XSF Discussion - 2019-08-17


  283. lovetox

    it is getting ridiculous with disco info

  284. lovetox

    I just added a feature, and this triggered hundreds of disco info requests

  285. lovetox

    this behavior is not scalable

  286. lovetox

    we should do something about that

  288. jonas’

    server-side caps optimization

  291. ralphm

    lovetox: what's the use case?

  296. admin1234

    Is anyone here Romanian?

  297. admin1234

    Daniel, are you Romanian?

  298. admin1234

    david, are you Romanian?

  299. admin1234

    admin1234 test

  300. admin1234

    Kev help me please

  307. lovetox

    ralphm, I'm not sure what you mean

  308. lovetox

    not getting DDoS'ed when you join some MUCs?

  309. Ge0rG

    There is an experimental prosody module that will cache and auto deliver the disco#info for local clients.

  310. Ge0rG

    Unfortunately it's full of race conditions and/or doesn't work on prosody stable.

  311. ralphm

    lovetox: I didn't understand what you meant by you having added a feature.

  312. ralphm

    But now I do

  313. lovetox

    ralphm, it's even worse

  314. Ge0rG

    lovetox: it's also the cause of a significant number of mobile wakeups, because there are also clients that join after you.

  315. lovetox

    because of an unfortunate example in the disco spec

  316. lovetox

    clients add version numbers under the identity name attr

  317. lovetox

    means every new version of that client, you get spammed with disco info

  318. lovetox

    even though nothing changed about the caps

  319. Zash

    This is why I'm sceptical of version numbers in disco/caps

  320. lovetox

    in my opinion they should not be there, and nothing mandates that a version number has to be there

  321. lovetox

    it's just devs put it there because it's in one example, I think

  322. lovetox

    we have 0092 for version

  323. lovetox

    there is no need to put this in disco info

  324. Zash

    Yeah. How often do you really need their version number?

  325. lovetox

    if I need it I request it

  326. lovetox

    of course it would be nice to have it in there, but the costs outweigh the benefits

  328. lovetox

    and yeah, I really almost never need the version number

  329. lovetox

    only if I display some details screen of the contact

  330. lovetox

    and if I open that it's totally fine to send a 0092 request

  337. ralphm

    But then it would have to come with a note to discourage the version?

  340. eevvoor

    lovetox, does a bookmark export exist in Gajim? jabber.de lost all bookmarks of some users during a downgrade in July, I think. In Berlin's Meetup MUC it was discussed that no such export exists yet.

  341. ralphm

    Also, I think in practice this isn't as much of an issue: the hash is cached for all users, so only the very first encounter of a new hash will cause a disco request.

  342. ralphm

    As a developer, yeah, that might be less nice.

  343. Daniel

    I think lovetox gets the worst of it because he is the one to first have a new hash

  344. Daniel

    But I've made a note to remove the version from Conversations' cache

  345. ralphm

    From disco info, you mean?

  346. wurstsalat

    eevvoor, there was a plugin once, but it didn't get ported to 1.0 I think

  348. eevvoor

    wurstsalat, ah that is not long ago. cool, so there is something to build on.

  349. Daniel

    ralphm: yes

  350. ralphm

    lovetox: which example is it?

  351. wurstsalat

    eevvoor, https://dev.gajim.org/gajim/gajim-plugins/tree/gajim_0.16/offline_bookmarks

  352. eevvoor

    thx wurstsalat

  360. lovetox

    ralphm, https://xmpp.org/extensions/xep-0115.html#howitworks

  361. lovetox

    scroll a bit down

  365. lovetox

    yeah, and I guess as a developer I'm getting the worst of it

  366. lovetox

    but in Gajim there exist plugins that alter the disco info to announce support for some feature

  369. lovetox

    But either way a server caching disco infos would be great

  370. lovetox

    I don't see any drawbacks

  374. Ge0rG

    lovetox: race conditions when you change the caps at runtime

  375. lovetox

    do you have an example?

  376. lovetox

    I don't see a problem there: the server gets a request for a hash; either it has it, then it answers, or not, then it routes the IQ

  377. Zash

    You're supposed to include the caps hash in the @node when querying, so that should be detectable

  378. Ge0rG

    Zash: some clients ignore that @node

  379. lovetox

    Ge0rG, how is this relevant?

  380. Zash

    "Some clients are broken"

  381. Ge0rG

    And IIRC we have the issue that the node value can be gamed

  382. lovetox

    ok you lost me

  383. Ge0rG

    Where's caps 2.0 when you need it

  386. Ge0rG

    lovetox: https://xmpp.org/extensions/xep-0390.html

  387. Ge0rG

    https://mail.jabber.org/pipermail/security/2009-July/000812.html

  388. Zash

    https://modules.prosody.im/mod_inject_ecaps2.html

  389. Ge0rG

    The implication is that you must not use the cache across JIDs

  390. ralphm

    Screw that

  391. jonas’

    Ge0rG, huh? with XEP-0390 it should be safe, no?

  392. ralphm

    The whole idea of CAPS is that the hash is not related to the JID

  393. Ge0rG

    jonas’: I think so. Did you ask waqas yet?

  394. Zash

    What would you gain by such an attack anyways?

  397. Ge0rG

    ralphm: the JID is the security boundary in this case

  398. jonas’

    Ge0rG, I did

  399. Ge0rG

    jonas’: did he answer?

  400. jonas’

    I don’t recall

  401. Ge0rG

    The XSF needs a new seal of approval, "Verified by waqas"

  402. lovetox

    there is not a single security relevant feature in disco info that comes to mind, that usual clients currently use

  403. lovetox

    and 0390 is safe against all the attacks mentioned?

  404. jonas’

    it should betm

  405. jonas’

    at least as long as we stay on XML 1.0 :)

  408. lovetox

    from a quick read, it seems not much work client side

  411. flow

    jonas’, what happens if we don't stay on XML 1.0?

  412. Ge0rG

    flow: is there ecaps2 support in smack yet?

  414. jonas’

    flow, then the control characters used as separators become valid codepoints in XML (1.1) character data and are thus unsuitable as separators :)

  415. jonas’

    (for the hash function input)

  416. Zash

    Then what? DER?

  417. Zash

    Or other TLV-ish thing?

  418. jonas’

    prefixing them with NUL should be safe

  420. Ge0rG

    Is NUL illegal in XML 1.1? I anticipate that class of bugs.

  421. lovetox

    jonas’, why do we need a separator?

  422. lovetox

    it's not like we are parsing the string we create again later

  423. Ge0rG

    No, but if you can create ambiguity, you can poison the cache with junk data

  424. lovetox

    ah i get it

  425. lovetox

    hm

  427. lovetox

    but then it seems better to take < as separator but make sure every value

  428. lovetox

    as it will always be illegal as a value

  429. jonas’

    lovetox, < can easily be contained in form field values

  430. lovetox

    only as &lt; or?

  431. lovetox

    not as <

  432. jonas’

    lovetox, not to your application.

  433. jonas’

    Ge0rG, yes, NUL is illegal in XML 1.1

  434. jonas’

    lovetox, we need to look at the codepoint representation, not at the wireformat. the wireformat *could* be littered with &#number;-based escape codes creating *lots* of ambiguity and breaking the hashes. not to mention that many XML libraries won’t even give you access to that.

  435. lovetox

    you mean the lib converts &lt; to < before you have access to it?

  436. lovetox

    yes this would be a problem

  437. jonas’

    I sure hope the library does that, just like I sure hope that it does the reverse path

  438. lovetox

    never thought about it, it just works :D

  439. lovetox

    but yes, I think it does also in my case

  441. jonas’

    so, yeah, you need to use a codepoint (or sequence of codepoints) which is invalid in XML character data as separator

  442. jonas’

    go-to approach which is safe for XML 1.1 would be NUL + something

  451. ralphm

    I think it is unlikely we'd ever switch to 1.1.

  453. jonas’

    me too

  468. Ge0rG

    jonas’: could you make ecaps2 future proof by prepending NUL to each separator?

  488. jonas’

    Ge0rG, it’s in the queue

  490. jonas’

    I might actually have the diff somewhere

  491. Yagiza has left

  492. Daniel has left

  493. Daniel has joined

  494. j.r has joined

  495. pdurbin has joined

  496. pdurbin has left

  497. kokonoe has left

  498. kokonoe has joined

  499. eevvoor has left

  500. j.r has left

  501. j.r has joined

  502. xnamed has joined

  503. Chobbes has joined

  504. xnamed has left

  505. xnamed has joined

  506. j.r has left

  507. Chobbes has left

  508. Chobbes has joined

  509. j.r has joined

  510. kokonoe has left

  511. madhur.garg has left

  512. Chobbes has left

  513. Chobbes has joined

  514. Chobbes has left

  515. Chobbes has joined

  516. goffi has left

  517. kokonoe has joined

  518. madhur.garg has joined

  519. Chobbes has left

  520. Chobbes has joined

  521. Chobbes has left

  522. Chobbes has joined

  523. Chobbes has left

  524. Chobbes has joined

  525. Chobbes has left

  526. Chobbes has joined

  527. adityaborikar has joined

  528. pdurbin has joined

  529. j.r has left

  530. dele3 has left

  531. pdurbin has left

  532. rion has left

  533. Chobbes has left

  534. valo has left

  535. valo has joined

  536. lovetox has left

  537. larma has left

  538. kokonoe has left

  539. larma has joined

  540. kokonoe has joined

  541. Alex has left

  542. Alex has joined

  543. larma has left

  544. larma has joined

  545. wurstsalat has left

  546. karoshi has left

  547. Chobbes has joined

  548. murabito has left

  549. Tobias has left

  550. murabito has joined

  551. moparisthebest has left

  552. moparisthebest has joined

  553. Chobbes has left

  554. Nekit has left

  555. lskdjf has left

  556. pdurbin has joined

  557. jcbrand has left