-
moparisthebest
what's the proper thing to use for a new namespace for a ProtoXEP ?
-
moparisthebest
like a URL I control, or make something up in urn:xmpp:X ?
-
moparisthebest
went ahead with my own URL for now, if that's not right could someone let me know? https://github.com/xsf/xeps/pull/765
-
zinid
moparisthebest: `urn:xmpp:X:0`
-
Wiktor
Isn't it `urn:xmpp:tmp:X`?
-
zinid
Wiktor: I think we got rid of tmp?
-
Wiktor
Oh, sorry then, I'm not up to date with this stuff
-
zinid
the problem with tmp is that it's quite possible that namespace wouldn't be bumped
-
zinid
and tmp will go into final
-
Wiktor
Yeah, that's the same with `X-*` headers in HTTP. They are discouraged now.
-
jonas’
moparisthebest, use something which is sensible from the urn:xmpp: namespace
-
zinid
urn:xmpp:dox apparently
-
jonas’
for example, yes
-
jonas’
:dox:0 even
-
zinid
let's pollute the namespace by april 1st jokes!
-
jonas’
is that an april 1st joke?
-
zinid
yes
-
jonas’
oh
-
jonas’
I thought moparisthebest was serious.
-
zinid
yeah, you never know
-
jonas’
indeed
-
zinid
probably worth adding "humor" to the namespace path
-
jonas’
:tmp would be less obvious and still ok
-
zinid
whatever, I just think acquiring "dox" acronym is not a very good idea, because it sounds nice and may be reused in more serious xeps
-
jonas’
but it’s also fun because of doxing
-
zinid
yeah, so just append something to the namespace, don't let it be urn:xmpp:dox:*
-
zinid
urn:xmpp:humor:dox, whatever
-
jonas’
moparisthebest, urn:xmpp:tmp:dox seems good for now
-
jonas’
:tmp shouldn’t be used by serious protoxeps, and it looks innocent enough :)
-
dwd
We used to use :tmp: for all Experimental XEPs, but dropped it because it wasn't a stable namespace, and we wanted people to implement early and safely with Experimental. Of course, this has other downsides, like deployment pressure, but that's something I'm happier to live with.
-
dwd
But loosely, :tmp: was our X-.
-
dwd
zinid, urn:xmpp:humor is reserved for Officially Humourous Things, surely? Do we need a work team to decide what is Officially Funny?
-
zinid
dwd, sure we can schedule that work at April 1st
-
Seve
Not a fan of that personally
-
Guus
Seve you might have missed the importance of the suggested date.
-
Ge0rG
https://matrix.org/blog/2019/03/12/breaking-the-100bps-barrier-with-matrix-meshsim-coap-proxy/
-
zinid
Ge0rG: already on HN?
-
Ge0rG
No idea. But it's 25bps higher than STANAG XMPP
-
zinid
damn
-
Ge0rG
Higher = worse.
-
zinid
ah, right
-
zinid
good then
-
zinid
I use stanag all the time in the lift
-
Guus
How often are you in a lift?
-
zinid
I didn't count 🤔
-
zinid
a few times a day?
-
zinid
subway is also a good source of high quality stanags
-
Guus
Please add a "XMPP STANAG TESTING ZONE" sticker.
-
Guus
https://www.lemark.co.uk/custom-printing/printed-barrier-tape/
-
moparisthebest
I updated the namespace on the PR jonas’
-
moparisthebest
also that was part of my evil plan all along, I'll push this thing all the way to final leaving everyone wondering forever more "wait a second, is this a joke or not" >:)
-
jonas’
humorous track doesn’t have final
-
moparisthebest
I have it as Standards Track :D
-
Zash
Implement and deploy!
-
Zash
Like the JSON for BOSH XEP
-
moparisthebest
Zash, already done! https://github.com/moparisthebest/jDnsProxy/tree/dox deployed at xmpp:dns@moparisthebest.com/listener
-
Zash
!
-
moparisthebest
run it on your router, force your whole network DNS queries over XMPP
-
MattJ
and one day it will surface that DNS over HTTP was actually a similar joke that went too far?
-
moparisthebest
actually in ways this is better than DoH because of the long lived connection, no TLS setup each time etc
-
jonas’
you can have long-lived connections with HTTP, too
-
Zash
You can.
-
Zash
But do you?
-
moparisthebest
not quite *as* long lived, or as easily
-
moparisthebest
that is to say, the server is gonna disconnect you regularly
-
jonas’
a DoX server might as well
-
MattJ
DoXoH
-
jonas’
DoX-over-BOSH?
-
MattJ
Yes
-
moparisthebest
DoX isn't necessarily a server, my implementation of it right now is a client
-
Zash
over IP-over-DNS?
-
jonas’
moparisthebest, but you need a server as entry-point
-
moparisthebest
sure
-
jonas’
and that might disconnect you
-
moparisthebest
use it in combination with ping?
-
Ge0rG
moparisthebest: does it respond to plaintext requests?
-
Ge0rG
You always need to introduce a legacy mode
-
moparisthebest
nope needs raw DNS bytes
-
Ge0rG
How am I supposed to operate it from mobile, then?
-
moparisthebest
make a program to convert text to raw bytes, I use dig :D
-
moparisthebest
from mobile, use dig from Termux
-
Guus
At some point I'm going to throw a bucket full of ice cold water over you guys.
- jonas’ steps away
- jonas’ holds and caresses his sed(1)
-
jonas’
my preciouuusssss
- Guus adds more ice to the bucket.
-
jonas’
speaking of twisting stuff in ways to have fun with it: jslinux (<https://bellard.org/jslinux/vm.html?url=https://bellard.org/jslinux/buildroot-x86-xwin.cfg&graphic=1>) supports X11 and networking by now, networking happens via a general ethernet-layer WebSocket VPN (see http://www.benjamincburns.com/2013/11/10/jor1k-ethmac-support.html )
-
flow
moparisthebest, I am not sure that DoX should be humorous, it could prove useful
-
moparisthebest
I agree
-
flow
uh, it is standards track
-
moparisthebest
yep I did that on purpose, I'd still like it released on April 1st just for the ensuing hilarity and confusion though :D
-
flow
I was assuming it to be a <type>humorous</type> XEP based on your comment to accept it on 1.4
-
flow
mission accomplished I'd say ;)
-
Zash
Master level trolling you got there :)
-
moparisthebest
yay
-
ralphm
moparisthebest: https://xmpp.org/extensions/xep-0053.html#namespaces
-
ralphm
(for reference)
-
Seve
> Seve you might have missed the importance of the suggested date.
Yes, I was saying that I don't feel very comfortable using XEPs for humorous things, just my personal opinion. I would just use a blog page or something that 1st of April and that's all.
-
ralphm
What is officially funny is up to the Editor.
-
ralphm
Seve: tough luck
-
Guus
who is German.
- Guus ducks, runs.
-
ralphm
Guus: tsk
-
Seve
ralphm, I'm not asking to change anything, just mentioning how I see it :) Never in my life encountered this, maybe that is English culture I don't know, but I'm not used to having official stuff being used for jokes, let's say. Again, this has been like that for ages, not going to ask for a change :)
-
ralphm
Seve: welcome to the world of standards bodies
-
ralphm
This might be a good start: https://tangentsoft.net/rfcs/humorous.html
-
moparisthebest
Seve, yea there is already a long history https://xmpp.org/extensions/xep-0183.html
-
ralphm
http://www.openrfc.org/humour.pl
-
Seve
moparisthebest, I'm aware :)
-
moparisthebest
besides in my opinion DoX is no more or less silly than DoH and everyone and their brother implements that so... :)
-
ralphm
I'm not sure if I agree DoH is silly in and of itself. I do think that having only two services for it (Google and Cloudflare) is terrible.
-
moparisthebest
and that quad9 one and anyone else that wants to run one
-
moparisthebest
but I agree with what I think your point is, that sending all DNS queries to a much smaller number of resolvers is a bad idea :)
-
ralphm
Right
-
ralphm
But as a protocol concept I'm not against.
-
Zash
But I am! HTTP-ification of all the things annoy me!
-
moparisthebest
start a DoX resolver now! be the change you want to see!
-
Zash
moparisthebest: Adding support to unbound you say?
-
moparisthebest
my resolver asks unbound yes
-
moparisthebest
which asks jdnsproxy, which asks a random dns-over-tls resolver over tor :)
-
moparisthebest
but you don't have to be *as* crazy
-
moparisthebest
you can just configure it to ask unbound
-
ralphm
I thought this was a great overview of this topic: https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/
-
Ge0rG
Indeed, thanks for the link!
-
moparisthebest
the way I solve that personally is by querying DNS-over-TLS servers from a range of providers over tor
-
moparisthebest
I can trust I'm talking to who I think I am and evil exit nodes aren't modifying anything, they don't know who I am, no 1 provider has all queries, and I validate DNSSEC myself anyway
-
Ge0rG
That's... complicated
-
moparisthebest
what is?
-
Ge0rG
Your setup of DNS over Tor
-
moparisthebest
well I did end up writing jDnsProxy to support it yea, existing options weren't that great
-
moparisthebest
but *now* it's seamless :P
-
Ge0rG
Except for the 300ms latency?
-
moparisthebest
that's what serve-stale is for https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale
-
moparisthebest
also unbound has various options to keep well used queries refreshed and such, overall it works quite well
-
Ge0rG
Some days ago I realized that the smack socks proxy client doesn't work with orbot.
-
ralphm
moparisthebest: is DNSSEC really a good thing, though? I've always wondered about its true utility and this thread didn't make it better. https://news.ycombinator.com/item?id=19241225
-
Zash
Are you reading the comments? On HN of all places?
-
moparisthebest
ralphm, eh it's totally different, a CA can issue a cert, not put it in the (new) cert log, and browsers etc still mostly trust it
-
moparisthebest
while .com *could* falsely sign a bad key, it's crazy public to do so
-
ralphm
Because many comments are bad, that doesn't mean all of them are. If you take your position to the extreme, you can stop reading on the internet. Or anywhere, I suppose.
-
moparisthebest
basically impossible to do targeted attacks with DNSSEC
-
ralphm
moparisthebest: so I understand you trust the security aspects of DNSSEC itself?
-
Zash
HN seems to think that anything that isn't HTTPS needs to die. If it's not JSON over HTTPS, then why even care?
-
moparisthebest
ralphm, I think by itself it's better than the current CA setup we have now, but combining them would be even better
-
Zash
And in that world, where HTTPS protects you from everything harmful, there's no need for anything else. DNSSEC is useless. IPv6 is useless.
-
Ge0rG
moparisthebest: I think you can do a targeted attack if you have control over a TLD zone and mitm your victim.
-
Zash
And XMPP is the most useless thing of all, it's not even JSON over HTTPS. Why even bother!
-
Zash
SCRAM is also useless. Why not just send plain text passwords over HTTPS? Can't be more perfectly secure than that!
-
Seve
True dat
-
Ge0rG
I think the biggest selling point of DNSSEC got lost with letsencrypt.
-
Zash
Ge0rG: The price? Yes.
-
Zash
Let's Encrypt also killed CAcert.org
-
Ge0rG
(you can get a free trusted certificate for your deployment)
-
Ge0rG
Zash: that's not true. CACert perfectly killed itself.
-
Zash
And they're well on their way to killing all other CAs and becoming ultimate gatekeeper for everything. Especially since everything must be HTTPS
-
Ge0rG
Zash: you need to take your depression medicine!
-
moparisthebest
Ge0rG: moparisthebest: I think you can do a targeted attack if you have control over a TLD zone and mitm your victim.
-
moparisthebest
if they also control a CA key and the victim isn't using DNS-over-$something_secure ???
-
moparisthebest
that seems like a pretty hard attack to pull off
-
Ge0rG
The second biggest selling point in my eyes would be secure delivery of client certificates, eg. for S/MIME
-
Ge0rG
moparisthebest: DANE can override Root CA trust. And nobody is using Do# yet
-
moparisthebest
android ships by default using DNS-over-TLS so that's basically the opposite of nobody
-
Ge0rG
The biggest problem of DNSSEC isn't browsers but lack of support on TLDs and in resolvers
-
Ge0rG
moparisthebest: android 8?
-
ralphm
Regarding the targeted attacks, doesn't that depend on who the attacker is? E.g. I think state level actors get more control if you depend on DNSSEC. This problem also exists in the current public CA system, with countries like mine running an included CA. I'm not saying this is bad per se, but interesting if you're making threat models.
-
moparisthebest
I *think* it started with android 9
-
Ge0rG
So it's like 0.5% of Android devices? 🤣🤣
-
Ge0rG
ralphm: yes, your conclusion is right. However, with certificate transparency, things have shifted again
-
moparisthebest
ralphm, I'm saying for a targeted attack with current CA setup, the attacker needs to MITM you and have *any* CA cert, with DNSSEC in the mix they'd need the DNSSEC root key, plus to compromise all the DNS servers from root all the way down to your domain, plus a CA cert
-
ralphm
Ge0rG: for CAs, yes
-
moparisthebest
it's just substantially harder
-
ralphm
moparisthebest: hence my reference to state actors
-
Ge0rG
moparisthebest: they only need to compromise one level of DNS on your domain path...
-
moparisthebest
and yes certificate transparency fixes a bit of that, but iirc only browsers check that?
-
Ge0rG
moparisthebest: if you have the signing key for domain.com from the crappy DNS cloud provider, you only need to mitm the victim
-
ralphm
Well certificate transparency fixes that for future occurrences by the same CA maybe, not individual cases.
-
zinid
moparisthebest: I think anyone can monitor CT logs?
-
moparisthebest
I pin the public key of my resolvers so owning any CA key won't help, they'd have to hack the specific provider
-
Zash
CT for DNSSEC. There, all problems with DNSSEC solved!! :)
-
moparisthebest
zinid, right but if you steal a CA cert and sign your own certificates those aren't in the CT logs, you have to check if it's in the CT log when deciding whether to trust it or not, I think only browsers do this right now
-
ralphm
I also like to point out that many companies have internal CAs to issue their own certs to be trusted. Once you include that in your list of trusted CAs, it also means that they can issue and thus MitM all the things.
-
zinid
stealing CA certificate sounds like a thing
-
ralphm
Unless you have some form of cert/key/CA pinning
-
Ge0rG
ralphm: and they often do traffic inspection
-
Ge0rG
ralphm: luckily for them, modern browsers don't enforce pinning if the server certificate is signed by a locally installed CA
-
Ge0rG
So corporate mitm still works
-
Ge0rG
Did I just spoil your day?
-
ralphm
No, I refused to install the company CA
-
ralphm
(or software that could do that)
-
Ge0rG
Not something one can typically do on company provided gear
-
ralphm
Yes, this is another thing I managed to avoid for all employers so far. All of my machines (usually ThinkPads) came fresh out of the vendor-sealed box.
-
Ge0rG
Only intercepted by the government once.
-
moparisthebest
I just wipe the corporate windows image and install linux :/
-
moparisthebest
had a friendly sysadmin get me a virtualbox corporate windows image to use for skype etc
-
moparisthebest
he's gone now though, don't know what I'll do when the forced windows 10 upgrade comes around :'(
-
ralphm
Upgrade the virtualbox?
-
moparisthebest
upgrade the windows 7 running in the virtualbox
-
ralphm
Or backup/clean your drive, have them install it, then convert the disk to a virtual one?
-
moparisthebest
I tried all ways of doing that before and none would work, always windows BSOD after conversion
-
moparisthebest
it might be different now though, that was windows 7 and also years ago
-
Ge0rG
Cool, Firefox now implemented HTTP upload! https://blog.mozilla.org/blog/2019/03/12/introducing-firefox-send-providing-free-file-transfers-while-keeping-your-personal-information-private/
-
ralphm
Make sure you keep hold of your license key
-
ralphm
Ge0rG: nice
-
zinid
Ge0rG, at what servers get those files uploaded?
-
Ge0rG
the Firefox cloud servers!
-
moparisthebest
firefox has DoH implemented too I think
-
moparisthebest
just not on by default, yet
-
zinid
Ge0rG, wow such private, much security
-
zinid
Why does Firefox Send require JavaScript? Firefox Send uses JavaScript to: Encrypt and decrypt files locally on the client instead of the server. Render the user interface. Manage translations on the website into various different languages. Collect data to help us improve Send in accordance with our Terms & Privacy. <------- PRIVACY
-
moparisthebest
I was going to say firefox *probably* encrypts locally, that's how their sync stuff works, it's pretty good
-
moparisthebest
unlike google who's entire business model is scraping all your info
-
zinid
so far google's business model works better
-
moparisthebest
for google, not for users :)
-
zinid
right, that's _google's_ business model, not yours
-
zinid
but collecting data?
-
zinid
"we collect your DNA to improve our DNA analyzer"
-
jonas’
send us your nudes to help us protect them! #facebook
-
bowlofeggs
i hate the "are you a human" google things because you are helping them train their AI bots for free
-
bowlofeggs
they should pay me for doing that
-
jonas’
they "pay" you by allowing you to access content \o/ (sarcasm)
-
bowlofeggs
well these things are often used by non-google sites
-
bowlofeggs
but yeah i catch your drift ☺
-
bowlofeggs
there was a planet money where they talked about the inequity between what google makes per user and what they give that user for that data
-
bowlofeggs
iirc, google makes something around $1200 per year per user
-
bowlofeggs
and in exchange, that user gets… e-mail
-
bowlofeggs
anyways, they interviewed some economist who thinks that someone will eventually start to pay users to use the services, in actual cash
-
bowlofeggs
to compete
-
bowlofeggs
the only problem is that it would require enormous capital to compete with google, and you'd be competing by undercutting them, which requires even more enormous capital
-
bowlofeggs
well, "only" problem
-
bowlofeggs
there's also the network effect too of course
-
zinid
"also"
-
ralphm
Imagine they'd be good at doing social.
-
Zash
Google? Haven't they repeatedly failed at "social" things?
-
zinid
bowlofeggs, paying money to users is a huge taxing problem, especially when users come from many different countries, not sure how the tax will be administered in any particular country
-
bowlofeggs
true
-
bowlofeggs
so yeah, lots of problems ☺
-
bowlofeggs
but the larger point was that users are not getting a good deal
-
moparisthebest
they have plenty of users using them for free...
-
moparisthebest
I don't honestly know the solution there, it's easy enough for me to run xmpp+email etc for family, but if I get hit by a bus they'll all move back to gmail for sure :'(
-
moparisthebest
at least until my kids get older and I train them >:)
-
bowlofeggs
well you could pay a company to host you, that has acceptable ToS
-
bowlofeggs
the key is that the company should make money from being paid for the service, instead of making money by selling data
-
bowlofeggs
obvs, you have to trust them too
-
bowlofeggs
but even if you self host, you have to trust the vendors for the software and hardware you use to do that
-
bowlofeggs
so you can't escape trust, it's just a matter of where you want to draw the line
-
ralphm
Zash: my point?
-
bowlofeggs
i personally self host, but it's more because i find it kind of satisfying
-
moparisthebest
also legally at least in the USA if your data is on a 3rd party server, the govt can access it any time without a warrant or notice, for any reason
-
bowlofeggs
it's sort of the proof of how cool open source software is ☺
-
bowlofeggs
moparisthebest, indeed
-
moparisthebest
https://en.wikipedia.org/wiki/Third-party_doctrine
-
moparisthebest
so just from a principle point of view, you have to self-host on a server in your house :'(
-
Alex
hey guys, anyone ready for our member meeting?
-
Zash
Hey!
-
Guus
O/
-
moparisthebest
been waiting for it all day
-
Alex
LOL
-
Alex
okay
- Alex bangs the gavel
-
Alex
here is our Agenda for today: https://wiki.xmpp.org/web/Meeting-Minutes-2019-03-12
-
Alex
1) Call for Quorum
-
Alex
as you can see 31 members voted via memberbot. So we have a quorum
-
Alex
2) Items Subject to a Vote
-
Alex
new and returning members. You can see all applicants here: https://wiki.xmpp.org/web/Membership_Applications_Q1_2019
-
Alex
3) Opportunity for XSF Members to Vote in the Meeting
-
Alex
anyone here who has not voted yet and wants to vote here in the meeting?
-
Alex
looks like nobody want to vote in the meeting
-
Alex
then I can start counting and work on the result
- Guus 🥁
-
Alex
4) Announcement of Voting Results
-
Alex
When you reload the page you can see the results: https://wiki.xmpp.org/web/Meeting-Minutes-2019-03-12#Announcement_of_Voting_Results
-
Alex
All applicants were accepted
-
Alex
All reappliers except Bartlomiej Gorny were accepted
-
Ge0rG
Yay!
-
Alex
5) Any Other Business?
-
Neustradamus
Thanks!
-
Alex
and congrats to everyone ;-)
-
Ge0rG
Congrats to everyone but the person who didn't fill out the application
-
Alex
6) Formal Adjournment
-
Alex
I motion that we adjourn
-
Guus
Seconded
- Alex bangs the gavel
-
Guus
Thank you once again, Alex
-
Alex
I am travelling right now. Will send out the minutes and create the application page for the next quarter asap
-
Guus
Alex: thanks, safe travels!
-
Zash
Thanks, Alex.
-
Syndace
Weee thanks :D Happy to be an official member now!
-
Guus
Welcome to the dark side
-
Zash
Welcome to the sharp side, here's your angles: <<<<<
-
Ge0rG
Zash: we also need the closing ones!
-
Zash
Just turn them around! :)
-
Neustradamus
Syndace: Welcome :)
-
zinid
> All applicants were accepted 🤣🤣🤣
-
ralphm
Interesting blog post + comments (hi Zash)
-
ralphm
news.ycombinator.com/item?id=19370281
-
ralphm
Surprisingly positive about (and reminiscent of) XMPP.
-
Ge0rG
Represented by pidgin.
-
Zash
Kev, my server tells me your cert expired