there's just no value.

Hmm, I can't see prezident's messages.

prezident, please write something.

kev: its a matter of how the parser is implemented

Half-Shot, nothing should hide his messages from you, they are well-formed.

unicode thing?

message id attr?

miranda does not generate ids for groupchat messages

that could be it

prezident: All XML needs to be parsed, because malformed XML must be rejected.

you also can’t really not-parse parts of the XML

kev: no i meant how you walk through the elements

if you want to see what’s behind it

Link Mauve: Okay, could also be a bug in xmpp.js :|

> <message ... id="07d1636f-0e7e-4700-a6b5-edb12ff2ee6d-50B"><body>unicode thing?</body></message>

ah yes

Is that ... poezio adding the id?

yes, poezio does that

or rather, slixmpp ✏

for reasons which are unclear to me

to identify the message...

prezident, on *received* messages? ;-)

that doesn’t make sense

yes, when reentering the room the client needs to know which messages it already showed to the user

which or what? whatever...

That doesn't make sense

it does

I think we’re misunderstanding each other

or the client will save the same message again in its history

slixmpp is adding IDs to messages it has received

random IDs

and will display it one time more on every entering of the chatroom...

since the IDs are added by the *receiving* client and independent of the content, there is no way this can be used for deduplication

oh sorry

to make deduplication work, you have to add IDs on the sending client

or the MUC service

Or somehow magically generate the same ID for the duplicate message again

speaking of which, I’d like MUC services to add IDs to messages if the sending client didn’t.

Didn't we just add "server doesn't touch ids" as a feature?

jonas: mam adds an archive id to messages which fullfils this requirement

Zash, yeah, but non-existent IDs aren’t IDs :)

jonas’, +1, we should add that to MUC.

prezident, requires the MUC to support MAM though, just for simple deduplication

Do it

Do it now

jonas’: of course a workaround only

Zash, where do I get random IDs from again in prosody?

jonas’: util.id

but as this is only important for channels with history, isnt mam the right way to go anyway?

you said that the other day, but I forgot

thanks

"right" in the sense of best practice

jonas’: I'm wondering if the "medium" one should be closer to uuidv4 in entropy

Zash, sounds reasonable

Zash, https://paste.debian.net/hidden/69c1e82e/ ;-)

:)

ah, it ate the tabs again

Ah, so I couldn't see `prezidents` message because the ID wasn't there/ wasn't unique and the bridge dedupes messages across it's users using the ID.

it should not do that with live messages

only with history messages

(if at all)

I'll stick on debug logging to be sure, but I'm certain I've seen the same message arrive for all the participants connected via the bridge.

Well, of course, each participant gets a copy of the message.

you could pick a primary participant whose message view you treat as authoritative

Skype bridge thing from back in the day had a magic user called "Skype" that was that primary user

Probably more correct to forward each message only to the occupant they're destined for

that, too

Potential security issue if the MUC does things like security label based filtering.

1

I was told to advertise this a bit, so also in this MUC: My MIX implementation in QXmpp has working parsing/serialization of most of what's in XEP-0369 and XEP-0405.

https://github.com/qxmpp-project/qxmpp/pull/174 https://github.com/qxmpp-project/qxmpp/pull/175 https://github.com/xsf/xeps/pull/730

‎lnj‎: nice!

TIL https://xmpp.org/extensions/xep-0247.html, which seems like a cool idea. It references http://xmpp.org/extensions/inbox/jingle-xtls.html though, as in it references an /inbox/ XEP. Any idea what happened about it? Why it was not accepted etc.

And todays XMPP archeology subject is ...

> We assume that all XMPP entities will have X.509 certificates hnnnm

I do wonder if something like SPK or SRP would work

Oh, it mentions SRP

Could do stuff with anonmous ciphers and sending some verifier in-band too.

pep.: I imagine the objection is that it's not perfect and you need to trust the server

As a server admin, I would very much like to benefit from plausible deniability, if that can ever be a thing :)

https://mail.jabber.org/pipermail/standards/2009-January/020877.html is the only relevant thing I find from 2009

pep.: "I could plausibly have MITMed your Jingle" ;)

I know..

Is there even encryption for Jingle today?

In use?

I assume XTLS was an attempt at that, maybe the only one(?)

Anybody ever used ESessions?

There's https://xmpp.org/extensions/xep-0396.html but it's pretty new and I haven't heard about anything using it

https://xmpp.org/extensions/xep-0218.html

Maybe one time in 2008

Back when we had working Jingle VoIP and video chat

On phones!!!!1

:D

So yeah reading about XTLS and the first condition being to have an x509 cert, that's going to be meh

"typically self-signed and automatically generated by an XMPP client", and we come back to the same issues we have with verifying fingerprints

Yeah, that's kinda meh

You can do TLS without certs

But then what do you trust

You trust that the NSA is too lazy to MITM your cat pictures

Send some hash through the XMPP channel to the other party and verify it that way

Eg like the channel binding hash used in SCRAM-PLUS

https://www.youtube.com/watch?v=AsXKS8Nyu8Q

Then you get a channel should be about as secure as the XMPP path

Zash, thanks for volunteering! ✏

pep.: done. prosody already supports this ;)

You mean 247 + encrypted session?

since jingle is purely a client thing and all the server needs is to route iq stanzas :)

That's all client stuff right

pff

I knew there was a trick

:D

One does not simply solve the key problem

If OMEMO or some other E2EE had full stanza encryption you could have bootstrapped secure XTLS over that

The thing here with clients negociating encrypted sessions is that we can't even use DANE-like things right?

yes

Zash, then you trust that you OMEMO sessions is "Secure"

you have to trust something

yes

Trust, a complicated story.

session*

There's DANE for S/MIME so it's not entirely irrelevant

I hear you should not use S/MIME anymore for emails at least, (following the efail things. https://media.ccc.de/v/35c3-9463-attacking_end-to-end_email_encryption)

aren’t all the efail things broken cilents which will be fixed eventually?

Even if you manage to convince E2EE enthusiasts to trust DNSSEC...

or is there something conceptually kaputt with S/MIME?

jonas’, I think there's a bit more to it, as in it doesn't include checksum or sth? Don't quote me on this, watch the talk if you have time

Everything is broken

I don’t like "{watch,read,…} $thing" replies

Either that or I watch it again and quote it for you :/

hm

let me find the specific parts

jonas’: I looked at your message but I did not understand it

pep., I’m going to be busy for the remainder of the day anyways

> S/MIME doesn't have a MAC (Message Authentication Code), which means it cannot detect by standards wether a message was changed or not And apparently the Efail-related changes to S/MIME are: > It is therefore recommended that mail systems migrate to using AES-GCM as quickly as possible ^ Efail CBC Gadget attack, and for direct exfiltration attack: > Clients SHOULD treat each of the different pieces of the multipart/mixed construct as being of different origins. So yes that's a client issue, but the guy says "You can just try to convince your email client not to do any external connection. [..] for a cryptographer, this means _broken_"

Apparently OpenPGP is a bit better in a way that it has MDC, Modification Detection Code, but not all keys do this. It was added as info on the key directly for backwards compatibility. And lots of keys don't. Also the standard was not entirely clear what to do with MDC errors, and would still pass the payload to clients