XSF Discussion - 2020-12-14

  1. mukt2 has left
  2. emus has left
  3. arc has left
  4. mukt2 has joined
  5. darkijah has joined
  6. Arne has left
  7. Arne has joined
  8. Aleksej has left
  9. darkijah hello
  10. darkijah anyone there?
  11. arc has joined
  12. adiaholic has left
  13. Andrzej has joined
  14. lskdjf has left
  15. darkijah has left
  16. matkor has left
  17. Andrzej has left
  18. dwd has left
  19. adiaholic has joined
  20. krauq has left
  21. LNJ has left
  22. raghavgururajan has left
  23. krauq has joined
  24. raghavgururajan has joined
  25. govanify has left
  26. govanify has joined
  27. Shell has left
  28. intosi has joined
  29. darkijah has joined
  30. darkijah has left
  31. Shell has joined
  32. darkijah has joined
  33. darkijah has left
  34. darkijah has joined
  35. darkijah has left
  36. intosi has left
  37. andrey.g has left
  38. krauq has left
  39. krauq has joined
  40. Yagiza has joined
  41. Andrzej has joined
  42. govanify has left
  43. govanify has joined
  44. govanify has left
  45. govanify has joined
  46. Andrzej has left
  47. mukt2 has left
  48. raghavgururajan has left
  49. raghavgururajan has joined
  50. arc has left
  51. arc has joined
  52. arc has left
  53. arc has joined
  54. chronosx88 has joined
  55. Andrzej has joined
  56. govanify has left
  57. govanify has joined
  58. arc has left
  59. arc has joined
  60. arc has left
  61. arc has joined
  62. arc has left
  63. arc has joined
  64. krauq has left
  65. arc has left
  66. arc has joined
  67. krauq has joined
  68. neshtaxmpp has joined
  69. govanify has left
  70. govanify has joined
  71. APach has left
  72. APach has joined
  73. mukt2 has joined
  74. DebXWoody has joined
  75. wladmis has left
  76. govanify has left
  77. govanify has joined
  78. APach has left
  79. Mikaela has joined
  80. mukt2 has left
  81. APach has joined
  82. arc has left
  83. arc has joined
  84. krauq has left
  85. krauq has joined
  86. govanify has left
  87. govanify has joined
  88. lorddavidiii has joined
  89. arc has left
  90. arc has joined
  91. arc has left
  92. arc has joined
  93. Tobias has joined
  94. andy has joined
  95. arc has left
  96. arc has joined
  97. matkor has joined
  98. mukt2 has joined
  99. chronosx88 has left
  100. chronosx88 has joined
  101. mukt2 has left
  102. paul has joined
  103. arc has left
  104. arc has joined
  105. wurstsalat has joined
  106. pitchum has joined
  107. dwd has joined
  108. mukt2 has joined
  109. pitchum has left
  110. emus has joined
  111. krauq has left
  112. mdosch has left
  113. mdosch has joined
  114. krauq has joined
  115. Adi has joined
  116. lorddavidiii has left
  117. raghavgururajan has left
  118. floretta has left
  119. j.r has left
  120. j.r has joined
  121. Guus has left
  122. lorddavidiii has joined
  123. j.r has left
  124. j.r has joined
  125. moparisthebest has left
  126. eevvoor has joined
  127. Guus has joined
  128. j.r has left
  129. debacle has joined
  130. moparisthebest has joined
  131. lskdjf has joined
  132. j.r has joined
  133. Kev has joined
  134. Guus has left
  135. krauq has left
  136. MattJ @SCAM: FOSDEM call for stands is open, though hopefully nobody is actually relying on me to know that :)
  137. krauq has joined
  138. Shell has left
  139. eevvoor has left
  140. Guus has joined
  141. andrey.g has joined
  142. krauq has left
  143. krauq has joined
  144. lorddavidiii has left
  145. flow hmm, online stands?
  146. moparisthebest has left
  147. pasdesushi has joined
  148. andrey.g has left
  149. pasdesushi has left
  150. APach has left
  151. APach has joined
  152. lorddavidiii has joined
  153. intosi has joined
  154. emus has left
  155. neshtaxmpp has left
  156. MattJ Yes, online stands
  157. lorddavidiii has left
  158. MattJ I think it would be good to issue (as early as possible) a call for content from projects
  159. MattJ People may need time to prepare
  160. lorddavidiii has joined
  161. moparisthebest has joined
  162. Aleksej has joined
  163. Andrzej has left
  164. krauq has left
  165. krauq has joined
  166. Adi has left
  167. Adi has joined
  168. mukt2 has left
  169. krauq has left
  170. krauq has joined
  171. DebXWoody has left
  172. DebXWoody has joined
  173. pasdesushi has joined
  174. emus has joined
  175. mukt2 has joined
  176. andrey.g has joined
  177. intosi has left
  178. Andrzej has joined
  179. pasdesushi has left
  180. inky has left
  181. mukt2 has left
  182. emus has left
  183. emus has joined
  184. intosi has joined
  185. mukt2 has joined
  186. Andrzej has left
  187. Kev has left
  188. intosi has left
  189. Kev has joined
  190. Andrzej has joined
  191. lorddavidiii has left
  192. intosi has joined
  193. LNJ has joined
  194. neshtaxmpp has joined
  195. andrey.g has left
  196. focus121 has left
  197. focus121 has joined
  198. Andrzej has left
  199. lorddavidiii has joined
  200. antranigv has joined
  201. mimi89999 has left
  202. mimi89999 has joined
  203. intosi has left
  204. larma has left
  205. larma has joined
  206. Zash How does an online stand even work?
  207. eevvoor has joined
  208. SamWhited Video chat with slides and the website shared?
  209. lorddavidiii has left
  210. Alex has left
  211. alameyo has left
  212. raghavgururajan has joined
  213. Steve Kille has left
  214. raghavgururajan has left
  215. mukt2 has left
  216. mukt2 has joined
  217. raghavgururajan has joined
  218. intosi has joined
  219. Steve Kille has joined
  220. moparisthebest has left
  221. intosi has left
  222. raghavgururajan has left
  223. raghavgururajan has joined
  224. lorddavidiii has joined
  225. moparisthebest has joined
  226. mukt2 has left
  227. Andrzej has joined
  228. intosi has joined
  229. moparisthebest has left
  230. Alex has joined
  231. debacle has left
  232. papatutuwawa has joined
  233. inky has joined
  234. moparisthebest has joined
  235. Shell has joined
  236. Kev has left
  237. Kev has joined
  238. antranigv Is there any "reset password" standard?
  239. pasdesushi has joined
  240. antranigv I was thinking of this: the user asks for "reset password", the server looks for emails in the VCard, and we send the "link", say via HTTP, OR a new password, to their specified email.
  241. MattJ I'm not aware of a standard for that, no. Also using the vCard is unwise because it's typically not verified (so a typo could grant someone else access to the account, etc.)
  242. mathieui would be nice to have a standard way of reaching the user as a service or admin though
  243. MattJ Also I may not want to publish an email but still have one registered, or I may want to use a different email for my account but publish a different public email address
  244. mathieui We often have to correlate the little data we have when we get a "lost password" request
  245. intosi has left
  246. MattJ For Prosody I'm planning to work on verified email (and possibly phone number) support, which would help a lot with that
  247. jonas’ :-O
  248. APach has left
  249. APach has joined
  250. SamWhited It's not widely supported, but XEP-0389 handles password reset
  251. APach has left
  252. APach has joined
  253. pasdesushi has left
  254. MattJ Ah yes
  255. MattJ So the future is hopeful :)
  256. Ge0rG SamWhited: by asking for an email during EIBR?
  257. mukt2 has joined
  258. antranigv MattJ, that would be nice, I run a mix of prosody and ejabberd, but the main jabber.am server is still prosody, and would love to see that.
  259. SamWhited Sure, that would be one way
  260. SamWhited You could also do it after registration. Eventually maybe define a URI to open the client and continue the reset process
  261. papatutuwawa has left
  262. Daniel In some scenarios it might make sense to tie the account registration to SMS verification anyway.
  263. SamWhited (eIBR can also do that; really this is the use case I had in mind when I designed it :) )
  264. Ge0rG how do you get the URI after you lost your password?
  265. mukt2 has left
  266. Ge0rG Daniel: how is quicksy going btw?
  267. Daniel Terribly
  268. SamWhited Ge0rG: eIBR works before login, so somewhere in your client you'd pick "I forgot my password" or something and it would just select the eIBR feature instead of the normal auth feature
  269. adiaholic has left
  270. Ge0rG SamWhited: ah well, doing oob authentication during password reset is probably not the challenging part ;)
  271. Ge0rG I was looking into how to make the users define the oob channel in advance in a sensible way
  272. SamWhited Ge0rG: I guess I'm not sure what you mean? What is "define the oob channel?"
  273. adiaholic has joined
  274. Ge0rG SamWhited: a user needs to give an email address / phone number / avian carrier coordinates at some time, and the server needs to verify that
  275. Ge0rG it shouldn't be mandatory though
  276. SamWhited Ge0rG: if you're using eIBR you could use the dataform challenge and just ask for that stuff, or you could define your own more specific challenge if dataforms aren't desired
  277. Daniel Ge0rG: I think you need to transport the actual carrier, not the coordinates
  278. mukt2 has joined
  279. Daniel Like Mail it in or something
  280. Zash Ad-hoc command?
  281. Ge0rG SamWhited: well, passing an email during IBR has been a thing for seventeen years now
  282. intosi has joined
  283. Ge0rG I'm not sure if any server implementation will actually verify that email address
  284. MattJ Prosody doesn't, currently
  285. SamWhited Sure, how the server actually implements things is up to them
  286. Ge0rG Daniel: good point. I'm not sure if that's in scope for eIBR though
  287. Ge0rG integrated IM solutions can do nifty things like https://developers.google.com/identity/sms-retriever/overview
  288. APach has left
  289. intosi has left
  290. intosi has joined
  291. Aleksej has left
  292. APach has joined
  293. lorddavidiii has left
  294. lorddavidiii has joined
  295. wladmis has joined
  296. Kev has left
  297. Алексей has left
  298. Steve Kille has left
  299. APach has left
  300. APach has joined
  301. Andrzej has left
  302. intosi has left
  303. Andrzej has joined
  304. xsf has left
  305. xsf has joined
  306. paul has left
  307. floretta has joined
  308. paul has joined
  309. Aleksej has joined
  310. Aleksej has left
  311. dwd We did a password reset system for a failed product at Surevine. Built around two SASL mechanisms, one for the "I forgot my password" bit, and a one-time reset code one to handle the "Click here to reset your password" link.
  312. lorddavidiii has left
  313. intosi has joined
  314. lorddavidiii has joined
  315. neshtaxmpp has left
  316. neshtaxmpp has joined
  317. pasdesushi has joined
  318. chronosx88 has left
  319. chronosx88 has joined
  320. pasdesushi has left
  321. lorddavidiii has left
  322. intosi has left
  323. Andrzej has left
  324. Andrzej has joined
  325. APach has left
  326. APach has joined
  327. alameyo has joined
  328. intosi has joined
  329. Adi has left
  330. eevvoor has left
  331. eevvoor has joined
  332. lorddavidiii has joined
  333. intosi has left
  334. debacle has joined
  335. Wojtek has joined
  336. Maranda has left
  337. intosi has joined
  338. Maranda has joined
  339. pasdesushi has joined
  340. eevvoor has left
  341. eevvoor has joined
  342. pasdesushi has left
  343. intosi has left
  344. Kev has joined
  345. Arne has left
  346. krauq has left
  347. krauq has joined
  348. intosi has joined
  349. pasdesushi has joined
  350. pasdesushi has left
  351. pasdesushi has joined
  352. pasdesushi has left
  353. Arne has joined
  354. lovetox has joined
  355. intosi has left
  356. antranigv has left
  357. pasdesushi has joined
  358. antranigv has joined
  359. pasdesushi has left
  360. pasdesushi has joined
  361. DebXWoody has left
  362. neshtaxmpp has left
  363. neshtaxmpp has joined
  364. DebXWoody has joined
  365. intosi has joined
  366. Lance has left
  367. Andrzej has left
  368. Andrzej has joined
  369. intosi has left
  370. lorddavidiii has left
  371. lorddavidiii has joined
  372. pasdesushi has left
  373. matkor has left
  374. intosi has joined
  375. Maranda Ge0rG: Metronome does, and also verifies that the address is not a disposable one....
  376. arc has left
  377. jonas’ Maranda, how do you verify that it’s not disposable? :)
  378. arc has joined
  379. Maranda I pass the domain name to an external REST API which does that
  380. Maranda If it's caught as DEA it will invalidate the registration
  381. Ge0rG > an external REST API That's how the internet works, right?
  382. adiaholic has left
  383. Maranda Ge0rG: if you want you can implement your own thing, and collect the data required... Tbh I found it more convenient to let someone else do the latter, and since.. Yes most ppl use a REST API.
  384. Maranda 😺
  385. Ge0rG Maranda: not criticizing you, I understand the trade-offs
  386. matkor has joined
  387. mathieui Oh non, those APIs are the bane of my existence since I use spamgourmet
  388. Maranda ... Had to look up the DB I use in the code because it's been years since I touched it. Anyways it's https://www.nameapi.org/
  389. moparisthebest If you are going to do it that's probably a fine way, but... Why prohibit disposable emails at all
  390. mathieui moparisthebest, because that’s what spammers use
  391. Maranda moparisthebest: they're used by spammers to circumvent verification
  392. moparisthebest Spammers set up their own domains no problem
  393. SamWhited Spammers generally don't like to set up their own domains because other providers use domain reputation and if you set up a new domain you don't have a positive reputation to help you land in people's inboxes even though the contents of your message looked kind of spammy.
  394. MattJ You're right, it should be a simple whitelist of gmail.com, outlook.com, yahoo.com
  395. Maranda moparisthebest: once they become detected and listed, nameapi will block those as well
  396. Maranda They do several checks
  397. Maranda Not just DEA
  398. Maranda It served me well enough over the years
  399. Zash MattJ, make sure to whitelist their MX'es so everyone with custom domains aren't blocked!
  400. floretta has left
  401. intosi has left
  402. chronosx88 has left
  403. floretta has joined
  404. paul has left
  405. Wojtek has left
  406. intosi has joined
  407. krauq has left
  408. krauq has joined
  409. eevvoor has left
  410. nyco has left
  411. Kev has left
  412. Kev has joined
  413. nyco has joined
  414. adiaholic has joined
  415. papatutuwawa has joined
  416. j.r has left
  417. lorddavidiii has left
  418. Wojtek has joined
  419. lorddavidiii has joined
  420. intosi has left
  421. j.r has joined
  422. Steve Kille has joined
  423. chronosx88 has joined
  424. pasdesushi has joined
  425. intosi has joined
  426. pasdesushi has left
  427. paul has joined
  428. lorddavidiii has left
  429. intosi has left
  430. fuana has joined
  431. Kev has left
  432. Kev has joined
  433. chronosx88 has left
  434. chronosx88 has joined
  435. Aleksej has joined
  436. fuana has left
  437. fuana has joined
  438. lorddavidiii has joined
  439. DebXWoody has left
  440. Andrzej has left
  441. intosi has joined
  442. arc has left
  443. arc has joined
  444. pasdesushi has joined
  445. Andrzej has joined
  446. fuana has left
  447. pasdesushi has left
  448. intosi has left
  449. pasdesushi has joined
  450. chronosx88 has left
  451. chronosx88 has joined
  452. pasdesushi has left
  453. pasdesushi has joined
  454. pasdesushi has left
  455. Wojtek has left
  456. pasdesushi has joined
  457. Yagiza has left
  458. intosi has joined
  459. stpeter has joined
  460. stpeter has left
  461. Andrzej has left
  462. pasdesushi has left
  463. APach has left
  464. APach has joined
  465. APach has left
  466. APach has joined
  467. intosi has left
  468. jcbrand has left
  469. Arne has left
  470. Arne has joined
  471. jcbrand has joined
  472. Andrzej has joined
  473. Guus has left
  474. krauq has left
  475. krauq has joined
  476. intosi has joined
  477. serge90 has left
  478. serge90 has joined
  479. krauq has left
  480. stpeter has joined
  481. stpeter has left
  482. krauq has joined
  483. floretta has left
  484. floretta has joined
  485. moparisthebest this is probably bad, I know SamWhited does Go XMPP stuff, anyone else? https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
  486. andrey.g has joined
  487. raghavgururajan has left
  488. jcbrand has left
  489. paul has left
  490. jonas’ moparisthebest: oh my
  491. moparisthebest I'm not absolutely positive whether this is a deal breaker for XMPP or not, looks like attribute/element ordering isn't preserved
  492. moparisthebest it is "unfixable" at the moment so they just dropped it
  493. intosi has left
  494. raghavgururajan has joined
  495. Kev I'm not sure it's a security vulnerability, but it's definitely not irrelevant, e.g. data forms.
  496. Kev Also Atom over pubsub, I guess.
  497. Wojtek has joined
  498. Andrzej has left
  499. intosi has joined
  500. arc has left
  501. Tobias has left
  502. chronosx88 has left
  503. chronosx88 has joined
  504. Kev has left
  505. moparisthebest this is old but I just saw it today too, a case of bad XML comment parsing causing a major security bug in iOS https://siguza.github.io/psychicpaper/ / https://twitter.com/s1guza/status/1255641164885131268
  506. alameyo has left
  507. moparisthebest https://i.imgflip.com/4qcxj6.jpg
  508. intosi has left
  509. Wojtek has left
  510. lorddavidiii has left
  511. lorddavidiii has joined
  512. david has left
  513. david has joined
  514. lovetox has left
  515. intosi has joined
  516. Mikaela has left
  517. j.r has left
  518. j.r has joined
  519. lorddavidiii has left
  520. lorddavidiii has joined
  521. raghavgururajan has left
  522. intosi has left
  523. chronosx88 has left
  524. chronosx88 has joined
  525. paul has joined
  526. papatutuwawa has left
  527. deuill has left
  528. intosi has joined
  529. alameyo has joined
  530. deuill has joined
  531. lorddavidiii has left
  532. Wojtek has joined
  533. Andrzej has joined
  534. lorddavidiii has joined
  535. intosi has left
  536. chronosx88 has left
  537. chronosx88 has joined
  538. andrey.g has left
  539. lorddavidiii has left
  540. andrey.g has joined
  541. raghavgururajan has joined
  542. Andrzej has left
  543. intosi has joined
  544. deuill has left
  545. deuill has joined
  546. raghavgururajan has left
  547. Wojtek has left
  548. intosi has left