> Memberbot is online now for our 2020 elections. Great applicants again this year
Is there any documentation on how to use the memberbot? I failed to find it. 😔
Zash
Say "hello" or something to it
lskdjf has left
mdosch
xmpp:memberbot@xmpp.org is not replying to 'help' or 'hello'.
neshtaxmpp has left
MattJ
Then poke Alex and make sure he has your up-to-date JID
Arne has joined
MattJ
and that your s2s is working :)
larma
jonas’, regarding opengraph and phishing: https://www.der-postillon.com/2020/05/reichelt-twitter.html (sorry, German article)
jonas’
also satire
jonas’
I don’t like the Postillon's style, so I’ll just not click that, sorry
Alex
mdosch, please send me your preferred JID for voting and I will verify, or should I just take it from your membership application?
Wojtek has joined
mdosch
Alex: martin@mdosch.de
mdosch
Thanks :)
MattJ
I definitely agree that sender/server-provided link previews are the way to go
jonas’
I think there is a huge difference between sender and server
Zash
Why not a bot?
jonas’
same thing as server
Zash
Why not random anonymous users?!
MattJ
I mean to cover any form of "the preview data is embedded in the message"
MattJ
Although intuitively it seems wrong (trusting information provided by another party), generating the preview on the recipient side only adds problems and doesn't solve any of the possible "attacks"
Holger
Alex: While you're at it 🙂
holger@jabber.fu-berlin.de
MattJ
If the link is malicious it can easily serve different content to different requests, e.g. if it sees an XMPP client's user-agent instead of a browser
MattJ
Meanwhile it leaks activity, your network address, and other information to the web server behind the link, without user action
Alex
added both JIDs, can you try again?
mdosch
>10.11.20 16:35:14 - Subscription received from memberbot@xmpp.org
Alex: Thanks!
larma
jonas’: the article is about how they maliciously changed link preview by updating opengraph data after someone shared one of their articles on twitter.
jonas’
MattJ, it does solve the case where an attacker just wants to prank you
jonas’
take $urlToOffensivePictureInFullscreen, attach wrong preview, done.
jonas’
that attack does not need control over the webserver ("serve different content to different users")
MattJ
Agree, but they could just provide the link without a preview too and you'd probably open it anyway if you trust them :)
Zash
Solution in search of a problem: What if, the XMPP server offers a caching HTTP proxy to its users?
Steve Kille has left
MattJ
and the same thing can be done in the recipient-generates-preview world
jonas’
MattJ, they can’t if previews are generated locally.
Zash
Credentials via XEP-0215 or somesuch
MattJ
so it doesn't fix anything
jonas’
how does a recipient-generated preview not fix that case?
MattJ
Because they can provide a URL that does what I described above
Zash
How about *everyone* generates their own preview, then we compare?
Steve Kille has joined
lorddavidiii has left
larma
Zash, consider e2ee, you'd leak message content to the server if you use a server-provided proxy
lskdjf has joined
tigran has joined
Zash
If you do HTTPS over SOCKS5 it leaks hostname to the XMPP server in exchange for not leaking your own IP to the proxy target.
Zash
So. Dunno, tradeoffs.
larma
yeah, but sender provided link previews do not leak anything...
Zash
Also, trust the server, the server is good!! ;)
larma
https://www.mysk.blog/2020/10/25/link-previews/ (lists which messaging apps do what, in case someone is interested)
marc has left
marc has joined
lskdjf has left
lskdjf has joined
Ge0rG
jonas’: I wanted to do some editing of CS'21, how long are you still available to merge a PR?
jonas’
Ge0rG, today?
jonas’
30 minutes probably
Ge0rG
jonas’: yes, thanks
Ge0rG just realized there were no additional votes on ibr-token yet. Wanted to add it to Future Development.
Steve Kille has left
Holger
Alex: Works for me as well, thank you.
Alex
👍
Steve Kille has joined
andrey.g has joined
Ge0rG
jonas’: are you opposed to having Extended Channel Search (XEP-0433) as "specification of note" in IM?
tigran has left
jonas’
Ge0rG, no, sgtm
stpeter has joined
stpeter has left
sonny has left
sonny has joined
wurstsalat
larma: thanks for that comprehensive link!
sonny has left
sonny has joined
lorddavidiii has joined
edhelas
> The moment the link was sent, several Facebook servers immediately started downloading the file from our server. Since it wasn’t just one server, that large 2.6 GB file was downloaded several times. In total, approximately 24.7 GB of data was downloaded from our server by Facebook servers.
edhelas
damn, they really have bandwidth and space available
vanitasvitae
😀
vanitasvitae
🍿️
edhelas
my next question would be "what is the actual limit before we see some availability issue on status.facebook.com" :p
jonas’
I have that one file somewhere which is like 4k on my disk but is effectively several hundred GBs of zeroes…