XSF Discussion - 2019-03-12

what's the proper thing to use for a new namespace for a ProtoXEP ?

like a URL I control, or make something up in urn:xmpp:X ?

went ahead with my own URL for now, if that's not right could someone let me know? https://github.com/xsf/xeps/pull/765

moparisthebest: `urn:xmpp:X:0`

Isn't it `urn:xmpp:tmp:X`?

Wiktor: I think we got rid of tmp?

Oh, sorry then, I'm not up to date with this stuff

the problem with tmp is that it's quite possible that namespace wouldn't be bumped

and tmp will go into final 😁

Yeah, that's the same with `X-*` headers in HTTP. They are discouraged now.

moparisthebest, use something which is sensible from the urn:xmpp: namespace

urn:xmpp:dox apparently

for example, yes

:dox:0 even

let's polute the namespace by april 1st jokes!

is that an april 1st joke?

yes

oh

I thought moparisthebest was serious.

yeah, you never know

indeed

probably worth adding "humor" to the namespace path 🙂

:tmp would be less obvious and still ok

whatever, I just think aquiring "dox" acronym is not a very good idea, because it sounds nice and may be reused in more serious xeps 😛

but it’s also fun because of doxing

yeah, so just append something to the namespace, don't let it be urn:xmpp:dox:*

urn:xmpp:humor:dox, whatever

moparisthebest, urn:xmpp:tmp:dox seems good for now

:tmp shouldn’t be used by serious protoxeps, and it looks innocent enough :)

We used to use :tmp: for all Experimental XEPs, but dropped it because it wasn't a stable namespace, and we wanted people to implement early and safely with Experimental. Of course, this has other downsides, like deployment pressure, but that's something I'm happier to live with.

But loosely, :tmp: was our X-.

zinid, urn:xmpp:humor is reserved for Officially Humourous Things, surely? Do we need a work team to decide what is Officially Funny?

dwd, sure we can schedule that work at April 1st

Not a fan of that personally

Seve you might have missed the importance of the suggested date. 🙂

https://matrix.org/blog/2019/03/12/breaking-the-100bps-barrier-with-matrix-meshsim-coap-proxy/ 😁

Ge0rG: already on HN?

No idea. But it's 25bps higher than STANAG XMPP

damn

Higher = worse.

ah, right

good then 😁

I use stanag all the time in the lift

How often are you in a lift?

I didn't count 🤔

a few times a day?

subway is also a good source of high quality stanags

Please add a "XMPP STANAG TESTING ZONE" sticker.

https://www.lemark.co.uk/custom-printing/printed-barrier-tape/ 😏

👍

I updated the namespace on the PR jonas’

also that was part of my evil plan all along, I'll push this thing all the way to final leaving everyone wondering forever more "wait a second, is this a joke or not" >:)

humorous track doesn’t have final

I have it as Standards Track :D

Implement and deploy!

Like the JSON for BOSH XEP

Zash, already done! https://github.com/moparisthebest/jDnsProxy/tree/dox deployed at xmpp:dns@moparisthebest.com/listener

!

run it on your router, force your whole network DNS queries over XMPP

and one day it will surface that DNS over HTTP was actually a similar joke that went too far?

actually in ways this is better than DoH because of the long lived connection, no TLS setup each time etc

you can have long-lived connections with HTTP, too

You can.

But do you?

not quite *as* long lived, or as easily

that is to say, the server is gonna disconnect you regularly

a DoX server might as well

DoXoH

DoX-over-BOSH?

Yes

DoX isn't necessarily a server, my implementation of it right now is a client

over IP-over-DNS?

moparisthebest, but you need a server as entry-point

sure

and that might disconnect you

use it in combination with ping?

moparisthebest: does it respond to plaintext requests?

You always need to introduce a legacy mode

nope needs raw DNS bytes

How am I supposed to operate it from mobile, then? 😜

make a program to convert text to raw bytes, I use dig :D

from mobile, use dig from Termux

At some point I'm going to throw a bucket full of ice cold water over you guys.

my preciouuusssss

speaking of twisting stuff in ways to have fun with it: jslinux (<https://bellard.org/jslinux/vm.html?url=https://bellard.org/jslinux/buildroot-x86-xwin.cfg&graphic=1>) supports X11 and networking by now, networking happens via a general ethernet-layer WebSocket VPN (see http://www.benjamincburns.com/2013/11/10/jor1k-ethmac-support.html )

moparisthebest, I am not sure that DoX should be humorous, it could prove useful

I agree

uh, it is standards track

yep I did that on purpose, I'd still like it released on April 1st just for the ensuing hilarity and confusion though :D

I was assuming it to be a <type>humorous</type> XEP based on your comment to accept it on 1.4

mission accomplished I'd say ;)

Master level trolling you got there :)

yay

moparisthebest: https://xmpp.org/extensions/xep-0053.html#namespaces

(for reference)

>Seve you might have missed the importance of the suggested date. 🙂 Yes, I was saying that I don't feel very comfortable using XEPs for humorous things, just my personal opinon. I would just use a blog page or something that 1st of April and that's all.

What is officially funny is up to the Editor.

Seve: tough luck

who is German.

Guus: tsk

ralphm, I'm not asking to change anything, just mentioning how I see it :) Never in my life encountered this, maybe that is english culture I don't know, but I'm not used to have official stuff being used for jokes, let's say. Again, this has been like that for ages, not going to ask for a change :)

Seve: welcome to the world of standards bodies

This might be a good start: https://tangentsoft.net/rfcs/humorous.html

Seve, yea there is already a long history https://xmpp.org/extensions/xep-0183.html

http://www.openrfc.org/humour.pl

moparisthebest, I'm aware :)

besides in my opinion DoX is no more or less silly than DoH and everyone and their brother implements that so... :)

I'm not sure if I agree DoH is silly in and of itself. I do think that having only two services for it (Google and Cloudflare) is terrible.

and that quad9 one and anyone else that wants to run one

but I agree with what I think your point is, that sending all DNS queries to a much smaller number of resolvers is a bad idea :)

Right

But as a protocol concept I'm not against.

But I am! HTTP-ification of all the things annoy me!

start a DoX resolver now! be the change you want to see!

moparisthebest: Adding support to unbound you say?

my resolver asks unbound yes

which asks jdnsproxy, which asks a random dns-over-tls resolver over tor :)

but you don't have to be *as* crazy

you can just configure it to ask unbound

I thought this was a great overview of this topic: https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/

Indeed, thanks for the link!

the way I solve that personally is by querying DNS-over-TLS servers from a range of providers over tor

I can trust I'm talking to who I think I am and evil exit nodes aren't modifying anything, they don't know who I am, no 1 provider has all queries, and I validate DNSSEC myself anyway

That's... complicated

what is?

Your setup of DNS over Tor

well I did end up writing jDnsProxy to support it yea, existing options weren't that great

but *now* it's seamless :P

Except for the 300ms latency?

that's what serve-stale is for https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale

also unbound has various options to keep well used queries refreshed and such, overall it works quite well

Some days ago I realized that the smack socks proxy client doesn't work with orbot.

moparisthebest: is DNSSEC really a good thing, though? I've always wondered about its true utility and this thread didn't make it better. https://news.ycombinator.com/item?id=19241225

Are you reading the comments? On HN of all places?

ralphm, eh it's totally different, a CA can issue a cert, not put it in the (new) cert log, and browsers etc still mostly trust it

while .com *could* falsely sign a bad key, it's crazy public to do so

Because many comments are bad, that doesn't mean all of them are. If you take your position to the extreme, you can stop reading on the internet. Or anywhere, I suppose.

basically impossible to do targetted attacks with DNSSEC

moparisthebest: so I understand you trust the security aspects of DNSSEC itself?

HN seems to think that anything that isn't HTTPS needs to die. If it's not JSON over HTTPS, then why even care?

ralphm, I think by itself it's better than the current CA setup we have now, but combining them would be even better

And in that world, where HTTPS protects you from everything harmful, there's no need for anything else. DNSSEC is useless. IPv6 is useless.

moparisthebest: I think you can do a targeted attack if you have control over a TLD zone and mitm your victim.

And XMPP is the most useless thing of all, it's not even JSON over HTTPS. Why even bother!

SCRAM is also useless. Why not just send plain text passwords over HTTPS? Can't be more perfectly secure than that!

True dat

I think the biggest selling point of DNSSEC got lost with letsencrypt.

Ge0rG: The price? Yes.

Let's Encrypt also killed CAcert.org

(you can get a free trusted certificate for your deployment)

Zash: that's not true. CACert perfectly killed itself.

And they're well on their way to killing all other CAs and becoming ultimate gatekeeper for everything. Especially since everything must be HTTPS

Zash: you need to take your depression medicine! 😜

Ge0rG: moparisthebest: I think you can do a targeted attack if you have control over a TLD zone and mitm your victim.

if they also control a CA key and the victim isn't using DNS-over-$something_secure ???

that seems like a pretty hard attack to pull off

The second biggest selling point in my eyes would be secure delivery of client certificates, eg. for S/MIME

moparisthebest: DANE can override Root CA trust. Any nobody is using Do# yet

android ships by default using DNS-over-TLS so that's basically the opposite of nobody

The biggest problem of DNSSEC isn't browsers but lack of support on TLDs and in resolvers

moparisthebest: android 8?

Regarding the targeted attacks, doesn't that depend on who the attacker is? E.g. I think state level actors get more control if you depends on DNSSEC. This problem also exists in the current public CA system, with countries like mine running an included CA. I'm not saying this is bad per se, but interesting if you're making threat models.

I *think* it started with android 9

So it's like 0.5% of Android devices? 🤣🤣

ralphm: yes, your conclusion is right. However, with certificate transparency, things have shifted again

ralphm, I'm saying for a targeted attack with current CA setup, the attacker needs to MITM you and have *any* CA cert, with DNSSEC in the mix they'd need the DNSSEC root key, plus to compromise all the DNS servers from root all the way down to your domain, plus a CA cert

Ge0rG: for CAs, yes

it's just substantially harder

moparisthebest: hence my reference to state actors

moparisthebest: they only need to compromise one level of DNS on your domain path...

and yes certificate transparency fixes a bit of that, but iirc only browsers check that?

moparisthebest: if you have the signing key for domain.com from the crappy DNS cloud provider, you only need to mitm the victim

Well certificate transparency fixes that for future occurrences by the same CA maybe, not individual cases.

moparisthebest: I think anyone can monitor CT logs?

I pin the public key of my resolvers so owning any CA key won't help, they'd have to hack the specific provider

CT for DNSSEC. There, all problems with DNSSEC solved!! :)

zinid, right but if you steal a CA cert and sign your own certificates those aren't in the CT logs, you have to check if it's in the CT log when deciding whether to trust it or not, I think only browsers do his right now

I also like to point out that many companies have internal CAs to issue their own certs to be trusted. Once you include that in your list of trusted CAs, it also means that they can issue and thus MitM all the things.

stealing CA certificate sounds like a thing 😂

Unless you have some form of cert/key/CA pinning

ralphm: and they often do traffic inspection

ralphm: luckily for them, modern browsers don't enforce pining if the server certificate is signed by a locally installed CA

So corporate mitm still works

Did I just spoil your day?

No, I refused to install the company CA

(or software that could do that)

Not something one can typically do on company provided gear

Yes, this is another thing I managed to avoid for all employers so far. All of my machines (usually ThinkPads) came fresh out of the vendor-sealed box.

Only intercepted by the government once.

I just wipe the corporate windows image and install linux :/

had a friendly sysadmin get me a virtualbox corporate windows image to use for skype etc

he's gone now though, don't know what I'll do when the forced windows 10 upgrade comes around :'(

Upgrade the virtualbox?

upgrade the windows 7 running in the virtualbox

Or backup/clean your drive, have them install it, then convert the disk to a virtual one?

I tried all ways of doing that before and none would work, always windows BSOD after conversion

it might be different now though, that was windows 7 and also years ago

Cool, Firefox now implemented HTTP upload! https://blog.mozilla.org/blog/2019/03/12/introducing-firefox-send-providing-free-file-transfers-while-keeping-your-personal-information-private/

Make sure you keep hold of your license key

Ge0rG: nice

Ge0rG, at what servers get those files uploaded?

the Firefox cloud servers!

firefox has DoH implemented too I think

just not on by default, yet

Ge0rG, wow such private, much security

Why does Firefox Send require JavaScript? Firefox Send uses JavaScript to: Encrypt and decrypt files locally on the client instead of the server. Render the user interface. Manage translations on the website into various different languages. Collect data to help us improve Send in accordance with our Terms & Privacy. <------- PRIVACY

I was going to say firefox *probably* encrypts locally, that's how their sync stuff works, it's pretty good

unlike google who's entire business model is scraping all your info

so far google's business model works better 😀

for google, not for users :)

right, that's _google's_ business model, not yours 😀

but collecting data?

"we collect your DNA to improve our DNA analyzer"

send us your nudes to help us protect them! #facebook

i hate the "are you a human" google things because you are helping them train their AI bots for free

they should pay me for doing that

they "pay" you by allowing you to access content \o/ (sarcasm)

well these things are often used by non-google sites

but yeah i catch your drift ☺

there was a planet money where they talked about the inequity between what google makes per user and what they give that user for that data

iirc, google makes something around $1200 per year per user

and in exchange, that user gets… e-mail

anyways, they interviewed some economist who thinks that someone will eventualyl start to pay users to use the services, in actual cash

to compete

the only problem is it that it would require enormous capital to compete with google, and you'd be competing by undercutting them, which requires even more enormous capital

well, "only" problem

there's also the network effect too of course

"also"

Imagine they'd be good at doing social.

Google? Haven't they repeatedly failed at "social" things?

bowlofeggs, paying money to users is a huge taxing problem, especially when users come from many different countries, not sure how the tax will be administered in any particular country

true

so yeah, lots of problems ☺

but the larger point was that users are not getting a good deal

they have plenty of users using them for free...

I don't honestly know the solution there, it's easy enough for me to run xmpp+email etc for family, but if I get hit by a bus they'll all move back to gmail for sure :'(

at least until my kids get older and I train them >:)

well you could pay a company to host you, that has acceptable ToS

the key is that the company should make money from being paid for the service, instead of making money by selling data

obvs, you have to trust them too

but even if you self host, you have to trust the vendors for the software and hardware you use to do that

so you can't escape trust, it's just a matter of where you want to draw the line

Zash: my point?

i personally self host, but it's more because i find it kind of satisfying

also legally at least in the USA if your data is on a 3rd party server, the govt can access it any time without a warrant or notice, for any reason

it's sort of the proof of how cool open source software is ☺

moparisthebest, indeed

https://en.wikipedia.org/wiki/Third-party_doctrine

so just from a principle point of view, you have to self-host on a server in your house :'(

hey guys, anyone ready for our member meeting?

Hey!

O/

been waiting for it all day

LOL

okay

here is our Agenda for today: https://wiki.xmpp.org/web/Meeting-Minutes-2019-03-12

1) Call for Quorum

as you can see 31 members voted via memberbot. So we have a quorum

2) Items Subject to a Vote

new and returning members. You can see all applicants here: https://wiki.xmpp.org/web/Membership_Applications_Q1_2019

3) Opportunity for XSF Members to Vote in the Meeting

anyone here who has not voted yet and wants to vote here in the meeting?

looks like nobody want to vote in the meeting

then I can start counting and work on the result

4) Announcement of Voting Results

When you reload the page you can see the results: https://wiki.xmpp.org/web/Meeting-Minutes-2019-03-12#Announcement_of_Voting_Results

All applicants were accepted

All Reappliers except of Bartlomiej Gorny were accepted

Yay!

5) Any Other Business?

Thanks!

and congrats to everyone ;-)

Congrats to everyone but the person who didn't fill out the application

6) Formal Adjournment

I motion that we adjourn

👍

Seconded

Thank you once again, Alex

I am travelling right now. Willl send out the minute sand create the application page for the next quarter asap

Alex: thanks, safe travels!

Thanks, Alex.

Weee thanks :D Happy to be an official member now!

Welcome to the dark side

Welcome to the sharp side, here's your angles: <<<<<

Zash: we also need the closing ones!

Just turn them around! :)

Syndace: Welcome :)

> All applicants were accepted 🤣🤣🤣

Interesting blog post + comments (hi Zash)

news.ycombinator.com/item?id=19370281

Surprisingly positive about (and reminiscent of) XMPP.

Represented by pidgin.

Kev, my server tells me your cert expired