MattJ: @SCAM: FOSDEM call for stands is open, though hopefully nobody is actually relying on me to know that :)
flow: hmm, online stands?
MattJ: Yes, online stands
MattJ: I think it would be good to issue (as early as possible) a call for content from projects
MattJ: People may need time to prepare
Zash: How does an online stand even work?
SamWhited: Video chat with slides and the website shared?
antranigv: Is there any "reset password" standard?
antranigv: I was thinking of this: the user asks for "reset password", the server looks for emails in the vCard, and we send the "link", say via HTTP, OR a new password, to their specified email.
MattJ: I'm not aware of a standard for that, no. Also using the vCard is unwise because it's typically not verified (so a typo could grant someone else access to the account, etc.)
mathieui: would be nice to have a standard way of reaching the user as a service or admin though
MattJ: Also I may not want to publish an email but still have one registered, or I may want to use a different email for my account but publish a different public email address
mathieui: We often have to correlate the little data we have when we get a "lost password" request
MattJ: For Prosody I'm planning to work on verified email (and possibly phone number) support, which would help a lot with that
jonas’: :-O
SamWhited: It's not widely supported, but XEP-0389 handles password reset
MattJ: Ah yes
MattJ: So the future is hopeful :)
Ge0rG: SamWhited: by asking for an email during EIBR?
antranigv: MattJ, that would be nice, I run a mix of prosody and ejabberd, but the main jabber.am server is still prosody, and would love to see that.
SamWhited: Sure, that would be one way
SamWhited: You could also do it after registration. Eventually maybe define a URI to open the client and continue the reset process
Daniel: In some scenarios it might make sense to tie the account registration to SMS verification anyway.
SamWhited: (eIBR can also do that; really this is the use case I had in mind when I designed it :) )
Ge0rG: how do you get the URI after you lost your password?
Ge0rG: Daniel: how is quicksy going btw?
Daniel: Terribly
SamWhited: Ge0rG: eIBR works before login, so somewhere in your client you'd pick "I forgot my password" or something and it would just select the eIBR feature instead of the normal auth feature
Ge0rG: SamWhited: ah well, doing oob authentication during password reset is probably not the challenging part ;)
Ge0rG: I was looking into how to make the users define the oob channel in advance in a sensible way
SamWhited: Ge0rG: I guess I'm not sure what you mean? What is "define the oob channel?"
Ge0rG: SamWhited: a user needs to give an email address / phone number / avian carrier coordinates at some time, and the server needs to verify that
Ge0rG: it shouldn't be mandatory though
SamWhited: Ge0rG: if you're using eIBR you could use the dataform challenge and just ask for that stuff, or you could define your own more specific challenge if dataforms aren't desired
Daniel: Ge0rG: I think you need to transport the actual carrier, not the coordinates
Daniel: Like mail it in or something
Zash: Ad-hoc command?
Ge0rG: SamWhited: well, passing an email during IBR has been a thing for seventeen years now
Ge0rG: I'm not sure if any server implementation will actually verify that email address
MattJ: Prosody doesn't, currently
SamWhited: Sure, how the server actually implements things is up to them
Ge0rG: Daniel: good point. I'm not sure if that's in scope for eIBR though
Ge0rG: integrated IM solutions can do nifty things like https://developers.google.com/identity/sms-retriever/overview
dwd: We did a password reset system for a failed product at Surevine. Built around two SASL mechanisms, one for the "I forgot my password" bit, and a one-time reset code one to handle the "Click here to reset your password" link.
Maranda: Ge0rG: Metronome does, and also verifies that the address is not a disposable one....
jonas’: Maranda, how do you verify that it’s not disposable? :)
Maranda: I pass the domain name to an external REST API which does that
Maranda: If it's caught as DEA it will invalidate the registration
Ge0rG: > an external REST API
That's how the internet works, right?
Maranda: Ge0rG: if you want you can implement your own thing, and collect the data required... Tbh I found it more convenient to let someone else do the latter, and since.. Yes most ppl use a REST API.
Maranda: 😺
Ge0rG: Maranda: not criticizing you, I understand the trade-offs
mathieui: Oh no, those APIs are the bane of my existence since I use spamgourmet
Maranda: ... Had to look up the DB I use in the code because it's been years since I touched it. Anyway it's https://www.nameapi.org/
moparisthebest: If you are going to do it that's probably a fine way, but... Why prohibit disposable emails at all
mathieui: moparisthebest, because that’s what spammers use
Maranda: moparisthebest: they're used by spammers to circumvent verification
moparisthebest: Spammers set up their own domains no problem
SamWhited: Spammers generally don't like to set up their own domains because other providers use domain reputation and if you set up a new domain you don't have a positive reputation to help you land in people's inboxes even though the contents of your message looked kind of spammy.
MattJ: You're right, it should be a simple whitelist of gmail.com, outlook.com, yahoo.com
Maranda: moparisthebest: once they become detected and listed, nameapi will block those as well
Maranda: They do several checks
Maranda: Not just DEA
Maranda: It served me well enough over the years
Zash: MattJ, make sure to whitelist their MXes so everyone with custom domains isn't blocked!
moparisthebest: this is probably bad, I know SamWhited does Go XMPP stuff, anyone else? https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
jonas’: moparisthebest: oh my
moparisthebest: I'm not absolutely positive whether this is a deal breaker for XMPP or not, looks like attribute/element ordering isn't preserved
moparisthebest: it is "unfixable" at the moment so they just dropped it
Kev: I'm not sure it's a security vulnerability, but it's definitely not irrelevant, e.g. data forms.
Kev: Also Atom over pubsub, I guess.
moparisthebest: this is old but I just saw it today too, a case of bad XML comment parsing causing a major security bug in iOS https://siguza.github.io/psychicpaper/ / https://twitter.com/s1guza/status/1255641164885131268