XSF Discussion - 2020-02-18

XMPP over XMPP

Ge0rG, out-of-band ✏

jonas’: you still have three weeks to reapply!

jonas’: if you come to the meetup on Thursday I can remind you oob

Ge0rG, no? reapplications close on Feb 23rd

Daniel, that’d mean leaving the house

I suppose

jonas’: I'm sorry, you are right

nice try to get me kicked out of council! ;)

Heh

jonas’: not just you! :P

https://github.com/xsf/xmpp.org/pull/679 Anybody with superpowers to review plz? :)

> The next Summit will happen next year. 😁

Have you hear that the BND is financing open source projects with 5000€ similar to GSoC?

Yes.

That's the German Foreign Intel agency?

emus: yeah

dwd: yes

Ge0rG, I'm very hopeful!

I suppose it's possible that XMPP projects would be favoured there.

dwd: the ones that were "recently" uncovered to have backdoored Crypto AG

(the involvement was known since 1997, but apparently it's big news in 2020)

Ge0rG, Hah. That's such an old story, and moreover a repeated pattern that's been occurring since after WW2.

dwd: indeed

> BND financing open source projects > OMEMO:2 incoming > 🤔

Ge0rG, First case I'm aware of is the UK selling Enigma systems post-war. However, I have a suspicion that there's a similar case after the Napoleonic wars.

edhelas, conspiracy!

Daniel is an undercover agent

edhelas, I'm not sure that would be relevant. It's unclear to me if that would fit the threat model. ✏

oops

edhelas, In particular, BND presumably do trust their server, and probably more than the mobile devices used in the field.

edhelas: shhhh

Curious to know if there's anything you can do to prevent messages leaking once a terminal is compromised :x (as long as it's not known to be)

pep., It's more that if you think a device might be compromised, with OMEMO/Signal/etc the device has a cleartext archive, whereas without it won't and you can cut access to the server-side archive.

without what e2ee it won't have a cleartext archive?

I'm not sure I understand

You mean the client won't explicitely store locally?

pep., For example, with WhatsApp, the device stores a database of all the message history.

pep., Whereas with Pando (for example) we explicitly don't, and instead pull that from the server.

That doesn't mean it doesn't see the cleartext messages

pep., Sure. But there's a matter of the effect of a compromise post-discovery.

(you kinda have to, I don't have bionic e2ee-capable eyes)

pep., The question isn't who and what device can see the messages. The question is where the archive is kept at rest.

Well this assumes you have any doubts

pep., Well, only in as much as if someone compromises a device without your knowing all bets are off no matter what you do.

what I said above :)

pep., So not much point in considering that case. Instead, consider the cases where endpoint compromise is known.

pep., And decide which you think is the greater risk - for some, that'll be the server being compromised, for others, the client. Which you feel is the bigger risk means you might want OMEMO-style encryption or not.

Sure there's a point in considering it as well. It's certainly a lot easier to get a hold of a user terminal when that user is targetted. When the user is not targetted directly and people are just interested in data, it's probably faster to try and compromise the server and I bet there's lots of servers not that good security-wise

pep., Right, but for a foreign intel agency, I would suspect the risk of a compromised client is probably higher.

pep., Same for us, actually. I believe the risk of a community nurse leaving their phone in a patient's house is higher than someone breaking into our servers.

pep., But that won't be the same for everyone, of course.

Who knows.. One would hope they employ capable people and they give them the freedom to act ✏

Myeah, forgetting my phone somewhere does seem more likely than someone breaking into my server room and/or server.

Zash, But if you ran your server for thousands of people, the risk profile might change. ✏

Zash, For you, if not for your users.

I don't, so my users == { me }

My best understanding of why WhatsApp have encryption is to protect themselves from subpoena activity, not for security for their users as such.

Makes sense.

vanitasvitae, Ge0rG: I mean lets take away their money - modern problems need modern solutions :)

dwd: it has helped very much, hasn't it? https://www.reuters.com/article/us-facebook-brazil/facebook-executive-jailed-in-brazil-as-court-seeks-whatsapp-data-idUSKCN0W34WF

Open reuters > Get visually agressed by cookies' consent bs > Manage consent > JS error..

I have a similar extension but I still get their annoying popup

I have a little request, can you open: https://nl.movim.eu/?feed/pubsub.movim.eu/Movim When you click on the publication titles, have you the publication or other?

I get prompted to download the atom feed

Firefox?

Yes

I'm not sure browsers parse this correctly anymore.. curl tells me "content-type: application/atom+xml; charset=UTF-8" so that's correct right?

Thanks guys, you have confirmed the problem to edhelas, I am not alone ;)

Neustradamus, I'd say your client is the issue. Use a proper feed reader

the problem is that the feed reader is not taking the alternate + text/html

but only the first alternate, that is kinda an issue; so i'll fix that one

The problem is linked to (for example): </content> <link rel="enclosure" type="image/png" href="https://upload.movim.eu/files/9d94237298995552fa13436420195fbca436dce7/jDBsJ9BW7g66gCZ3G3ARICSq5T3dsAg9j75CnNOr/image.png"/> <link rel="alternate" href="https://upload.movim.eu/files/9d94237298995552fa13436420195fbca436dce7/jDBsJ9BW7g66gCZ3G3ARICSq5T3dsAg9j75CnNOr/image.png"/> <link rel="alternate" type="text/html" href="https://nl.movim.eu/?node/pubsub.movim.eu/Movim/87633da7-3963-4923-aabc-54ac5f6ad1d8"/> </entry>

edhelas, if that's a problem to you then then I think it's before that.

HTTP Headers

Neustradamus I actually told you 2min ago that I will fix the issue, why bothering the people here about that ?

edhelas: I sent here before you understand the problem

also, Atom implementation in Movim is definitly not a topic related to this chatroom

edhelas: I can not join the main mucroom ;)

yes you've been banned, for reasons one can understand

I know that some people do not like when we inform about problems, we can see a new time today. If no people inform, no solution ;)

Sometimes it's not about the information, but about the delivery

Reminder that the current application period ends by the end of this week. In case you want to appy, recruit someone to apply, or need to reapply: https://wiki.xmpp.org/web/Membership_Applications_Q1_2020 Thanks

jonas’: ^

Daniel is yours a haiku? 🙂

application done, thanks

jonas’, Any chance we can last call XEP-0345 again? I have no idea what happened to it last time. Board, BTW, not Council.

It's be voted in by board

Last board

pep., Has it? Showing as Proposed, currently.

I was the only one to answer the LC and board didn't take that into account anyway

I must’ve missed that one, can you dig up records?

pep., And LC ending over two years ago.

hmm when was that again..

again, many people aren't getting all mailing list posting because xsf's mailmain still breaks DKIM and SPF and therefore DMARC

I get maybe half of the emails sent to the list, it depends on the email settings of the sender

(please fix mailmain)

I love how those "anti spam" technologies break valid usecases while not preventing spam.

but yeah, we should probably get that fixed

why do I keep typing mailmain instead of mailman...

Those aren't anti-spam

AFAIK it involves: - Turn off the footer - Turn off the subject prefix - Enable the masquerading of From for DMARC-protected domains

so dmarc allows a pass if *either* SPF or DKIM passes, you can't not break SPF, so if you simply stop breaking DKIM that should fix everything

which yes, turn off footer and subject prefix

it will fix everything related to DMARC, but break the UX

make sure the List-Unsubscribe header is set, and you'll be golden

can we get a mailman admin, please?

What are the cons again of validating dkim at the mailing list level and having the mailing list then do dkim itself? Not being able to validate end-to-end?

cc @ MattJ

pep., the cons are that it doesn’t help

how so

(also, operational cost)

pep., you still break the DKIM signature of the original sender

Just masquerade the Sender and be done with it

You remove it even. The list signs itself

you can do that too ^

I mean, instead

pep., and then the receiver looks up the DMARC record and sees that there should be a signature for that sender

jonas’, the sender being the list?

depends

I always get confused with Sender vs. MAIL-FROM vs. From:

and also Return-Path

From is purely metadata, you can put whatever you want there

Well Return-Path is the list here, and I'd put both enveloppe and the other as the list anyway and sign with the list.

!= routing data

pep., requires setting up and maintaining a DKIM thing though

If I want to validate who sent what I'd use normal gpg signing

pep., yeah, tell that please to the DKIM idiots

not what I'm saying

pep.: Footers can break gpg tho

Zash, they’re attached as separate text/plain part

Right. Not on every list tho.

I always assume DKIM allows us to validate point-to-point. I'd expect the list to do the validation always, not a host at the other end of the chain

*mumble* Google Groups

assumed*

I get people have opinions re: DKIM/SPF/DMARC but that's not really relevant, they are a thing most email providers implement, and if we want most people to be able to recieve mail to the list, it has to be fixed

moparisthebest, yeah, help me get hands on a mailman admin

moparisthebest, yeah I'm proposing a practical solution :p

pep., setting up and maintaining OpenDKIM is *not* practical

(on the XSF resource budget either way)

semantics

Meaning I'm not just talking about protocols because I like to talk about protocols

(I run rspamd which does DKIM+SPF+DMARC+spam stuff automatically, and is easier to set up than opendkim+spf+spamassassin+amavisd+everything else)

I love especially how rspamd depends on redis, but doesn’t support redis clusters.

but beside the point, there are basically 2 ways it can be fixed: 1. stop breaking DKIM signatures (don't add footer or mangle subject) 2. send from xmpp domain instead

the XSF mail server *should* already be validating dmarc/dkim/spf or it can be used to forward unauthorized mail/spam

does anything actually stop me from sending mail as a board member to a board-only mailing list?

moparisthebest, this is a question I’ve been asking myself for quite some time and which I wanted to pen-test after having asked board, but I never got around to actually do that.

what's the official way to get that on the board's agenda as a question?

send a message to board@

someone will hopefully fish it out of the moderation queue

moparisthebest, "as a board member"?

aside from that I may still have +w on the board trello, or you can ask pep. who’s on board, too.

I don't think you can send stuff to board@ if you're not subscribed can you?

pep., like, impersonating your email for instance

pep., but the subscription only checks From

(or maybe Sender)

ah I see

We're not using board@ anyway, and I don't like it

and if it doesn't do dkim/dmarc/spf or something, then I can happily send "official board emails" from ralphm or pep. or whoever

So you can send what you want. Plus I always sign my emails :P

email from is not to be trusted. news at 11.

yeah

right, and all those are terrible hacks to add authentication to it :/

yes

it's getting better, but hacking that on after the fact is rough

also ARC incoming...

http://arc-spec.org/ ^

dwd, MR 20190307T15:16:48Z 000 <ralphm>  motion carries. Let the Editors go through to the mechanics to move XEP-0345 to Active.

http://logs.xmpp.org/xsf/2019-03-07#2019-03-07-e58b19e060a046e8

I was looking for that

ah, that’s clearly my fault

fixing that now

It's indeed not been processed by editors, but I wouldn't go as far as saying it's your fault. There are many other editors :x

were there back then though?

No, but there are others

reminds me to ask board to clean up editor membership

yeah

I abused my privileges to create https://trello.com/c/8Q5XQWks/388-clean-up-editor-team-memberships

how dare you

Thanks, looks good

I always sign my emails too - I put "Dave." at the bottom.

Indeed. Just like signatures we use on legally binding documents, it's been proven it works very well

(I had a hard time making it less sarcastic)

Subject: [Standards] ACTIVE: XEP-0345 (Form of Membership Applications)

there we go

Thanks :)

ah, I need to re-last-call '402

dwd, the example in 402 for publish options is not the best

you use max_items = 10000

if you are a new client and there are existing bookmarks, this results 99% in a failed publish

lovetox, PRs welcome. I didn't actually write that one, I think Link Mauve did (he actually wrote most of that spec at this point, we should make him an author).

Yeah I think that probably predates the max thing in pubsub

ah k, yeah we should change that, there is a new max-items=max in pbusub

though this probably also will fail, because no server supports that yet

And having a 'magic' number was the best we good do before

Ugh

Yes 'atomic bookmarks in pep' probably just depends on max being supported

Which should be mentioned somewhere

has the "max" bike shedding settled yet?

Daniel, "PEP Native Bookmarks". I bikeshedded the name a bit further.

IIRC there was a revamp by server developers who objected because "max" is not a valid integer

dwd, though I consider that name slightly confusing

I plan to bikeshed on that one

Yes you can name it whatever you want as long as it's called atomic bookmarks in pep

Daniel, NUCLEAR BOOKMARKS

QUANTUM BOOKMARKS

That's a compromise I can live with

http://www.quickmeme.com/img/ab/ab32ca63f3cf210c253a92780beda430d37b32bc0cc9e8a9856d1c2f72d8b56a.jpg

Did we have "Schrödinger's Bookmarks" yet?

Ge0rG, Heisenberg's Bookmarks? You know how to store them or what they are, but not both?

dwd: I appreciate that. +1

Also what's the dance I need to perform to determine whether PEP on my server is persistent?

(as in: stored to disk, not to RAM)

I think there is a feature

> dwd has written: > edhelas, In particular, BND presumably do trust their server, and probably more than the mobile devices used in the field. Trusting the server does not seem like a viable threat model ever

Ge0rG, `#persistent-items` maybe?

I'd like the max_items=max thing to be settled so that we can actually use the feature :x

But muh validation code :(

I wouldn't be opposed to make `-1` the new max.

I'll let you bikeshed the thing, I just need the feature

because max_items=0 can obviously mean "you shall not pass", but -1 is actually something like "unlimited" in computerese

But I suppose the author is already fed up with the unicode discussion

Ellenor Malik, At all? Ever? I trust my server because it's in the same room as me right now, and only I have access.

Never ever.

Ellenor Malik, For anything?

dwd: but you are not always in that room, are you?

Ge0rG, Pretty much. :-)

dwd: I've heard rumors of you being in Brussels and not having your server room around you

Ge0rG, Lies.

Ge0rG, And/or a clone.

maybe your server is an evil twin now.

"Only I have access." Only true if you built the processor, hard disk, and everything yourself.

or maybe the evil twin was in Brussels indeed, and told people embarassing stories about the origins of your name ✏

Ellenor Malik, so you can’t trust the client either. Your argument is invalid.

Ellenor Malik, OK, but the same goes for your client device, so you're saying nobody can trust anything, and we may as well all go home.

^5, dwd

> jonas’ has written: > Ellenor Malik, so you can’t trust the client either. Your argument is invalid. to be clear, the first part does not imply the second part

it's best to trust as few links as possible

Ellenor Malik, Yes, I agree, keep the attack surface low etc. I just suggested that there were cases where the risk to the client device was higher than the risk to the server.

Ellenor Malik, Certainly not true in all cases.

encrypt everything to the best of your ability

Ellenor Malik, Encryption doesn't solve any problems, though, it just moves problems around.

If the BND can't trust their servers they probably have bigger issues

Daniel, Right, that.

Daniel, Well. Actually it's not that simple. But they probably trust the server more than the clients at least.

assuming you can partially trust the endpoints, encryption makes problems smaller

Ellenor Malik, "it depends"

on the making problems smaller part

Also something something accountability

Ellenor Malik, No, I disagree. The BND might not even trust its *users* as much as its server.

what is the idea behind

<conference xmlns='urn:xmpp:bookmarks:1'/> is a valid bookmark?

why would someone publish this, and what should i do with that if i receive it

lovetox, The pubsub item id gives you the jid, remember.

ahh

kk thanks

lovetox, So probably quite obvious if you actually see it in the wild.

vanitasvitae: (re: a/v) not even an Android phone or any laptop with internet and jitsi meet?

moparisthebest: we could try that, but I doubt it will be as good as Cisco's teleconferencing.

WebEx is considered good???? Yikes

We'll see if we come up with something on site :)