XSF Discussion - 2020-03-03


  1. debacle has left

  2. david has joined

  3. Daniel has left

  4. Daniel has joined

  5. Daniel has left

  6. pdurbin has joined

  7. andrey.g has joined

  8. Daniel has joined

  9. Alex has left

  10. Alex has joined

  11. pdurbin has left

  12. karoshi has left

  13. xelxebar has left

  14. larma has left

  15. Daniel has left

  16. xelxebar has joined

  17. Daniel has joined

  18. larma has joined

  19. winfried has left

  20. winfried has joined

  21. winfried has left

  22. winfried has joined

  23. Daniel has left

  24. Daniel has joined

  25. lskdjf has left

  26. strypey has joined

  27. Daniel has left

  28. Daniel has joined

  29. pdurbin has joined

  30. mukt2 has joined

  31. pdurbin has left

  32. mukt2 has left

  33. Yagiza has joined

  34. Nekit has joined

  35. david has left

  36. david has joined

  37. pdurbin has joined

  38. mukt2 has joined

  39. david has left

  40. mukt2 has left

  41. david has joined

  42. moparisthebest has left

  43. moparisthebest has joined

  44. moparisthebest has left

  45. moparisthebest has joined

  46. moparisthebest has left

  47. moparisthebest has joined

  48. andy has joined

  49. strypey has left

  50. Steve Kille has joined

  51. raghavgururajan has joined

  52. pdurbin has left

  53. david has left

  54. david has joined

  55. Daniel has left

  56. Daniel has joined

  57. Jeybe has joined

  58. pdurbin has joined

  59. raghavgururajan has left

  60. raghavgururajan has joined

  61. mukt2 has joined

  62. raghavgururajan has left

  63. raghavgururajan has joined

  64. raghavgururajan has left

  65. raghavgururajan has joined

  66. Tobias has joined

  67. lorddavidiii has joined

  68. raghavgururajan has left

  69. raghavgururajan has joined

  70. raghavgururajan has left

  71. raghavgururajan has joined

  72. mukt2 has left

  73. raghavgururajan has left

  74. raghavgururajan has joined

  75. rion has left

  76. Nekit has left

  77. rion has joined

  78. Nekit has joined

  79. Daniel has left

  80. Daniel has joined

  81. pdurbin has left

  82. LNJ has joined

  83. pdurbin has joined

  84. paul has joined

  85. Steve Kille has left

  86. waqas has left

  87. pdurbin has left

  88. karoshi has joined

  89. raghavgururajan has left

  90. raghavgururajan has joined

  91. raghavgururajan has left

  92. lorddavidiii has left

  93. mukt2 has joined

  94. lorddavidiii has joined

  95. mukt2 has left

  96. Marc has joined

  97. strypey has joined

  98. lorddavidiii has left

  99. lorddavidiii has joined

  100. strypey has left

  101. strypey has joined

  102. lorddavidiii has left

  103. lorddavidiii has joined

  104. paul has left

  105. Maranda has left

  106. Maranda has joined

  107. paul has joined

  108. lorddavidiii has left

  109. krauq has left

  110. lorddavidiii has joined

  111. krauq has joined

  112. lorddavidiii has left

  113. lorddavidiii has joined

  114. krauq has left

  115. pdurbin has joined

  116. mukt2 has joined

  117. strypey has left

  118. strypey has joined

  119. remko has joined

  120. debxwoody has joined

  121. pdurbin has left

  122. debxwoody has left

  123. Steve Kille has joined

  124. mukt2 has left

  125. matkor has left

  126. matkor has joined

  127. krauq has joined

  128. lorddavidiii has left

  129. lorddavidiii has joined

  130. Steve Kille has left

  131. vanitasvitae has left

  132. vanitasvitae has joined

  133. sonny has left

  134. sonny has joined

  135. mukt2 has joined

  136. debacle has joined

  137. mukt2 has left

  138. Zash has left

  139. Zash has joined

  140. Steve Kille has joined

  141. goffi has joined

  142. lorddavidiii has left

  143. eevvoor has joined

  144. lorddavidiii has joined

  145. pdurbin has joined

  146. lskdjf has joined

  147. Daniel has left

  148. Daniel has joined

  149. pdurbin has left

  150. mukt2 has joined

  151. mimi89999 has left

  152. Steve Kille has left

  153. mukt2 has left

  154. Steve Kille has joined

  155. remko has left

  156. remko has joined

  157. strypey has left

  158. strypey has joined

  159. marc0s

    jonas’, thanks for the lengthy and detailed response about Reminders. I really appreciate it

  160. jonas’

    you’re welcome

  161. pdurbin has joined

  162. eta has left

  163. eta has joined

  164. remko has left

  165. strypey has left

  166. strypey has joined

  167. pdurbin has left

  168. LNJ has left

  169. Steve Kille has left

  170. Steve Kille has joined

  171. remko has joined

  172. debacle has left

  173. mukt2 has joined

  174. Maranda has left

  175. Steve Kille has left

  176. lorddavidiii has left

  177. remko has left

  178. lorddavidiii has joined

  179. Maranda has joined

  180. lorddavidiii has left

  181. remko has joined

  182. lorddavidiii has joined

  183. mukt2 has left

  184. strypey has left

  185. remko has left

  186. lskdjf has left

  187. lskdjf has joined

  188. eevvoor has left

  189. remko has joined

  190. remko has left

  191. remko has joined

  192. mimi89999 has joined

  193. remko has left

  194. eta has left

  195. Jeybe has left

  196. remko has joined

  197. Jeybe has joined

  198. Half-Shot[m] has left

  199. pdurbin has joined

  200. pdurbin has left

  201. pdurbin has joined

  202. eta has joined

  203. Steve Kille has joined

  204. mukt2 has joined

  205. lorddavidiii has left

  206. mimi89999 has left

  207. lorddavidiii has joined

  208. mukt2 has left

  209. mimi89999 has joined

  210. eevvoor has joined

  211. raghavgururajan has joined

  212. Marc has left

  213. Marc has joined

  214. andy has left

  215. LNJ has joined

  216. Link Mauve

    So, since I’m now doing an internship, I probably should change my member status.

  217. Link Mauve

    How can I do that?

  218. Link Mauve

    Also hi, I’m adding XEP-0284 support to Inkscape. o/

  219. jonas’

    Link Mauve, member status?

  220. Link Mauve

    jonas’, the employer thing.

  221. jonas’

    I just edit my wiki page

  222. Link Mauve

    I don’t have one yet. :-°

  223. andy has joined

  224. Marc has left

  225. flow

    Link Mauve, yeah, xep284 is one of my all time favorites (along with the gobby protocol)

  226. Link Mauve

    What are the differences between them?

  227. flow

    you may want to compare those two from a protocol perspective, although the gobby one isn't that well documented IIRC

  228. Link Mauve

    Also with other protocols such as Etherpad’s or CryptPad’s?

  229. flow

    I have no idea which one is better. But it could be worth putting some research effort into a survey of the existing protocols for collaborative xml editing

  230. Link Mauve

    Yeah.

  231. Link Mauve

    And then merge all of the improvements into XEP-0284. :p

  232. pdurbin has left

  233. lorddavidiii has left

  234. Douglas Terabyte has left

  235. Douglas Terabyte has joined

  236. lorddavidiii has joined

  237. raghavgururajan has left

  238. Half-Shot has left

  239. Half-Shot has joined

  240. lorddavidiii has left

  241. eta has left

  242. lorddavidiii has joined

  243. raghavgururajan has joined

  244. lorddavidiii has left

  245. remko has left

  246. remko has joined

  247. Wojtek has joined

  248. raghavgururajan has left

  249. jonas’

    stay away from etherpad

  250. jonas’

    it uses the broken JavaScript unicode model

  251. jonas’

    with UTF-16 everywhere.

  252. moparisthebest

    if you have to stay away from broken javascript that's like 99% of the web

  253. moparisthebest

    though now that you mention it, sounds kind of nice...

  254. lorddavidiii has joined

  255. Ge0rG

    I've heard there are still parts of the web that you can surf with noscript.

  256. raghavgururajan has joined

  257. jonas’

    s.j.n for example

  258. jonas’

    though you won’t get the fancy charts

  259. Link Mauve

    jonas’, I’m using XMPP, so UTF-8 everywhere.

  260. jonas’

    Link Mauve, the etherpad protocol data model assumes UTF-16

  261. jonas’

    so stay away from that

  262. Link Mauve

    Ok.

  263. Ge0rG

    nothing is wrong with UTF-16. It's only when you treat it as UCS-2 that things start going wrong.

  264. j.r has left

  265. lorddavidiii has left

  266. lorddavidiii has joined

  267. remko has left

  268. lorddavidiii has left

  269. eta has joined

  270. lorddavidiii has joined

  271. lorddavidiii has left

  272. j.r has joined

  273. lorddavidiii has joined

  274. remko has joined

  275. lorddavidiii has left

  276. lorddavidiii has joined

  277. lorddavidiii has left

  278. lorddavidiii has joined

  279. lorddavidiii has left

  280. lorddavidiii has joined

  281. Jeybe has left

  282. Jeybe has joined

  283. j.r has left

  284. j.r has joined

  285. lorddavidiii has left

  286. lorddavidiii has joined

  287. eta has left

  288. eta has joined

  289. pdurbin has joined

  290. Jeybe has left

  291. Jeybe has joined

  292. Nekit has left

  293. Nekit has joined

  294. lorddavidiii has left

  295. pdurbin has left

  296. lorddavidiii has joined

  297. lorddavidiii has left

  298. lorddavidiii has joined

  299. Steve Kille has left

  300. moparisthebest

    is https://xmpp.org/software/servers.html a pretty complete list still? does anyone know of widely deployed public servers not on this list?

  301. Link Mauve

    In the XEP schema, <dl/> is specified as only taking a list of <di/>, each containing a <dt/> and a <dd/>.

  302. Link Mauve

    The <di/> is not specified in XHTML AFAIK, why is it present here?

  303. Zash

    XEP ≠ XHTML tho

  304. Link Mauve

    But the XSLT transfers the <di/> to the generated HTML5.

  305. Link Mauve

    As is.

  306. Zash

    That sounds like a bug

  307. Link Mauve

    Indeed.

  308. Link Mauve

    I’ll use it in the meantime, but I’ll keep it in mind.

  309. lorddavidiii has left

  310. lorddavidiii has joined

  311. moparisthebest

    other than prosody, XMPP servers seem very bad about having a place to report security problems...

  312. moparisthebest

    ejabberd and tigase just link to github issues, openfire links to a forum and public issue tracker

  313. lovetox has joined

  314. jonas’

    Link Mauve, feel free to file an issue and/or patch

  315. moparisthebest

    isode, iot broker, astrachat nothing at all

  316. debacle has joined

  317. moparisthebest

    apache vysper joins prosody in having a very visible defined way to report security issues

  318. Link Mauve

    jonas’, https://github.com/xsf/xeps/pull/900

  319. Link Mauve

    moparisthebest, maybe report them the issue?

  320. moparisthebest

    and the rest have a developer email/jid if you dig deep enough, which isn't *terrible*

  321. jonas’

    Link Mauve, looks good, I’ll add it to the queue for tonight

  322. moparisthebest

    Link Mauve, right, how :D

  323. Link Mauve

    moparisthebest, using a normal issue I guess? ^^'

  324. jonas’

    moparisthebest, you could use a normal issue to report the problem that there’s no security contact.

  325. jonas’

    though github issues nowadays also have a way to be hidden for security reasons, IIRC

  326. Link Mauve

    Oh, do they?

  327. moparisthebest

    And the 3 servers that have no way to contact anyone at all?

  328. moparisthebest

    Email sales?

  329. jonas’

    fulldisclosure@seclists.org

  330. remko has left

  331. remko has joined

  332. Steve Kille has joined

  333. raghavgururajan has left

  334. remko has left

  335. remko has joined

  336. Steve Kille has left

  337. waqas has joined

  338. waqas has left

  339. moparisthebest

    I don't think I care that much, if they don't, why should I

  340. moparisthebest

    I'll just post it on a blog or something and if they are vulnerable to a 0 day maybe they'll create a security email :)

  341. Kev

    Isode provides snail mail, phone, fax and email (through web form) contact details on the website, and customers obviously have a support system to submit things through. So I think 'nothing at all' in terms of ability to get in contact is pushing it a little bit.

  342. moparisthebest

    and no place to report specifically security issues, I guess a web form might go to someone who could handle them, it's not obvious though

  343. Kev

    Any (provided) contact mechanism would ultimately end up at someone who could handle the query.

  345. Kev

    Or if you think you've found a vulnerability in M-Link, feel free to just bypass that and email me.

  346. moparisthebest

    in this case it's more of a general bug that may affect multiple servers, but just in general having a dedicated security problem reporting method is ideal

  347. Kev

    It's not clear to me that it would be any more useful than the generic contact details, TBH.

  348. Kev

    I can see how for an OSS project where the contact details are "Open a public ticket viewable by the world" it would be.

  349. jonas’

    Kev, in 90% of the companies, the generic contact form will end up at a clueless person who deflects your request or it takes ages to proceed

  350. jonas’

    having a proper security contact is superior to that

  351. moparisthebest

    https://www.apache.org/security/ this is considered a good way to handle it

  352. Kev

    jonas’: I don't believe that to be true at Isode.

  353. Kev

    In fact, I believe we have precisely 0 clueless people on staff.

  354. moparisthebest

    https://www.astrachat.com/Contact.aspx for example only has sales emails

  355. remko has left

  356. remko has joined

  357. jonas’

    Kev, but as a security researcher, you can’t know in advance

  358. moparisthebest

    https://letsencrypt.org/contact/ https://prosody.im/bugs/ also examples of prominent "security issues go here"

  359. Yagiza has left

  360. pdurbin has joined

  361. remko has left

  362. Nekit has left

  363. Syndace has left

  364. pdurbin has left

  365. Wojtek

    moparisthebest in case of Tigase you can use contact form here https://tigase.net/technical-support (3rd option, though naming may be confusing); besides - due to size and how we handle communication internally we didn't/don't feel that dedicated security channel was required

  366. remko has joined

  367. raghavgururajan has joined

  368. moparisthebest

    Wojtek, the "If you have our support subscription use the form to send us a message" button?

  369. Wojtek

    you give example of LE, and even they put a bold: "Please do not write to this address unless your message concerns a security issue with Let’s Encrypt." because, from experience, when you put an email in public place, it's quite often spammed with people ignoring its intent sadly ¯\_(ツ)_/¯

  370. Wojtek

    yes, this one (as I said - naming may be confusing - I'll forward your suggestion to relevant person)

  371. moparisthebest

    ah yea, I would not have used that unless you said :)

  372. Wojtek

    sooorryyy :-)

  373. Wojtek

    in general support without subscription should go to github :-)

  374. Wojtek

    btw. wasn't there a XSF security mailing list?

  375. pep.

    there is still, maybe. Seems abandoned though

  376. waqas has joined

  377. waqas has left

  378. Wojtek

    yeah, but it also seems public so I'm not sure it's viable in this case (I *thought* that it wasn't, or at least its archive wasn't)

  379. Wojtek has left

  380. Wojtek has joined

  381. Wojtek

    @moparisthebest could you ping me on xmpp:wojtek@tigase.org ?

  382. fippo

    there was a server-devs mailing list which was created and then used for the dialback bugs.

  383. fippo

    unused since probably

  384. Dele Olajide has left

  385. Dele Olajide has joined

  386. Marc has joined

  387. Kev

    Indeed, but is intended for this type of thing.

  388. moparisthebest

    did those bugs let you crash a good amount of public servers though?

  389. jonas’

    that sounds fun

  390. jonas’

    crash as in crash?

  391. jonas’

    as in total DoS?

  392. moparisthebest

    this probably shouldn't be public until fixes are out, I've sent it to a number of server devs so far

  393. jonas’

    via s2s or authenticated c2s or unauthenticated c2s?

  394. jonas’

    yeah

  395. moparisthebest

    no data leaks, just crash (thankfully?)

  396. jonas’

    sounds like something to embargo

  397. fippo

    no crashes, it was an authentication bypass.

  398. moparisthebest

    unauthenticated c2s :'( (probably s2s also)

  399. Kev

    It wasn't a crash, it was an authentication bypass.

  400. Kev

    Heh.

  401. fippo

    also just checking: it's not a variant of billion laughs?

  402. moparisthebest

    I haven't heard of that

  403. jonas’

    moparisthebest, ouchie

  404. fippo

    https://en.wikipedia.org/wiki/Billion_laughs_attack -- there was an xmpp variant of it as well

  405. jonas’

    moparisthebest, billion laughs is exponential entity expansion. define an XML entity &foo; which expands to &bar;&bar;, define &bar; to expand to &baz;&baz; and so on.

  406. moparisthebest

    ah, now that's nice, but no this isn't the same

  408. pep.

    aren't XMPP parsers not supposed to handle undefined entities?

  409. jonas’

    pep., and, more importantly, not supposed to handle entity definitions ;)

  410. Kev

    Indeed.

  411. pep.

    right

  412. Kev

    Not quite the same as people doing the right thing, though :)

  413. jonas’

    pep., as we all know, people take shortcuts when implementing stuff

  414. jonas’

    and if the shortcut is "not configuring your parser properly" ...

  415. pep.

    Indeed

  416. fippo

    well, this came up again a couple of years after the initial CVE. Happens all the time.

  417. moparisthebest

    now those are some hilarious links https://www.cio.com/article/3082084/xml-is-toast-long-live-json.html https://github.com/kubernetes/kubernetes/issues/83253 "CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack"

  418. jonas’

    relevant: https://noyaml.com

  419. Dele Olajide has left

  420. andrey.g has left

  421. Wojtek has left

  422. Wojtek has joined

  423. Wojtek has left

  424. Wojtek has joined

  425. Wojtek has left

  426. Wojtek has joined

  427. Wojtek has left

  428. Wojtek has joined

  429. Wojtek has left

  430. Wojtek has joined

  431. raghavgururajan has left

  432. Wojtek has left

  433. Wojtek has joined

  434. Wojtek has left

  435. Ge0rG

    When I got my dozen of xmpp clients CVE, I contacted all the developers manually

  436. david has left

  437. david has joined

  438. lovetox has left

  439. raghavgururajan has joined

  440. Jeybe has left

  441. Jeybe has joined

  442. Wojtek has joined

  443. eta has left

  444. eta has joined

  445. Syndace has joined

  446. david has left

  447. david has joined

  448. Half-Shot has left

  449. Half-Shot has joined

  450. raghavgururajan has left

  451. raghavgururajan has joined

  452. Nekit has joined

  453. LNJ has left

  454. raghavgururajan has left

  455. APach has left

  456. raghavgururajan has joined

  457. remko has left

  458. andy has left

  459. Tobias has left

  460. j.r has left

  461. j.r has joined

  462. j.r has left

  463. j.r has joined

  464. Nekit has left

  465. j.r has left

  466. j.r has joined

  467. j.r has left

  468. eevvoor has left

  469. j.r has joined

  470. Steve Kille has joined

  471. pdurbin has joined

  472. pdurbin has left

  473. Syndace has left

  474. Marc has left

  475. Marc has joined

  476. Syndace has joined

  477. Steve Kille has left

  478. Marc has left

  479. Marc has joined

  480. paul has left

  481. Marc has left

  482. lorddavidiii has left

  483. robertooo has left

  484. Jeybe has left

  485. robertooo has joined

  486. Jeybe has joined

  487. goffi has left

  488. Wojtek has left

  489. Daniel has left

  490. Daniel has joined

  491. raghavgururajan has left

  492. aj has joined

  493. aj has left

  494. david has left

  495. Daniel has left

  496. Daniel has joined

  497. david has joined

  498. Daniel has left

  499. Jeybe has left

  500. Daniel has joined

  501. pdurbin has joined

  502. xelxebar has left