jonas’, thanks for the lengthy and detailed response about Reminders. I really appreciate it
jonas’
you’re welcome
Link Mauve
So, since I’m now doing an internship, I probably should change my member status.
Link Mauve
How can I do that?
Link Mauve
Also hi, I’m adding XEP-0284 support to Inkscape. o/
jonas’
Link Mauve, member status?
Link Mauve
jonas’, the employer thing.
jonas’
I just edit my wiki page
Link Mauve
I don’t have one yet. :-°
flow
Link Mauve, yeah, xep284 is one of my all time favorites (along with the gobby protocol)
Link Mauve
What are the differences between them?
flow
you may want to compare those two from a protocol perspective, although the gobby one isn't that well documented IIRC
Link Mauve
Also with other protocols such as Etherpad’s or CryptPad’s?
flow
I have no idea which one is better. But it could be worth putting some research effort into a survey of the existing protocols for collaborative xml editing
Link Mauve
Yeah.
Link Mauve
And then merge all of the improvements into XEP-0284. :p
jonas’
stay away from etherpad
jonas’
it uses the broken JavaScript unicode model
jonas’
with UTF-16 everywhere.
moparisthebest
if you have to stay away from broken javascript that's like 99% of the web
moparisthebest
though now that you mention it, sounds kind of nice...
Ge0rG
I've heard there are still parts of the web that you can surf with noscript.
jonas’
s.j.n for example
jonas’
though you won’t get the fancy charts
Link Mauve
jonas’, I’m using XMPP, so UTF-8 everywhere.
jonas’
Link Mauve, the etherpad protocol data model assumes UTF-16
jonas’
so stay away from that
Link Mauve
Ok.
Ge0rG
nothing is wrong with UTF-16. It's only when you treat it as UCS-2 when things start going wrong.
moparisthebest
is https://xmpp.org/software/servers.html a pretty complete list still? does anyone know of widely deployed public servers not on this list?
Link Mauve
In the XEP schema, <dl/> is specified as only taking a list of <di/>, each containing a <dt/> and a <dd/>.
Link Mauve
The <di/> is not specified in XHTML AFAIK, why is it present here?
Zash
XEP ≠ XHTML tho
Link Mauve
But the XSLT transfers the <di/> to the generated HTML5.
Link Mauve
As is.
Zash
That sounds like a bug
Link Mauve
Indeed.
Link Mauve
I’ll use it in the meantime, but I’ll keep it in mind.
moparisthebest
other than prosody, XMPP servers seem very bad about having a place to report security problems...
moparisthebest
ejabberd and tigase just link to github issues, openfire links to a forum and public issue tracker
jonas’
Link Mauve, feel free to file an issue and/or patch
moparisthebest
isode, iot broker, astrachat nothing at all
moparisthebest
apache vysper joins prosody in having a very visible defined way to report security issues
Link Mauve
jonas’, https://github.com/xsf/xeps/pull/900
Link Mauve
moparisthebest, maybe report them the issue?
moparisthebest
and the rest have a developer email/jid if you dig deep enough, which isn't *terrible*
jonas’
Link Mauve, looks good, I’ll add it to the queue for tonight
moparisthebest
Link Mauve, right, how :D
Link Mauve
moparisthebest, using a normal issue I guess? ^^'
jonas’
moparisthebest, you could use a normal issue to report the problem that there’s no security contact.
jonas’
though github issues nowadays also have a way to be hidden for security reasons, IIRC
Link Mauve
Oh, do they?
moparisthebest
And the 3 servers that have no way to contact anyone at all?
moparisthebest
Email sales?
jonas’
fulldisclosure@seclists.org
moparisthebest
I don't think I care that much, if they don't, why should I
moparisthebest
I'll just post it on a blog or something and if they are vulnerable to a 0 day maybe they'll create a security email :)
Kev
Isode provides snail mail, phone, fax and email (through web form) contact details on the website, and customers obviously have a support system to submit things through. So I think 'nothing at all' in terms of ability to get in contact is pushing it a little bit.
moparisthebest
and no place to report specifically security issues, I guess a web form might go to someone who could handle them, it's not obvious though
Kev
Any (provided) contact mechanism would ultimately end up at someone who could handle the query.
Kev
Or if you think you've found a vulnerability in M-Link, feel free to just bypass that and email me.
moparisthebest
in this case it's more of a general bug that may affect multiple servers, but just in general having a dedicated security problem reporting method is ideal
Kev
It's not clear to me that it would be any more useful than the generic contact details, TBH.
Kev
I can see how for an OSS project where the contact details are "Open a public ticket viewable by the world" it would be.
jonas’
Kev, in 90% of the companies, the generic contact form will end up at a clueless person who deflects your request or it takes ages to proceed
jonas’
having a proper security contact is superior to that
moparisthebest
https://www.apache.org/security/ this is considered a good way to handle it
Kev
jonas’: I don't believe that to be true at Isode.
Kev
In fact, I believe we have precisely 0 clueless people on staff.
moparisthebest
https://www.astrachat.com/Contact.aspx for example only has sales emails
jonas’
Kev, but as a security researcher, you can’t know in advance
moparisthebest
https://letsencrypt.org/contact/ https://prosody.im/bugs/ also examples of prominent "security issues go here"
Wojtek
moparisthebest in case of Tigase you can use contact form here https://tigase.net/technical-support (3rd option, though naming may be confusing); besides - due to size and how we handle communication internally we didn't/don't feel that dedicated security channel was required
moparisthebest
Wojtek, the "If you have our support subscription use the form to send us a message" button?
Wojtek
you give example of LE, and even they put a bold: "Please do not write to this address unless your message concerns a security issue with Let’s Encrypt." because, from experience, when you put an email in public place, it's quite often spammed with people ignoring its intent sadly ¯\_(ツ)_/¯
Wojtek
yes, this one (as I said - naming may be confusing - I'll forward your suggestion to relevant person)
moparisthebest
ah yea, I would not have used that unless you said :)
Wojtek
sooorryyy :-)
Wojtek
in general support without subscription should go to github :-)
Wojtek
btw. wasn't there a XSF security mailing list?
pep.
there is still, maybe. Seems abandoned though
Wojtek
yeah, but it also seems public so I'm not sure it's viable in this case (I *thought* that it wasn't, or at least its archive wasn't)
Wojtek
@moparisthebest could you ping me on xmpp:wojtek@tigase.org ?
fippo
there was a server-devs mailing list which was created and then used for the dialback bugs.
fippo
unused since probably
Kev
Indeed, but it is intended for this type of thing.
moparisthebest
did those bugs let you crash a good amount of public servers though?
jonas’
that sounds fun
jonas’
crash as in crash?
jonas’
as in total DoS?
moparisthebest
this probably shouldn't be public until fixes are out, I've sent it to a number of server devs so far
jonas’
via s2s or authenticated c2s or unauthenticated c2s?
jonas’
yeah
moparisthebest
no data leaks, just crash (thankfully?)
jonas’
sounds like something to embargo
fippo
no crashes, it was an authentication bypass.
moparisthebest
unauthenticated c2s :'( (probably s2s also)
Kev
It wasn't a crash, it was an authentication bypass.
Kev
Heh.
fippo
also just checking: its not a variant of billion laughs?
moparisthebest
I haven't heard of that
jonas’
moparisthebest, ouchie
fippo
https://en.wikipedia.org/wiki/Billion_laughs_attack -- there was an xmpp variant of it as well
jonas’
moparisthebest, billion laughs is exponential entity expansion. define an XML entity &foo; which expands to &bar;&bar;, define &bar; to expand to &baz;&baz; and so on.
moparisthebest
ah, now that's nice, but no this isn't the same
pep.
aren't XMPP parsers not supposed to handle undefined entities?
jonas’
pep., and, more importantly, not supposed to handle entity definitions ;)
Kev
Indeed.
pep.
right
Kev
Not quite the same as people doing the right thing, though :)
jonas’
pep., as we all know, people take shortcuts when implementing stuff
jonas’
and if the shortcut is "not configuring your parser properly" ...
pep.
Indeed
fippo
well, this came up again a couple of years after the initial CVE. Happens all the time.
moparisthebest
now those are some hilarious links https://www.cio.com/article/3082084/xml-is-toast-long-live-json.html https://github.com/kubernetes/kubernetes/issues/83253 "CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack"
jonas’
relevant: https://noyaml.com
Ge0rG
When I got my dozen of xmpp clients CVE, I contacted all the developers manually