@SCAM: FOSDEM call for stands is open, though hopefully nobody is actually relying on me to know that :)
flow
hmm, online stands?
MattJ
Yes, online stands
MattJ
I think it would be good to issue (as early as possible) a call for content from projects
MattJ
People may need time to prepare
Zash
How does an online stand even work?
SamWhited
Video chat with slides and the website shared?
antranigv
Is there any "reset password" standard?
antranigv
I was thinking of this: the user asks for "reset password", the server looks for emails in the vCard, and we send the "link", say via HTTP, OR a new password, to their specified email.
MattJ
I'm not aware of a standard for that, no. Also using the vCard is unwise because it's typically not verified (so a typo could grant someone else access to the account, etc.)
mathieui
would be nice to have a standard way of reaching the user as a service or admin though
MattJ
Also I may not want to publish an email but still have one registered, or I may want to use a different email for my account but publish a different public email address
mathieui
We often have to correlate the little data we have when we get a "lost password" request
MattJ
For Prosody I'm planning to work on verified email (and possibly phone number) support, which would help a lot with that
jonas’
:-O
SamWhited
It's not widely supported, but XEP-0389 handles password reset
MattJ
Ah yes
MattJ
So the future is hopeful :)
Ge0rG
SamWhited: by asking for an email during EIBR?
antranigv
MattJ, that would be nice. I run a mix of prosody and ejabberd, but the main jabber.am server is still prosody, and I would love to see that.
SamWhited
Sure, that would be one way
SamWhited
You could also do it after registration. Eventually maybe define a URI to open the client and continue the reset process
Daniel
In some scenarios it might make sense to tie the account registration to SMS verification anyway.
SamWhited
(eIBR can also do that; really this is the use case I had in mind when I designed it :) )
Ge0rG
how do you get the URI after you lost your password?
Ge0rG
Daniel: how is quicksy going btw?
Daniel
Terribly
SamWhited
Ge0rG: eIBR works before login, so somewhere in your client you'd pick "I forgot my password" or something and it would just select the eIBR feature instead of the normal auth feature
Ge0rG
SamWhited: ah well, doing oob authentication during password reset is probably not the challenging part ;)
Ge0rG
I was looking into how to make the users define the oob channel in advance in a sensible way
SamWhited
Ge0rG: I guess I'm not sure what you mean? What is "define the oob channel?"
Ge0rG
SamWhited: a user needs to give an email address / phone number / avian carrier coordinates at some time, and the server needs to verify that
Ge0rG
it shouldn't be mandatory though
SamWhited
Ge0rG: if you're using eIBR you could use the dataform challenge and just ask for that stuff, or you could define your own more specific challenge if dataforms aren't desired
Daniel
Ge0rG: I think you need to transport the actual carrier, not the coordinates
Daniel
Like Mail it in or something
Zash
Ad-hoc command?
Ge0rG
SamWhited: well, passing an email during IBR has been a thing for seventeen years now
Ge0rG
I'm not sure if any server implementation will actually verify that email address
MattJ
Prosody doesn't, currently
SamWhited
Sure, how the server actually implements things is up to them
Ge0rG
Daniel: good point. I'm not sure if that's in scope for eIBR though
Ge0rG
integrated IM solutions can do nifty things like https://developers.google.com/identity/sms-retriever/overview
dwd
We did a password reset system for a failed product at Surevine. Built around two SASL mechanisms, one for the "I forgot my password" bit, and a one-time reset code one to handle the "Click here to reset your password" link.
Maranda
Ge0rG: Metronome does, and also verifies that the address is not a disposable one....
jonas’
Maranda, how do you verify that it’s not disposable? :)
Maranda
I pass the domain name to an external REST API which does that
Maranda
If it's caught as a DEA it will invalidate the registration
Ge0rG
> an external REST API
That's how the internet works, right?
Maranda
Ge0rG: if you want you can implement your own thing, and collect the data required... Tbh I found it more convenient to let someone else do the latter, and since.. Yes most ppl use a REST API.
Maranda
😺
Ge0rG
Maranda: not criticizing you, I understand the trade-offs
mathieui
Oh no, those APIs are the bane of my existence since I use spamgourmet
Maranda
... Had to look up the DB I use in the code because it's been years since I touched it. Anyways it's https://www.nameapi.org/
moparisthebest
If you are going to do it that's probably a fine way, but... Why prohibit disposable emails at all
mathieui
moparisthebest, because that’s what spammers use
Maranda
moparisthebest: they're used by spammers to circumvent verification
moparisthebest
Spammers set up their own domains no problem
SamWhited
Spammers generally don't like to set up their own domains because other providers use domain reputation, and if you set up a new domain you don't have a positive reputation to help you land in people's inboxes even though the contents of your message looked kind of spammy.
MattJ
You're right, it should be a simple whitelist of gmail.com, outlook.com, yahoo.com
Maranda
moparisthebest: once they become detected and listed, nameapi will block those as well
Maranda
They do several checks
Maranda
Not just DEA
Maranda
It served me well enough over the years
Zash
MattJ, make sure to whitelist their MXes so everyone with custom domains isn't blocked!
moparisthebest
this is probably bad, I know SamWhited does Go XMPP stuff, anyone else? https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
jonas’
moparisthebest: oh my
moparisthebest
I'm not absolutely positive whether this is a deal breaker for XMPP or not, looks like attribute/element ordering isn't preserved
moparisthebest
it is "unfixable" at the moment so they just dropped it
Kev
I'm not sure it's a security vulnerability, but it's definitely not irrelevant, e.g. data forms.
Kev
Also Atom over pubsub, I guess.
moparisthebest
this is old but I just saw it today too, a case of bad XML comment parsing causing a major security bug in iOS https://siguza.github.io/psychicpaper/ / https://twitter.com/s1guza/status/1255641164885131268