mdosch: > Memberbot is online now for our 2020 elections. Great applicants again this year
Is there any documentation how to use the memberbot? I failed to find it. 😔
Zash: Say "hello" or something to it
mdosch: xmpp:firstname.lastname@example.org is not replying to 'help' or 'hello'.
MattJ: Then poke Alex and make sure he has your up-to-date JID
MattJ: and that your s2s is working :)
larma: jonas’, regarding OpenGraph and phishing: https://www.der-postillon.com/2020/05/reichelt-twitter.html (sorry, German article)
jonas’: I don’t like the Postillon's style, so I’ll just not click that, sorry
Alex: mdosch, please send me your preferred JID for voting and I will verify, or should I just take it from your membership application?
MattJ: I definitely agree that sender/server-provided link previews are the way to go
jonas’: I think there is a huge difference between sender and server
Zash: Why not a bot?
jonas’: same thing as server
Zash: Why not random anonymous users?!
MattJ: I mean to cover any form of "the preview data is embedded in the message"
MattJ: Although intuitively it seems wrong (trusting information provided by another party), generating the preview on the recipient side only adds problems and doesn't solve any of the possible "attacks"
Holger: Alex: While you're at it 🙂
MattJ: If the link is malicious it can easily serve different content to different requests, e.g. if it sees an XMPP client's user-agent instead of a browser
MattJ: Meanwhile it leaks activity, your network address, and other information to the web server behind the link, without user action
Alex: added both JIDs, can you try again?
mdosch: > 10.11.20 16:35:14 - Subscription received from email@example.com
larma: jonas’: the article is about how they maliciously changed the link preview by updating OpenGraph data after someone shared one of their articles on Twitter.
jonas’: MattJ, it does solve the case where an attacker just wants to prank you
jonas’: that attack does not need control over the webserver ("serve different content to different users")
MattJ: Agree, but they could just provide the link without a preview too and you'd probably open it anyway if you trust them :)
Zash: Solution in search of a problem: what if the XMPP server offers a caching HTTP proxy to its users?
Steve Kille has left
MattJ: and the same thing can be done in the recipient-generates-preview world
jonas’: MattJ, they can’t if previews are generated locally.
Zash: Credentials via XEP-0215 or some such
MattJ: so it doesn't fix anything
jonas’: how does a recipient-generated preview not fix that case?
MattJ: Because they can provide a URL that does what I described above
Zash: How about *everyone* generates their own preview, then we compare?
Steve Kille has joined
larma: Zash, consider E2EE: you'd leak message content to the server if you use a server-provided proxy
Zash: If you do HTTPS over SOCKS5 it leaks the hostname to the XMPP server in exchange for not leaking your own IP to the proxy target.
Zash: So. Dunno, tradeoffs.
larma: yeah, but sender-provided link previews do not leak anything...
Zash: Also, trust the server, the server is good!! ;)
larma: https://www.mysk.blog/2020/10/25/link-previews/ (lists which messaging apps do what, in case someone is interested)
Ge0rG: jonas’: I wanted to do some editing of CS'21; how long are you still available to merge a PR?
jonas’: 30 minutes probably
Ge0rG: jonas’: yes, thanks
Ge0rG: just realized there were no additional votes on ibr-token yet. Wanted to add it to Future Development.
Steve Kille has left
Holger: Alex: Works for me as well, thank you.
Steve Kille has joined
Ge0rG: jonas’: are you opposed to having Extended Channel Search (XEP-0433) as a "specification of note" in IM?
jonas’: Ge0rG, no, sgtm
wurstsalat: larma: thanks for that comprehensive link!
edhelas: > The moment the link was sent, several Facebook servers immediately started downloading the file from our server. Since it wasn’t just one server, that large 2.6 GB file was downloaded several times. In total, approximately 24.7 GB of data was downloaded from our server by Facebook servers.
edhelas: damn, they really have bandwidth and space available
edhelas: my next question would be "what is the actual limit before we see some availability issue on status.facebook.com" :p
jonas’: I have that one file somewhere which is like 4k on my disk but is effectively several hundred GBs of zeroes…