XSF Discussion - 2020-11-10

> Memberbot is online now for our 2020 elections. Great applicants again this year Is there any documentation how to use the memberbot? I failed to find it. 😔

Say "hello" or something to it

xmpp:memberbot@xmpp.org is not replying to 'help' or 'hello'.

Then poke Alex and make sure he has your up-to-date JID

and that your s2s is working :)

jonas’, regarding opengraph and phishing: https://www.der-postillon.com/2020/05/reichelt-twitter.html (sorry, German article)

also satire

I don’t like the postillons style, so I’ll just not click that, sorry

mdosch, please send me your prefereed Jid for voting and I will verify, or should I just take it from your membership application?

Alex: martin@mdosch.de

Thanks :)

I definitely agree that sender/server-provided link previews are the way to go

I think there is a huge difference between sender and server

Why not a bot?

same thing as server

Why not random anonymous users?!

I mean to cover any form of "the preview data is embedded in the message"

Although intuitively it seems wrong (trusting information provided by another party), generating the preview on the recipient side only adds problems and doesn't solve any of the possible "attacks"

Alex: While you're at it 🙂 holger@jabber.fu-berlin.de

If the link is malicious it can easily serve different content to different requests, e.g. if it sees an XMPP client's user-agent instead of a browser

Meanwhile it leaks activity, your network address, and other information to the web server behind the link, without user action

adeed both Jids, can you try again?

>10.11.20 16:35:14 - Subscription received from memberbot@xmpp.org Alex: Thanks!

jonas’: the article is about how they maliciously changed link preview by updating opengraph data after someone shared one of their articles on twitter.

MattJ, it does solve the case where an attacker just wants to prank you

take $urlToOffensivePictureInFullscreen, attach wrong preview, done.

that attack does not need control over the webserver ("serve different content to different users")

Agree, but they could just provide the link without a preview too and you'd probably open it anyway if you trust them :)

Solution in search of a problem: What if, the XMPP server offers a caching HTTP proxy to its users?

and the same thing can be done in the recipient-generates-preview world

MattJ, they can’t if previews are generated locally.

Credentials via XEP-0215 or somesuch

so it doesn't fix anything

how does a recipient-generated preview not fix that case?

Because they can provide a URL that does what I described above

How about *everyone* generates their own preview, then we compare?

Zash, consider e2ee, you'd leak message content to the server if you use a server-provided proxy

If you do HTTPS over SOCKS5 it leaks hostname to the XMPP server in exchange for not leaking your own IP to the proxy target.

So. Dunno, tradeoffs.

yeah, but sender provided link previews do not leak anything...

Also, trust the server, the server is good!! ;)

https://www.mysk.blog/2020/10/25/link-previews/ (lists which messaging apps do what, in case someone is interested)

jonas’: I wanted to do some editing of CS'21, how long are you still available to merge a PR?

Ge0rG, today?

30 minutes probably

jonas’: yes, thanks

Alex: Works for me as well, thank you.

👍

jonas’: are you opposed to have Extended Channel Search (XEP-0433) as "specification of note" in IM?

Ge0rG, no, sgtm

larma: thanks for that comprehensive link!

> The moment the link was sent, several Facebook servers immediately started downloading the file from our server. Since it wasn’t just one server, that large 2.6 GB file was downloaded several times. In total, approximately 24.7 GB of data was downloaded from our server by Facebook servers.

damn, they really have bandwidth and space available

😀

🍿️

my next question would be "what is the actual limit before we see some availability issue on status.facebook.com" :p

I have that one file somewhere which is like 4k on my disk but is effectively several hundred GBs of zeroes…

jonas’: https://gitlab.com/xsf/xeps/-/merge_requests/35

I do like to use it to stresstest URL resolving bots :)

jonas’: luckily traffic is free, eh?

Ge0rG, can you rebase on current master/main first please?

Ge0rG, it’s not, but the bots usually die quickly

for Movim I do have something like that, only for pictures, it's generated by the sender, and only limited to a few Mb

jonas’: rebases & repushed

Ge0rG, also fun is the same thing but with <!DOCTYPE html>\n<html><title> in front of it :>

Memberbot does not work, impossible to start

seems to work fine here

Neustradamus, is it just not responding or?

s2s seems to be working fine from what I can tell

Now it is good

There was 2 connections before, now only one.

Oh, not using jabber.org?

This problem has been solved, I think with a change in OpenSSL. But it is not the solution to do not migrate completely to Prosody...

jonas’: thanks for merging!

Looks like I missed adding AV to the categories list in the intro. Also should find a better name for "feature providers"

Maybe just "specifications"?