-
mdosch
> Memberbot is online now for our 2020 elections. Great applicants again this year
Is there any documentation on how to use the memberbot? I failed to find it.
-
Zash
Say "hello" or something to it
-
mdosch
xmpp:memberbot@xmpp.org is not replying to 'help' or 'hello'.
-
MattJ
Then poke Alex and make sure he has your up-to-date JID
-
MattJ
and that your s2s is working :)
-
larma
jonas’, regarding opengraph and phishing: https://www.der-postillon.com/2020/05/reichelt-twitter.html (sorry, German article)
-
jonas’
also satire
-
jonas’
I don’t like the Postillon's style, so I’ll just not click that, sorry
-
Alex
mdosch, please send me your preferred JID for voting and I will verify, or should I just take it from your membership application?
-
mdosch
Alex: martin@mdosch.de
-
mdosch
Thanks :)
-
MattJ
I definitely agree that sender/server-provided link previews are the way to go
-
jonas’
I think there is a huge difference between sender and server
-
Zash
Why not a bot?
-
jonas’
same thing as server
-
Zash
Why not random anonymous users?!
-
MattJ
I mean to cover any form of "the preview data is embedded in the message"
-
MattJ
Although intuitively it seems wrong (trusting information provided by another party), generating the preview on the recipient side only adds problems and doesn't solve any of the possible "attacks"
-
Holger
Alex: While you're at it, holger@jabber.fu-berlin.de
-
MattJ
If the link is malicious it can easily serve different content to different requests, e.g. if it sees an XMPP client's user-agent instead of a browser
-
MattJ
Meanwhile it leaks activity, your network address, and other information to the web server behind the link, without user action
-
Alex
added both JIDs, can you try again?
-
mdosch
> 10.11.20 16:35:14 - Subscription received from memberbot@xmpp.org
Alex: Thanks!
-
larma
jonas’: the article is about how they maliciously changed link preview by updating opengraph data after someone shared one of their articles on twitter.
-
jonas’
MattJ, it does solve the case where an attacker just wants to prank you
-
jonas’
take $urlToOffensivePictureInFullscreen, attach wrong preview, done.
-
jonas’
that attack does not need control over the webserver ("serve different content to different users")
-
MattJ
Agree, but they could just provide the link without a preview too and you'd probably open it anyway if you trust them :)
-
Zash
Solution in search of a problem: What if, the XMPP server offers a caching HTTP proxy to its users?
-
MattJ
and the same thing can be done in the recipient-generates-preview world
-
jonas’
MattJ, they can’t if previews are generated locally.
-
Zash
Credentials via XEP-0215 or somesuch
-
MattJ
so it doesn't fix anything
-
jonas’
how does a recipient-generated preview not fix that case?
-
MattJ
Because they can provide a URL that does what I described above
-
Zash
How about *everyone* generates their own preview, then we compare?
-
larma
Zash, consider e2ee, you'd leak message content to the server if you use a server-provided proxy
-
Zash
If you do HTTPS over SOCKS5 it leaks hostname to the XMPP server in exchange for not leaking your own IP to the proxy target.
-
Zash
So. Dunno, tradeoffs.
-
larma
yeah, but sender provided link previews do not leak anything...
-
Zash
Also, trust the server, the server is good!! ;)
-
larma
https://www.mysk.blog/2020/10/25/link-previews/ (lists which messaging apps do what, in case someone is interested)
-
Ge0rG
jonas’: I wanted to do some editing of CS'21, how long are you still available to merge a PR?
-
jonas’
Ge0rG, today?
-
jonas’
30 minutes probably
-
Ge0rG
jonas’: yes, thanks
- Ge0rG just realized there were no additional votes on ibr-token yet. Wanted to add it to Future Development.
-
Holger
Alex: Works for me as well, thank you.
-
Ge0rG
jonas’: are you opposed to having Extended Channel Search (XEP-0433) as a "specification of note" in IM?
-
jonas’
Ge0rG, no, sgtm
-
wurstsalat
larma: thanks for that comprehensive link!
-
edhelas
> The moment the link was sent, several Facebook servers immediately started downloading the file from our server. Since it wasn’t just one server, that large 2.6 GB file was downloaded several times. In total, approximately 24.7 GB of data was downloaded from our server by Facebook servers.
-
edhelas
damn, they really have bandwidth and space available
-
edhelas
my next question would be "what is the actual limit before we see some availability issue on status.facebook.com" :p
-
jonas’
I have that one file somewhere which is like 4k on my disk but is effectively several hundred GBs of zeroes…
-
Ge0rG
jonas’: https://gitlab.com/xsf/xeps/-/merge_requests/35
-
jonas’
I do like to use it to stresstest URL resolving bots :)
-
Ge0rG
jonas’: luckily traffic is free, eh?
-
jonas’
Ge0rG, can you rebase on current master/main first please?
-
jonas’
Ge0rG, it’s not, but the bots usually die quickly
-
edhelas
for Movim I do have something like that, only for pictures, it's generated by the sender, and only limited to a few Mb
-
Ge0rG
jonas’: rebased & repushed
-
jonas’
Ge0rG, also fun is the same thing but with <!DOCTYPE html>\n<html><title> in front of it :>
-
Neustradamus
Memberbot does not work, impossible to start
-
mathieui
seems to work fine here
-
moparisthebest
Neustradamus, is it just not responding or?
-
Zash
s2s seems to be working fine from what I can tell
-
Neustradamus
Now it is good
-
Neustradamus
There were 2 connections before, now only one.
-
Zash
Oh, not using jabber.org?
-
Neustradamus
This problem has been solved, I think with a change in OpenSSL. But it is not the solution to not migrate completely to Prosody...
-
Ge0rG
jonas’: thanks for merging!
-
Ge0rG
Looks like I missed adding AV to the categories list in the intro. Also should find a better name for "feature providers"
-
Ge0rG
Maybe just "specifications"?