XSF Discussion - 2020-11-10

  1. mdosch

    > Memberbot is online now for our 2020 elections. Great applicants again this year Is there any documentation how to use the memberbot? I failed to find it. 😔

  2. Zash

    Say "hello" or something to it

  3. mdosch

    xmpp:memberbot@xmpp.org is not replying to 'help' or 'hello'.

  4. MattJ

    Then poke Alex and make sure he has your up-to-date JID

  5. MattJ

    and that your s2s is working :)

  6. larma

    jonas’, regarding opengraph and phishing: https://www.der-postillon.com/2020/05/reichelt-twitter.html (sorry, German article)

  7. jonas’

    also satire

  8. jonas’

    I don’t like the postillons style, so I’ll just not click that, sorry

  9. Alex

    mdosch, please send me your prefereed Jid for voting and I will verify, or should I just take it from your membership application?

  10. mdosch

    Alex: martin@mdosch.de

  11. mdosch

    Thanks :)

  12. MattJ

    I definitely agree that sender/server-provided link previews are the way to go

  13. jonas’

    I think there is a huge difference between sender and server

  14. Zash

    Why not a bot?

  15. jonas’

    same thing as server

  16. Zash

    Why not random anonymous users?!

  17. MattJ

    I mean to cover any form of "the preview data is embedded in the message"

  18. MattJ

    Although intuitively it seems wrong (trusting information provided by another party), generating the preview on the recipient side only adds problems and doesn't solve any of the possible "attacks"

  19. Holger

    Alex: While you're at it 🙂 holger@jabber.fu-berlin.de

  20. MattJ

    If the link is malicious it can easily serve different content to different requests, e.g. if it sees an XMPP client's user-agent instead of a browser

  21. MattJ

    Meanwhile it leaks activity, your network address, and other information to the web server behind the link, without user action

  22. Alex

    adeed both Jids, can you try again?

  23. mdosch

    >10.11.20 16:35:14 - Subscription received from memberbot@xmpp.org Alex: Thanks!

  24. larma

    jonas’: the article is about how they maliciously changed link preview by updating opengraph data after someone shared one of their articles on twitter.

  25. jonas’

    MattJ, it does solve the case where an attacker just wants to prank you

  26. jonas’

    take $urlToOffensivePictureInFullscreen, attach wrong preview, done.

  27. jonas’

    that attack does not need control over the webserver ("serve different content to different users")

  28. MattJ

    Agree, but they could just provide the link without a preview too and you'd probably open it anyway if you trust them :)

  29. Zash

    Solution in search of a problem: What if, the XMPP server offers a caching HTTP proxy to its users?

  30. MattJ

    and the same thing can be done in the recipient-generates-preview world

  31. jonas’

    MattJ, they can’t if previews are generated locally.

  32. Zash

    Credentials via XEP-0215 or somesuch

  33. MattJ

    so it doesn't fix anything

  34. jonas’

    how does a recipient-generated preview not fix that case?

  35. MattJ

    Because they can provide a URL that does what I described above

  36. Zash

    How about *everyone* generates their own preview, then we compare?

  37. larma

    Zash, consider e2ee, you'd leak message content to the server if you use a server-provided proxy

  38. Zash

    If you do HTTPS over SOCKS5 it leaks hostname to the XMPP server in exchange for not leaking your own IP to the proxy target.

  39. Zash

    So. Dunno, tradeoffs.

  40. larma

    yeah, but sender provided link previews do not leak anything...

  41. Zash

    Also, trust the server, the server is good!! ;)

  42. larma

    https://www.mysk.blog/2020/10/25/link-previews/ (lists which messaging apps do what, in case someone is interested)

  43. Ge0rG

    jonas’: I wanted to do some editing of CS'21, how long are you still available to merge a PR?

  44. jonas’

    Ge0rG, today?

  45. jonas’

    30 minutes probably

  46. Ge0rG

    jonas’: yes, thanks

  47. Ge0rG just realized there were no additional votes on ibr-token yet. Wanted to add it to Future Development.

  48. Holger

    Alex: Works for me as well, thank you.

  49. Alex


  50. Ge0rG

    jonas’: are you opposed to have Extended Channel Search (XEP-0433) as "specification of note" in IM?

  51. jonas’

    Ge0rG, no, sgtm

  52. wurstsalat

    larma: thanks for that comprehensive link!

  53. edhelas

    > The moment the link was sent, several Facebook servers immediately started downloading the file from our server. Since it wasn’t just one server, that large 2.6 GB file was downloaded several times. In total, approximately 24.7 GB of data was downloaded from our server by Facebook servers.

  54. edhelas

    damn, they really have bandwidth and space available

  55. vanitasvitae


  56. vanitasvitae


  57. edhelas

    my next question would be "what is the actual limit before we see some availability issue on status.facebook.com" :p

  58. jonas’

    I have that one file somewhere which is like 4k on my disk but is effectively several hundred GBs of zeroes…

  59. Ge0rG

    jonas’: https://gitlab.com/xsf/xeps/-/merge_requests/35

  60. jonas’

    I do like to use it to stresstest URL resolving bots :)

  61. Ge0rG

    jonas’: luckily traffic is free, eh?

  62. jonas’

    Ge0rG, can you rebase on current master/main first please?

  63. jonas’

    Ge0rG, it’s not, but the bots usually die quickly

  64. edhelas

    for Movim I do have something like that, only for pictures, it's generated by the sender, and only limited to a few Mb

  65. Ge0rG

    jonas’: rebases & repushed

  66. jonas’

    Ge0rG, also fun is the same thing but with <!DOCTYPE html>\n<html><title> in front of it :>

  67. Neustradamus

    Memberbot does not work, impossible to start

  68. mathieui

    seems to work fine here

  69. moparisthebest

    Neustradamus, is it just not responding or?

  70. Zash

    s2s seems to be working fine from what I can tell

  71. Neustradamus

    Now it is good

  72. Neustradamus

    There was 2 connections before, now only one.

  73. Zash

    Oh, not using jabber.org?

  74. Neustradamus

    This problem has been solved, I think with a change in OpenSSL. But it is not the solution to do not migrate completely to Prosody...

  75. Ge0rG

    jonas’: thanks for merging!

  76. Ge0rG

    Looks like I missed adding AV to the categories list in the intro. Also should find a better name for "feature providers"

  77. Ge0rG

    Maybe just "specifications"?