XSF Discussion - 2020-11-13


  1. Andrzej has left

  2. emus has left

  3. Andrzej has joined

  4. intosi has left

  5. Andrzej has left

  6. intosi has joined

  7. Calvin has left

  8. Vaulor has left

  9. alameyo has joined

  10. intosi has left

  11. Shell has joined

  12. Wojtek has left

  13. alameyo has left

  14. mukt2 has joined

  15. intosi has joined

  16. lskdjf has left

  17. Calvin has joined

  18. mukt2 has left

  19. intosi has left

  20. alameyo has joined

  21. intosi has joined

  22. govanify has left

  23. govanify has joined

  24. Andrzej has joined

  25. Arne has left

  26. Arne has joined

  27. Andrzej has left

  28. peetah has left

  29. peetah has joined

  30. Calvin has left

  31. Calvin has joined

  32. adiaholic has joined

  33. mimi89999 has left

  34. adiaholic has left

  35. adiaholic has joined

  36. Calvin has left

  37. intosi has left

  38. Andrzej has joined

  39. NosoyHacker404 has left

  40. NosoyHacker404 has joined

  41. wladmis has left

  42. intosi has joined

  43. wladmis has joined

  44. lorddavidiii has joined

  45. Andrzej has left

  46. j.r has left

  47. j.r has joined

  48. DebXWoody has joined

  49. j.r has left

  50. intosi has left

  51. j.r has joined

  52. j.r has left

  53. j.r has joined

  54. j.r has left

  55. j.r has joined

  56. Andrzej has joined

  57. Yagiza has joined

  58. j.r has left

  59. j.r has joined

  60. Mikaela has joined

  61. Andrzej has left

  62. intosi has joined

  63. marc0s has joined

  64. debacle has joined

  65. Vaulor has joined

  66. wladmis has left

  67. wladmis has joined

  68. pasdesushi has joined

  69. Andrzej has joined

  70. paul has joined

  71. wladmis has left

  72. Andrzej has left

  73. Tobias has joined

  74. govanify has left

  75. govanify has joined

  76. Andrzej has joined

  77. nyco has joined

  78. Andrzej has left

  79. Alex has joined

  80. nyco has left

  81. nyco has joined

  82. floretta has left

  83. nyco has left

  84. nyco has joined

  85. Seve has left

  86. Vaulor has left

  87. nyco has left

  88. nyco has joined

  89. mimi89999 has joined

  90. lorddavidiii has left

  91. DebXWoody has left

  92. nyco has left

  93. adiaholic has left

  94. adiaholic has joined

  95. arne has joined

  96. Andrzej has joined

  97. Arne has left

  98. Arne has joined

  99. pasdesushi has left

  100. DebXWoody has joined

  101. adiaholic has left

  102. lorddavidiii has joined

  103. adiaholic has joined

  104. alex-a-soto has left

  105. alex-a-soto has joined

  106. Andrzej has left

  107. arne has left

  108. nyco has joined

  109. SamWhited has left

  110. pasdesushi has joined

  111. Zash has joined

  112. nyco has left

  113. SamWhited has joined

  114. lorddavidiii has left

  115. LNJ has joined

  116. goffi has joined

  117. lorddavidiii has joined

  118. david has left

  119. david has joined

  120. Andrzej has joined

  121. Vaulor has joined

  122. Seve has joined

  123. Andrzej has left

  124. peetah has left

  125. peetah has joined

  126. lorddavidiii has left

  127. nyco has joined

  128. goffi has left

  129. Andrzej has joined

  130. goffi has joined

  131. nyco has left

  132. nyco has joined

  133. lskdjf has joined

  134. nyco has left

  135. nyco has joined

  136. lorddavidiii has joined

  137. nyco has left

  138. lorddavidiii has left

  139. lorddavidiii has joined

  140. nyco has joined

  141. nyco has left

  142. DebXWoody has left

  143. Yagiza has left

  144. Yagiza has joined

  145. DebXWoody has joined

  146. DebXWoody has left

  147. DebXWoody has joined

  148. DebXWoody has left

  149. DebXWoody has joined

  150. winfried has left

  151. winfried has joined

  152. nyco has joined

  153. pasdesushi has left

  154. pasdesushi has joined

  155. lorddavidiii has left

  156. nyco has left

  157. nyco has joined

  158. mukt2 has joined

  159. APach has left

  160. nyco has left

  161. debacle has left

  162. Dele Olajide has joined

  163. lorddavidiii has joined

  164. goffi has left

  165. APach has joined

  166. sonny has left

  167. pasdesushi has left

  168. pasdesushi has joined

  169. nad287 has joined

  170. lorddavidiii has left

  171. nad287 has left

  172. lorddavidiii has joined

  173. Neustradamus has left

  174. Neustradamus has joined

  175. edhelas has left

  176. mukt2 has left

  177. pasdesushi has left

  178. edhelas has joined

  179. pasdesushi has joined

  180. nad287 has joined

  181. Steve Kille has left

  182. mukt2 has joined

  183. debacle has joined

  184. Steve Kille has joined

  185. Arne has left

  186. Arne has joined

  187. alex-a-soto has left

  188. alex-a-soto has joined

  189. pasdesushi has left

  190. pasdesushi has joined

  191. pasdesushi has left

  192. pasdesushi has joined

  193. Dele Olajide has left

  194. Dele Olajide has joined

  195. neshtaxmpp has left

  196. Dele Olajide has left

  197. raghavgururajan has left

  198. adiaholic has left

  199. adiaholic has joined

  200. Dele Olajide has joined

  201. Dele Olajide has left

  202. pasdesushi has left

  203. pasdesushi has joined

  204. nyco has joined

  205. alex-a-soto has left

  206. alex-a-soto has joined

  207. pasdesushi has left

  208. Dele Olajide has joined

  209. Dele Olajide has left

  210. neshtaxmpp has joined

  211. intosi has left

  212. andrey.g has joined

  213. intosi has joined

  214. krauq has left

  215. krauq has joined

  216. goffi has joined

  217. lorddavidiii has left

  218. lorddavidiii has joined

  219. Andrzej has left

  220. APach has left

  221. emus has joined

  222. APach has joined

  223. Calvin has joined

  224. adiaholic has left

  225. adiaholic has joined

  226. APach has left

  227. Andrzej has joined

  228. APach has joined

  229. Lance has left

  230. APach has left

  231. NosoyHacker404 has left

  232. krauq has left

  233. krauq has joined

  234. adiaholic has left

  235. adiaholic has joined

  236. deuill has joined

  237. wurstsalat has left

  238. wurstsalat has joined

  239. floretta has joined

  240. adiaholic has left

  241. adiaholic has joined

  242. APach has joined

  243. NosoyHacker404 has joined

  244. deuill has left

  245. sonny has joined

  246. goffi has left

  247. speedball has joined

  248. lorddavidiii has left

  249. wladmis has joined

  250. speedball has left

  251. adiaholic has left

  252. adiaholic has joined

  253. lorddavidiii has joined

  254. alex-a-soto has left

  255. alex-a-soto has joined

  256. APach has left

  257. Lance has joined

  258. nad287 has left

  259. lorddavidiii has left

  260. adiaholic has left

  261. adiaholic has joined

  262. j.r has left

  263. j.r has joined

  264. Daniel

    Zash, what versions of prosody announce muc#stable_id?

  265. Lance has left

  266. Zash

    Daniel, looks like >= 0.10.1

  267. Daniel

    ok cool thank. so i should be able to find one in the wild

  268. APach has joined

  269. mdosch

    !version mdosch.de

  270. mdosch

    Ha, no HAL.

  271. Zash

    Should be possible to locate one or two .. :)

  272. Dele Olajide has joined

  273. Wojtek has joined

  274. Nekit has left

  275. Nekit has joined

  276. lorddavidiii has joined

  277. Dele Olajide has left

  278. neshtaxmpp has left

  279. alacer@blabber.im has joined

  280. alacer@blabber.im has left

  281. lorddavidiii has left

  282. lorddavidiii has joined

  283. Lance has joined

  284. stpeter has joined

  285. stpeter has left

  286. Steve Kille has left

  287. lovetox has joined

  288. Steve Kille has joined

  289. Shell has left

  290. jcbrand has left

  291. andrey.g has left

  292. Al@cer has joined

  293. Al@cer has left

  294. Al@cer has joined

  295. jcbrand has joined

  296. mukt2 has left

  297. mukt2 has joined

  298. j.r has left

  299. neshtaxmpp has joined

  300. Al@cer has left

  301. Wojtek has left

  302. Wojtek has joined

  303. pasdesushi has joined

  304. LNJ has left

  305. LNJ has joined

  306. adiaholic has left

  307. adiaholic has joined

  308. lorddavidiii has left

  309. mukt2 has left

  310. intosi has left

  311. mukt2 has joined

  312. intosi has joined

  313. intosi has left

  314. adiaholic has left

  315. adiaholic has joined

  316. pasdesushi has left

  317. pasdesushi has joined

  318. pasdesushi has left

  319. pasdesushi has joined

  320. ralphm has left

  321. ralphm has joined

  322. ralphm

    I've been contemplating https://letsencrypt.org/2020/11/06/own-two-feet.html and its impact on the XMPP ecosystem. I haven't yet looked at certificates being used on public servers, but I'd expect a fair number of them using LE. While browsers already (Firefox) or soon (Chrome) ship with their own bundle of root certs, making it viable to keep working on Android < 7.1, this probably doesn't hold for XMPP clients? Thoughts?

  323. Zash

    I seem to remember that Pidgin ships with its own bundle, so it's certainly possible.

  324. murabito has joined

  325. alameyo has left

  326. alameyo has joined

  327. Ge0rG

    > run a banner asking your Android users on older OSes to install Firefox Look, it's as easy as that!

  328. Ge0rG

    ralphm: that's an important problem. However, I can imagine that most Android xmpp clients will support something like my https://github.com/ge0rg/MemorizingTrustManager if they predate the wide availability of LE

  329. Ge0rG

    Because before LE, most small servers were running self signed or otherwise 'untrusted' certificates

  330. intosi has joined

  331. mukt2 has left

  332. pasdesushi has left

  333. Zash

    Out of 578 s2s connections to this server, 526 seem to use LE

  334. pasdesushi has joined

  335. pasdesushi has left

  336. Zash

    to+from, there'll be some dupes

  337. pasdesushi has joined

  338. Ge0rG

    Zash: aren't you blocking invalid certificates?

  339. Zash

    Looks like 90-95%

  340. raghavgururajan has joined

  341. Zash

    Looks like 90-95% Let's Encrypt

  342. Zash

    Checked prosody.im too

  343. murabito has left

  344. Zash

    Ge0rG, on my personal server, yes. Awkward for public MUC hosts where you might try to join to get help with your broken TLS settings or code or whatever.

  345. nad287 has joined

  346. Ge0rG

    Indeed. I'm also not blocking on yax.im, because who knows all the contacts of my users

  347. mdosch

    That would be like mod_block_strangers on abuse contact addresses…

  348. Link Mauve

    I once made the difficult decision to block all unencrypted s2s, which closed about 10% of my total s2s amounts.

  349. Link Mauve

    That was like two or three years ago.

  350. Link Mauve

    Blocking insecure certs would be a similarly difficult decision.

  351. mukt2 has joined

  352. intosi has left

  353. ralphm

    Sure, but in this case, we're not actually talking about insecure certs. Just that clients that use the set of root certs provided by the OS are going to have issues if those don't include the LE root cert. Which, according to this post, is around 33% of Android devices.

  354. DebXWoody has left

  355. ralphm

    And I'm also not sure that it is a good idea for clients to do have their own, by the way. Deciding what certs are ok and which aren't, is hard. Mozilla has some good documentation on this.

  356. Zash

    Certpocalypse!

  357. emus

    Sorry, may one break down the issue to me? I read the article and I understood that old android cannot handle their certs anymore with update, which then will also affect xmpp servers?

  358. Zash

    Least terrible is probably to pick an existing bundle, e.g. Mozillas.

  359. Zash

    Possibly a subset of it, if you're daring.

  360. ralphm

    Conversations has an option to distrust the OS certs, but I'm not sure if the manual approval stuff also works if you have this disabled (the default).

  361. ralphm

    Zash: well, only if you also correctly interpret the Trust Bits. I.e. their collections has certs to explicitly *not* trust.

  362. ralphm

    emus: I'm not too worried about the server part, but rather clients not being able to verify the certs the server is offering.

  363. ralphm

    emus: i.e. if indeed 90+% of servers use Let's Encrypt, with any manual intervention, those will start serving up certificates signed by the new root (indirectly), without cross signing by a root cert that is in the OS trust store on Android devices < 7.1.

  364. ralphm

    Starting in January

  365. papatutuwawa has joined

  366. marc has left

  367. marc has joined

  368. adiaholic has left

  369. adiaholic has joined

  370. intosi has joined

  371. Ge0rG

    There are also other related problems, like older androids not supporting TLS 1.2 by default

  372. pasdesushi has left

  373. pasdesushi has joined

  374. ralphm

    TLS 1.2 is supported from Android 5 and up, no?

  375. Ge0rG

    ralphm: supported from 4.1, enabled by default from 5

  376. ralphm

    According the table in the blog post, there are only 5.9% of devices on Android <5, so I'm a bit less worried about that.

  377. Ge0rG

    ralphm: how many android xmpp clients are there in the wild?

  378. ralphm

    No idea, TBH

  379. Ge0rG

    I only use one, and I know it'll gracefully degrade with certificates not signed by a trusted root. I'm sure there will be more significant actual compatibility problems.

  380. pasdesushi has left

  381. pasdesushi has joined

  382. ralphm

    Ge0rG: I hope you are right

  383. j.r has joined

  384. DebXWoody has joined

  385. Zash

    Yeah, with Debian stable shipping with TLS < 1.2 disabled people should have noticed that by now.

  386. wladmis has left

  387. ralphm

    TLS < 1.2 should have been obliterated by now.

  388. wladmis has joined

  389. Ge0rG

    Which is one of the reasons I still haven't upgraded my server from oldstable. I have many Russian users on old Android phones

  390. intosi has left

  391. mdosch

    Do you have stats how many percent use tls < 1.2?

  392. ralphm

    I hope you understand that leaves them open to an increasing set of vulnerabilities, though.

  393. Arne

    you should add 1.3 as standard and below as possible Ge0rG

  394. Arne

    did you

  395. Arne

    did you?

  396. Zash

    TLS implementations generally pick the highest mutually supported version

  397. ralphm

    I'm sure that'll go over nicely in Russia :-D

  398. Andrzej has left

  399. Arne

    mh maybe it's in postfix or somewhere I set this Zash

  400. Arne

    mh maybe it's in postfix or somewhere I've seen this Zash

  401. Arne

    but no matter, 1.3 should always be added today

  402. Ge0rG

    Arne: no, because oldstable doesn't do 1.3

  403. Arne

    but can't you upgrade and still allow below 1.2?

  404. tigran has joined

  405. Zash

    Yes

  406. Ge0rG

    I suppose it should be possible to configure to support a superset of the oldstable ciphers

  407. Zash

    Some lines in a config file to poke

  408. mdosch

    See prosody@

  409. pasdesushi has left

  410. Ge0rG

    ralphm: I'm not sure how I'm leaving owners of old phones leaving open to vulnerabilities by not locking them out

  411. pasdesushi has joined

  412. mukt2 has left

  413. Arne

    in prosody it's an easy setting

  414. ralphm

    Ge0rG: I understand the dilemma.

  415. Arne

    like this maybe: https://prosody.im/doc/advanced_ssl_config

  416. Zash

    Noooooooooooooooo

  417. mdosch

    But if everything keeps compatibility for ancient and insecure stuff some won't ever update.

  418. mdosch

    Also I hate to throw away working devices due to missing SW support, too. Such a waste of ressources…

  419. tigran has left

  420. mdosch

    Zash: This site is legit now. Otherwise it would still be red blinking text on yellow ground. :D

  421. Arne

    oh wait it's a wrong site?

  422. Ge0rG

    mdosch: I'm not the patch police

  423. Zash

    Don't make me bring back Comic Sans

  424. mdosch

    I understand. But do you want to keep stretch forever until the last russian Android is updated?

  425. mdosch forgot about comic sans on that site…

  426. Ge0rG

    At least not in my leasure time 😁😁😁

  427. mdosch

    Probably some self defense mechanism erased the memory.

  428. Ge0rG

    Why can you do big red comic sans on the ssl page but not on the IBR page?

  429. adiaholic has left

  430. adiaholic has joined

  431. Ge0rG

    But I think I've got most of the accidentally IBR servers down by now. The spam I'm still seeing mostly comes from large public servers

  432. floretta has left

  433. intosi has joined

  434. floretta has joined

  435. emus

    > emus: i.e. if indeed 90+% of servers use Let's Encrypt, with any manual intervention, those will start serving up certificates signed by the new root (indirectly), without cross signing by a root cert that is in the OS trust store on Android devices < 7.1. Thanks for clarifying. As I see no other way I can help: Anything you want/should announce through the newsletter?

  436. inky has left

  437. Zash

    More acute cases of people shooting their entire security away from following random blogs that used that page as source.

  438. mukt2 has joined

  439. pasdesushi has left

  440. pasdesushi has joined

  441. Ge0rG

    emus: users can't do much, server operators should add that "alternate" flag to their acme client. Client developers should bundle the new root

  442. pasdesushi has left

  443. pasdesushi has joined

  444. pasdesushi has left

  445. pasdesushi has joined

  446. pasdesushi has left

  447. pasdesushi has joined

  448. pasdesushi has left

  449. pasdesushi has joined

  450. peetah has left

  451. peetah has joined

  452. pasdesushi has left

  453. pasdesushi has joined

  454. alameyo has left

  455. Arne

    actually I set it up pretty good this way

  456. ralphm

    Zash: shouldn't that be incentive to make the page better? What is the default minimal version that ships with Prosody now?

  457. Andrzej has joined

  458. Zash

    ralphm, you mean replace the whole page with "the defaults are fine, no touchy" ? sure, that'd be an improvement

  459. ralphm

    Is the default TLS 1.2+ ?

  460. Zash

    ralphm, still TLS 1.0+, but distros may make that stricter. Likely be changed to 1.0+ in the next major version.

  461. alameyo has joined

  462. intosi has left

  463. ralphm has left

  464. ralphm has joined

  465. mdosch

    1.2+ you mean?

  466. Zash

    Right, yes, 1.2+

  467. Ge0rG

    There is also a difference between setting up a new server and upgrading an old one. You can get away with strict settings on a new box. People won't be able to register with their old clients.

  468. Ge0rG

    I can't just lock out my users from one day to the other

  469. mukt2 has left

  470. mukt2 has joined

  471. ralphm has left

  472. ralphm has joined

  473. intosi has joined

  474. Andrzej has left

  475. mukt2 has left

  476. mukt2 has joined

  477. intosi has left

  478. Andrzej has joined

  479. floretta has left

  480. DebXWoody has left

  481. Shell has joined

  482. floretta has joined

  483. jcbrand has left

  484. DebXWoody has joined

  485. DebXWoody has left

  486. DebXWoody has joined

  487. mukt2 has left

  488. mukt2 has joined

  489. emus has left

  490. Andrzej has left

  491. werdan has joined

  492. intosi has joined

  493. strypey has joined

  494. strypey has left

  495. inky has joined

  496. papatutuwawa has left

  497. lovetox has left

  498. intosi has left

  499. strypey has joined

  500. strypey has left

  501. mukt2 has left

  502. Yagiza has left

  503. strypey has joined

  504. strypey has left

  505. Andrzej has joined

  506. lovetox has joined

  507. j.r has left

  508. werdan has left

  509. intosi has joined

  510. werdan has joined

  511. emus has joined

  512. j.r has joined

  513. Andrzej has left

  514. intosi has left

  515. Andrzej has joined

  516. Alex has left

  517. Andrzej has left

  518. Andrzej has joined

  519. Mikaela has left

  520. emus

    > emus: users can't do much, server operators should add that "alternate" flag to their acme client. Client developers should bundle the new root But then I guess they may read the newsletter^^

  521. lovetox has left

  522. Andrzej has left

  523. emus

    But wait - to get it correctly: The problem are actually the user devices, which are more than outdated, right? So the issue is a general one and LE calls server maintainers to ask their users to upgrade (to another closed source device which will be outdated soon)?

  524. intosi has joined

  525. floretta has left

  526. lorddavidiii has joined

  527. nad287 has left

  528. intosi has left

  529. Andrzej has joined

  530. floretta has joined

  531. andrey.g has joined

  532. pasdesushi has left

  533. pasdesushi has joined

  534. intosi has joined

  535. j.r has left

  536. pasdesushi has left

  537. pasdesushi has joined

  538. Andrzej has left

  539. Andrzej has joined

  540. pasdesushi has left

  541. pasdesushi has joined

  542. ralphm

    Going forward this is less of a problem. The LE X1 root expires in 2035.

  543. ralphm

    Also, how open the platform is doesn't say anything about its continued future updates.

  544. werdan has left

  545. moparisthebest

    > I can't just lock out my users from one day to the other

  546. moparisthebest

    I mean if all the cellphone providers in the USA can why not you

  547. ralphm

    Yup, providers are turning off 2G GSM here in Europe, too.

  548. moparisthebest

    They just announced they are turning off 3g here, in January

  549. intosi has left

  550. j.r has joined

  551. emus

    But wait, but was my statement kinda correct?

  552. Tobias has left

  553. lorddavidiii has left

  554. Andrzej has left

  555. Wojtek has left

  556. Andrzej has joined

  557. intosi has joined

  558. arc has left

  559. arc has joined

  560. alex-a-soto has left

  561. alex-a-soto has joined

  562. intosi has left

  563. Andrzej has left