XSF Discussion - 2020-11-13


  264. Daniel Zash, what versions of prosody announce muc#stable_id?
  266. Zash Daniel, looks like >= 0.10.1
  267. Daniel ok cool, thanks. so i should be able to find one in the wild
  269. mdosch !version mdosch.de
  270. mdosch Ha, no HAL.
  271. Zash Should be possible to locate one or two .. :)
  322. ralphm I've been contemplating https://letsencrypt.org/2020/11/06/own-two-feet.html and its impact on the XMPP ecosystem. I haven't yet looked at certificates being used on public servers, but I'd expect a fair number of them using LE. While browsers already (Firefox) or soon (Chrome) ship with their own bundle of root certs, making it viable to keep working on Android < 7.1, this probably doesn't hold for XMPP clients? Thoughts?
  323. Zash I seem to remember that Pidgin ships with its own bundle, so it's certainly possible.
  327. Ge0rG > run a banner asking your Android users on older OSes to install Firefox
  Look, it's as easy as that!
  328. Ge0rG ralphm: that's an important problem. However, I can imagine that most Android xmpp clients will support something like my https://github.com/ge0rg/MemorizingTrustManager if they predate the wide availability of LE
  329. Ge0rG Because before LE, most small servers were running self signed or otherwise 'untrusted' certificates
  333. Zash Out of 578 s2s connections to this server, 526 seem to use LE
  336. Zash to+from, there'll be some dupes
  338. Ge0rG Zash: aren't you blocking invalid certificates?
  339. Zash Looks like 90-95%
  341. Zash Looks like 90-95% Let's Encrypt
  342. Zash Checked prosody.im too
  344. Zash Ge0rG, on my personal server, yes. Awkward for public MUC hosts where you might try to join to get help with your broken TLS settings or code or whatever.
  346. Ge0rG Indeed. I'm also not blocking on yax.im, because who knows all the contacts of my users
  347. mdosch That would be like mod_block_strangers on abuse contact addresses…
  348. Link Mauve I once made the difficult decision to block all unencrypted s2s, which closed about 10% of my total s2s amounts.
  349. Link Mauve That was like two or three years ago.
  350. Link Mauve Blocking insecure certs would be a similarly difficult decision.
  353. ralphm Sure, but in this case, we're not actually talking about insecure certs. Just that clients that use the set of root certs provided by the OS are going to have issues if those don't include the LE root cert. Which, according to this post, is around 33% of Android devices.
  355. ralphm And I'm also not sure that it is a good idea for clients to do have their own, by the way. Deciding what certs are ok and which aren't, is hard. Mozilla has some good documentation on this.
  356. Zash Certpocalypse!
  357. emus Sorry, could someone break down the issue for me? I read the article and I understood that old Android cannot handle their certs anymore after the update, which then will also affect xmpp servers?
  358. Zash Least terrible is probably to pick an existing bundle, e.g. Mozilla's.
  359. Zash Possibly a subset of it, if you're daring.
  360. ralphm Conversations has an option to distrust the OS certs, but I'm not sure if the manual approval stuff also works if you have this disabled (the default).
  361. ralphm Zash: well, only if you also correctly interpret the Trust Bits. I.e. their collection has certs to explicitly *not* trust.
  362. ralphm emus: I'm not too worried about the server part, but rather clients not being able to verify the certs the server is offering.
  363. ralphm emus: i.e. if indeed 90+% of servers use Let's Encrypt, with any manual intervention, those will start serving up certificates signed by the new root (indirectly), without cross signing by a root cert that is in the OS trust store on Android devices < 7.1.
  364. ralphm Starting in January
  371. Ge0rG There are also other related problems, like older androids not supporting TLS 1.2 by default
  374. ralphm TLS 1.2 is supported from Android 5 and up, no?
  375. Ge0rG ralphm: supported from 4.1, enabled by default from 5
  376. ralphm According to the table in the blog post, there are only 5.9% of devices on Android <5, so I'm a bit less worried about that.
  377. Ge0rG ralphm: how many android xmpp clients are there in the wild?
  378. ralphm No idea, TBH
  379. Ge0rG I only use one, and I know it'll gracefully degrade with certificates not signed by a trusted root. I'm sure there will be more significant actual compatibility problems.
  382. ralphm Ge0rG: I hope you are right
  385. Zash Yeah, with Debian stable shipping with TLS < 1.2 disabled people should have noticed that by now.
  387. ralphm TLS < 1.2 should have been obliterated by now.
  389. Ge0rG Which is one of the reasons I still haven't upgraded my server from oldstable. I have many Russian users on old Android phones
  391. mdosch Do you have stats on how many percent use tls < 1.2?
  392. ralphm I hope you understand that leaves them open to an increasing set of vulnerabilities, though.
  393. Arne you should add 1.3 as standard and below as possible Ge0rG
  394. Arne did you
  395. Arne did you?
  396. Zash TLS implementations generally pick the highest mutually supported version
  397. ralphm I'm sure that'll go over nicely in Russia :-D
  399. Arne mh maybe it's in postfix or somewhere I set this Zash
  400. Arne mh maybe it's in postfix or somewhere I've seen this Zash
  401. Arne but no matter, 1.3 should always be added today
  402. Ge0rG Arne: no, because oldstable doesn't do 1.3
  403. Arne but can't you upgrade and still allow below 1.2?
  405. Zash Yes
  406. Ge0rG I suppose it should be possible to configure to support a superset of the oldstable ciphers
  407. Zash Some lines in a config file to poke
  408. mdosch See prosody@
  410. Ge0rG ralphm: I'm not sure how I'm leaving owners of old phones open to vulnerabilities by not locking them out
  413. Arne in prosody it's an easy setting
  414. ralphm Ge0rG: I understand the dilemma.
  415. Arne like this maybe: https://prosody.im/doc/advanced_ssl_config
  416. Zash Noooooooooooooooo
  417. mdosch But if everything keeps compatibility for ancient and insecure stuff some won't ever update.
  418. mdosch Also I hate to throw away working devices due to missing SW support, too. Such a waste of resources…
  420. mdosch Zash: This site is legit now. Otherwise it would still be red blinking text on yellow ground. :D
  421. Arne oh wait it's a wrong site?
  422. Ge0rG mdosch: I'm not the patch police
  423. Zash Don't make me bring back Comic Sans
  424. mdosch I understand. But do you want to keep stretch forever until the last Russian Android is updated?
  425. mdosch forgot about comic sans on that site…
  426. Ge0rG At least not in my leisure time 😁😁😁
  427. mdosch Probably some self defense mechanism erased the memory.
  428. Ge0rG Why can you do big red comic sans on the ssl page but not on the IBR page?
  431. Ge0rG But I think I've got most of the accidental IBR servers down by now. The spam I'm still seeing mostly comes from large public servers
  435. emus > emus: i.e. if indeed 90+% of servers use Let's Encrypt, with any manual intervention, those will start serving up certificates signed by the new root (indirectly), without cross signing by a root cert that is in the OS trust store on Android devices < 7.1.
  Thanks for clarifying. As I see no other way I can help: Anything you want/should announce through the newsletter?
  437. Zash More acute cases of people shooting their entire security away from following random blogs that used that page as source.
  441. Ge0rG emus: users can't do much, server operators should add that "alternate" flag to their acme client. Client developers should bundle the new root
  455. Arne actually I set it up pretty good this way
  456. ralphm Zash: shouldn't that be incentive to make the page better? What is the default minimal version that ships with Prosody now?
  458. Zash ralphm, you mean replace the whole page with "the defaults are fine, no touchy" ? sure, that'd be an improvement
  459. ralphm Is the default TLS 1.2+ ?
  460. Zash ralphm, still TLS 1.0+, but distros may make that stricter. Likely be changed to 1.0+ in the next major version.
  465. mdosch 1.2+ you mean?
  466. Zash Right, yes, 1.2+
  467. Ge0rG There is also a difference between setting up a new server and upgrading an old one. You can get away with strict settings on a new box. People won't be able to register with their old clients.
  468. Ge0rG I can't just lock out my users from one day to the other
  520. emus > emus: users can't do much, server operators should add that "alternate" flag to their acme client. Client developers should bundle the new root
  But then I guess they may read the newsletter^^
  523. emus But wait - to get it right: The problem is actually the user devices, which are more than outdated, right? So the issue is a general one and LE calls on server maintainers to ask their users to upgrade (to another closed source device which will be outdated soon)?
  542. ralphm Going forward this is less of a problem. The LE X1 root expires in 2035.
  543. ralphm Also, how open the platform is doesn't say anything about its continued future updates.
  545. moparisthebest > I can't just lock out my users from one day to the other
  546. moparisthebest I mean if all the cellphone providers in the USA can why not you
  547. ralphm Yup, providers are turning off 2G GSM here in Europe, too.
  548. moparisthebest They just announced they are turning off 3g here, in January
  551. emus But wait, was my statement kinda correct?