XSF Discussion - 2020-03-03


  1. marc0s

    jonas’, thanks for the lengthy and detailed response about Reminders. I really appreciate it

  2. jonas’

    you’re welcome

  3. Link Mauve

    So, since I’m now doing an internship, I probably should change my member status.

  4. Link Mauve

    How can I do that?

  5. Link Mauve

    Also hi, I’m adding XEP-0284 support to Inkscape. o/

  6. jonas’

    Link Mauve, member status?

  7. Link Mauve

    jonas’, the employer thing.

  8. jonas’

    I just edit my wiki page

  9. Link Mauve

    I don’t have one yet. :-°

  10. flow

    Link Mauve, yeah, xep284 is one of my all time favorites (along with the gobby protocol)

  11. Link Mauve

    What are the differences between them?

  12. flow

    you may want to compare those two from a protocl perspective, although the gobby one isn't that well documented IIRC

  13. Link Mauve

    Also with other protocols such as Etherpad’s or CryptPad’s?

  14. flow

    I have no idea which one is better. But it could be worth putting some research effort into a survey of the existing protocols for collaborative xml editing

  15. Link Mauve

    Yeah.

  16. Link Mauve

    And then merge all of the improvements into XEP-0284. :p

  17. jonas’

    stay away from etherpad

  18. jonas’

    it uses the broken JavaScript unicode model

  19. jonas’

    with UTF-16 everywhere.

  20. moparisthebest

    if you have to stay away from broken javascript that's like 99% of the web

  21. moparisthebest

    though now that you mention it, sounds kind of nice...

  22. Ge0rG

    I've heard there are still parts of the web that you can surf with noscript.

  23. jonas’

    s.j.n for example

  24. jonas’

    though you won’t get the fancy charts

  25. Link Mauve

    jonas’, I’m using XMPP, so UTF-8 everywhere.

  26. jonas’

    Link Mauve, the etherpad protocol data model assumes UTF-16

  27. jonas’

    so stay away from that

  28. Link Mauve

    Ok.

  29. Ge0rG

    nothing is wrong with UTF-16. It's only when you treat it as UCS-2 when things start going wrong.

  30. moparisthebest

    is https://xmpp.org/software/servers.html a pretty complete list still? does anyone know of widely deployed public servers not on this list?

  31. Link Mauve

    In the XEP schema, <dl/> is specified as only taking a list of <di/>, each containing a <dt/> and a <dd/>.

  32. Link Mauve

    The <di/> is not specified in XHTML AFAIK, why is it present here?

  33. Zash

    XEP ≠ XHTML tho

  34. Link Mauve

    But the XSLT transfers the <di/> to the generated HTML5.

  35. Link Mauve

    As is.

  36. Zash

    That sounds like a bug

  37. Link Mauve

    Indeed.

  38. Link Mauve

    I’ll use it in the meantime, but I’ll keep it in mind.

  39. moparisthebest

    other than prosody, XMPP servers seem very bad about having a place to report security problems...

  40. moparisthebest

    ejabberd and tigase just link to github issues, openfire links to a forum and public issue tracker

  41. jonas’

    Link Mauve, feel free to file an issue and/or patch

  42. moparisthebest

    isode, iot broker, astrachat nothing at all

  43. moparisthebest

    apache vysper joins prosody in having a very visible defined way to report security issues

  44. Link Mauve

    jonas’, https://github.com/xsf/xeps/pull/900

  45. Link Mauve

    moparisthebest, maybe report them the issue?

  46. moparisthebest

    and the rest have a developer email/jid if you dig deep enough, which isn't *terrible*

  47. jonas’

    Link Mauve, looks good, I’ll add it to the queue for tonight

  48. moparisthebest

    Link Mauve, right, how :D

  49. Link Mauve

    moparisthebest, using a normal issue I guess? ^^'

  50. jonas’

    moparisthebest, you could use a normal issue to report the problem that there’s no security contact.

  51. jonas’

    though github issues nowadays also have a way to be hidden for security reasons, IIRC

  52. Link Mauve

    Oh, do they?

  53. moparisthebest

    And the 3 servers that have no way to contact anyone at all?

  54. moparisthebest

    Email sales?

  55. jonas’

    fulldisclosure@seclists.org

  56. moparisthebest

    I don't think I care that much, if they don't, why should I

  57. moparisthebest

    I'll just post it on a blog or something and if they are vulnerable to a 0 day maybe they'll create a security email :)

  58. Kev

    Isode provides snail mail, phone, fax and email (through web form) contact details on the website, and customers obviously have a support system to submit things through. So I think 'nothing at all' in terms of ability to get in contact is pushing it a little bit.

  59. moparisthebest

    and no place to report specifically security issues, I guess a web form might go to someone who could handle them, it's not obvious though

  60. Kev

    Any (provided) contact mechanism would ultimately end up at someone who could handle the query.

  61. Kev

    Or i fyou think you've found a vulnerability in M-Link, feel free to just bypass that and email me.

  62. Kev

    Or if you think you've found a vulnerability in M-Link, feel free to just bypass that and email me.

  63. moparisthebest

    in this case it's more of a general bug that may affect multiple servers, but just in general having a dedicated security problem reporting method is ideal

  64. Kev

    It's not clear to me that it would be any more useful than the generic contact details, TBH.

  65. Kev

    I can see how for an OSS project where the contact details are "Open a public ticket viewable by the world" it would be.

  66. jonas’

    Kev, in 90% of the companies, the generic contact form will end up at a clueless person who deflects your request or it takes ages to proceed

  67. jonas’

    having a proper security contact is superior to that

  68. moparisthebest

    https://www.apache.org/security/ this is considered a good way to handle it

  69. Kev

    jonas’: I don't believe that to be true at Isode.

  70. Kev

    In fact, I believe we have precisely 0 clueless people on staff.

  71. moparisthebest

    https://www.astrachat.com/Contact.aspx for example only has sales emails

  72. jonas’

    Kev, but as a security researcher, you can’t know in advance

  73. moparisthebest

    https://letsencrypt.org/contact/ https://prosody.im/bugs/ also examples of prominent "security issues go here"

  74. Wojtek

    moparisthebest in case of Tigase you can use contact form here https://tigase.net/technical-support (3rd option, though naming may be confusing); besides - due to size and how we handle communication internally we didn't/don't fee that dedicated security channel was required

  75. moparisthebest

    Wojtek, the "If you have our support subscription use the form to send us a message" button?

  76. Wojtek

    you give example of LE, and even they put a bold: "Please do not write to this address unless your message concerns a security issue with Let’s Encrypt." because, from experience, when you put an email in public place, it's quite often spammed with people ignoring it's intend sadly ¯\_(ツ)_/¯

  77. Wojtek

    yes, this one (as I said - naming may be confusing - I'll forward your suggestion to relevant person)

  78. moparisthebest

    ah yea, I would not have used that unless you said :)

  79. Wojtek

    sooorryyy :-)

  80. Wojtek

    in general support without subscription should go to github :-)

  81. Wojtek

    btw. wasn't there a XSF security mailing list?

  82. pep.

    there is still, maybe. Seems abandonned though

  83. Wojtek

    yeah, but it also seems public so I'm not sure it's viable in this case (I *thought* that it wasn't, or at least it's archive wasn't)

  84. Wojtek

    @moparisthebest could you ping me on xmpp:wojtek@tigase.org ?

  85. fippo

    there was a server-devs mailing list which was created and then used for the dialback bugs.

  86. fippo

    unused since probably

  87. Kev

    Indeed, but is intended for this type of thing.

  88. moparisthebest

    did those bugs let you crash a good amount of public servers though?

  89. jonas’

    that sounds fun

  90. jonas’

    crash as in crash?

  91. jonas’

    as in total DoS?

  92. moparisthebest

    this probably shouldn't be public until fixes are out, I've sent it to a number of server devs so far

  93. jonas’

    via s2s or authenticated c2s or unauthenticated c2s?

  94. jonas’

    yeah

  95. moparisthebest

    no data leaks, just crash (thankfully?)

  96. jonas’

    sounds like something to embargo

  97. fippo

    no crashes, it was an authentication bypass.

  98. moparisthebest

    unauthenticated c2s :'( (probably s2s also)

  99. Kev

    It wasn't a crash, it was an authentication bypass.

  100. Kev

    Heh.

  101. fippo

    also just checking: its not a variant of billion laughs?

  102. moparisthebest

    I haven't heard of that

  103. jonas’

    moparisthebest, ouchie

  104. fippo

    https://en.wikipedia.org/wiki/Billion_laughs_attack -- there was an xmpp variant of it as well

  105. jonas’

    moparisthebest, billion laughs is exponential entity expansion. define an XML entity &foo; which expands to &bar;&bar;, define &bar; to expand to &baz;&baz; and so on.

  106. moparisthebest

    ah, now that's nice, but no this isn't the same

  107. pep.

    isn't XMPP parsers not supposed to handle undefined entities?

  108. pep.

    aren't XMPP parsers not supposed to handle undefined entities?

  109. jonas’

    pep., and, more importantly, not supposed to handle entity definitions ;)

  110. Kev

    Indeed.

  111. pep.

    right

  112. Kev

    Not quite the same as people doing the right thing, though :)

  113. jonas’

    pep., as we all know, people take shortcuts when implementing stuff

  114. jonas’

    and if the shortcut is "not configuring your parser properly" ...

  115. pep.

    Indeed

  116. fippo

    well, this came up again a couple of years after the initial CVE. Happens all the time.

  117. moparisthebest

    now those are some hilarious links https://www.cio.com/article/3082084/xml-is-toast-long-live-json.html https://github.com/kubernetes/kubernetes/issues/83253 "CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack"

  118. jonas’

    relevant: https://noyaml.com

  119. Ge0rG

    When I got my dozen of xmpp clients CVE, I contacted all the developers manually