-
marc0s
jonas’, thanks for the lengthy and detailed response about Reminders. I really appreciate it
-
jonas’
you’re welcome
-
Link Mauve
So, since I’m now doing an internship, I probably should change my member status.
-
Link Mauve
How can I do that?
-
Link Mauve
Also hi, I’m adding XEP-0284 support to Inkscape. o/
-
jonas’
Link Mauve, member status?
-
Link Mauve
jonas’, the employer thing.
-
jonas’
I just edit my wiki page
-
Link Mauve
I don’t have one yet. :-°
-
flow
Link Mauve, yeah, xep284 is one of my all time favorites (along with the gobby protocol)
-
Link Mauve
What are the differences between them?
-
flow
you may want to compare those two from a protocol perspective, although the gobby one isn't that well documented IIRC
-
Link Mauve
Also with other protocols such as Etherpad’s or CryptPad’s?
-
flow
I have no idea which one is better. But it could be worth putting some research effort into a survey of the existing protocols for collaborative xml editing
-
Link Mauve
Yeah.
-
Link Mauve
And then merge all of the improvements into XEP-0284. :p
-
jonas’
stay away from etherpad
-
jonas’
it uses the broken JavaScript unicode model
-
jonas’
with UTF-16 everywhere.
-
moparisthebest
if you have to stay away from broken javascript that's like 99% of the web
-
moparisthebest
though now that you mention it, sounds kind of nice...
-
Ge0rG
I've heard there are still parts of the web that you can surf with noscript.
-
jonas’
s.j.n for example
-
jonas’
though you won’t get the fancy charts
-
Link Mauve
jonas’, I’m using XMPP, so UTF-8 everywhere.
-
jonas’
Link Mauve, the etherpad protocol data model assumes UTF-16
-
jonas’
so stay away from that
-
Link Mauve
Ok.
-
Ge0rG
nothing is wrong with UTF-16. It's only when you treat it as UCS-2 that things start going wrong.
-
moparisthebest
is https://xmpp.org/software/servers.html a pretty complete list still? does anyone know of widely deployed public servers not on this list?
-
Link Mauve
In the XEP schema, <dl/> is specified as only taking a list of <di/>, each containing a <dt/> and a <dd/>.
-
Link Mauve
The <di/> is not specified in XHTML AFAIK, why is it present here?
-
Zash
XEP ≠ XHTML tho
-
Link Mauve
But the XSLT transfers the <di/> to the generated HTML5.
-
Link Mauve
As is.
-
Zash
That sounds like a bug
-
Link Mauve
Indeed.
-
Link Mauve
I’ll use it in the meantime, but I’ll keep it in mind.
-
moparisthebest
other than prosody, XMPP servers seem very bad about having a place to report security problems...
-
moparisthebest
ejabberd and tigase just link to github issues, openfire links to a forum and public issue tracker
-
jonas’
Link Mauve, feel free to file an issue and/or patch
-
moparisthebest
isode, iot broker, astrachat nothing at all
-
moparisthebest
apache vysper joins prosody in having a very visible defined way to report security issues
-
Link Mauve
jonas’, https://github.com/xsf/xeps/pull/900
-
Link Mauve
moparisthebest, maybe report the issue to them?
-
moparisthebest
and the rest have a developer email/jid if you dig deep enough, which isn't *terrible*
-
jonas’
Link Mauve, looks good, I’ll add it to the queue for tonight
-
moparisthebest
Link Mauve, right, how :D
-
Link Mauve
moparisthebest, using a normal issue I guess? ^^'
-
jonas’
moparisthebest, you could use a normal issue to report the problem that there’s no security contact.
-
jonas’
though github issues nowadays also have a way to be hidden for security reasons, IIRC
-
Link Mauve
Oh, do they?
-
moparisthebest
And the 3 servers that have no way to contact anyone at all?
-
moparisthebest
Email sales?
-
jonas’
fulldisclosure@seclists.org
-
moparisthebest
I don't think I care that much, if they don't, why should I
-
moparisthebest
I'll just post it on a blog or something and if they are vulnerable to a 0 day maybe they'll create a security email :)
-
Kev
Isode provides snail mail, phone, fax and email (through web form) contact details on the website, and customers obviously have a support system to submit things through. So I think 'nothing at all' in terms of ability to get in contact is pushing it a little bit.
-
moparisthebest
and no place to report specifically security issues, I guess a web form might go to someone who could handle them, it's not obvious though
-
Kev
Any (provided) contact mechanism would ultimately end up at someone who could handle the query.
-
Kev
Or if you think you've found a vulnerability in M-Link, feel free to just bypass that and email me.
-
moparisthebest
in this case it's more of a general bug that may affect multiple servers, but just in general having a dedicated security problem reporting method is ideal
-
Kev
It's not clear to me that it would be any more useful than the generic contact details, TBH.
-
Kev
I can see how for an OSS project where the contact details are "Open a public ticket viewable by the world" it would be.
-
jonas’
Kev, in 90% of the companies, the generic contact form will end up at a clueless person who deflects your request or it takes ages to proceed
-
jonas’
having a proper security contact is superior to that
-
moparisthebest
https://www.apache.org/security/ this is considered a good way to handle it
-
Kev
jonas’: I don't believe that to be true at Isode.
-
Kev
In fact, I believe we have precisely 0 clueless people on staff.
-
moparisthebest
https://www.astrachat.com/Contact.aspx for example only has sales emails
-
jonas’
Kev, but as a security researcher, you can’t know in advance
-
moparisthebest
https://letsencrypt.org/contact/ https://prosody.im/bugs/ also examples of prominent "security issues go here"
-
Wojtek
moparisthebest in case of Tigase you can use the contact form here https://tigase.net/technical-support (3rd option, though naming may be confusing); besides - due to size and how we handle communication internally we didn't/don't feel that a dedicated security channel was required
-
moparisthebest
Wojtek, the "If you have our support subscription use the form to send us a message" button?
-
Wojtek
you give the example of LE, and even they put a bold: "Please do not write to this address unless your message concerns a security issue with Let’s Encrypt." because, from experience, when you put an email in a public place, it's quite often spammed by people ignoring its intent, sadly ¯\_(ツ)_/¯
-
Wojtek
yes, this one (as I said - naming may be confusing - I'll forward your suggestion to relevant person)
-
moparisthebest
ah yea, I would not have used that unless you said :)
-
Wojtek
sooorryyy :-)
-
Wojtek
in general support without subscription should go to github :-)
-
Wojtek
btw. wasn't there a XSF security mailing list?
-
pep.
there is still, maybe. Seems abandoned though
-
Wojtek
yeah, but it also seems public so I'm not sure it's viable in this case (I *thought* that it wasn't, or at least its archive wasn't)
-
Wojtek
@moparisthebest could you ping me on xmpp:wojtek@tigase.org ?
-
fippo
there was a server-devs mailing list which was created and then used for the dialback bugs.
-
fippo
unused since probably
-
Kev
Indeed, but it is intended for this type of thing.
-
moparisthebest
did those bugs let you crash a good amount of public servers though?
-
jonas’
that sounds fun
-
jonas’
crash as in crash?
-
jonas’
as in total DoS?
-
moparisthebest
this probably shouldn't be public until fixes are out, I've sent it to a number of server devs so far
-
jonas’
via s2s or authenticated c2s or unauthenticated c2s?
-
jonas’
yeah
-
moparisthebest
no data leaks, just crash (thankfully?)
-
jonas’
sounds like something to embargo
-
fippo
no crashes, it was an authentication bypass.
-
moparisthebest
unauthenticated c2s :'( (probably s2s also)
-
Kev
It wasn't a crash, it was an authentication bypass.
-
Kev
Heh.
-
fippo
also just checking: it's not a variant of billion laughs?
-
moparisthebest
I haven't heard of that
-
jonas’
moparisthebest, ouchie
-
fippo
https://en.wikipedia.org/wiki/Billion_laughs_attack -- there was an xmpp variant of it as well
-
jonas’
moparisthebest, billion laughs is exponential entity expansion. define an XML entity &foo; which expands to &bar;&bar;, define &bar; to expand to &baz;&baz; and so on.
-
moparisthebest
ah, now that's nice, but no this isn't the same
-
pep.
isn't XMPP parsers not supposed to handle undefined entities?✎ -
pep.
aren't XMPP parsers not supposed to handle undefined entities? ✏
-
jonas’
pep., and, more importantly, not supposed to handle entity definitions ;)
-
Kev
Indeed.
-
pep.
right
-
Kev
Not quite the same as people doing the right thing, though :)
-
jonas’
pep., as we all know, people take shortcuts when implementing stuff
-
jonas’
and if the shortcut is "not configuring your parser properly" ...
-
pep.
Indeed
-
fippo
well, this came up again a couple of years after the initial CVE. Happens all the time.
-
moparisthebest
now those are some hilarious links https://www.cio.com/article/3082084/xml-is-toast-long-live-json.html https://github.com/kubernetes/kubernetes/issues/83253 "CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack"
-
jonas’
relevant: https://noyaml.com
-
Ge0rG
When I got my dozen of xmpp clients CVE, I contacted all the developers manually