XSF Discussion - 2020-12-14


  1. darkijah

    hello

  2. darkijah

    anyone there?

  3. MattJ

    @SCAM: FOSDEM call for stands is open, though hopefully nobody is actually relying on me to know that :)

  4. flow

    hmm, online stands?

  5. MattJ

    Yes, online stands

  6. MattJ

    I think it would be good to issue (as early as possible) a call for content from projects

  7. MattJ

    People may need time to prepare

  8. Zash

    How does an online stand even work?

  9. SamWhited

    Video chat with slides and the website shared?

  10. antranigv

    Is there any "reset password" standard?

  11. antranigv

    I was thinking of this: the user asks for "reset password", the server looks for emails in the VCard, and we send the "link", say via HTTP, OR a new password, to their specified email.

  12. MattJ

    I'm not aware of a standard for that, no. Also using the vCard is unwise because it's typically not verified (so a typo could grant someone else access to the account, etc.)

  13. mathieui

    would be nice to have a standard way of reaching the user as a service or admin though

  14. MattJ

    Also I may not want to publish an email but still have one registered, or I may want to use a different email for my account but publish a different public email address

  15. mathieui

    We often have to correlate the little data we have when we get a "lost password" request

  16. MattJ

    For Prosody I'm planning to work on verified email (and possibly phone number) support, which would help a lot with that

  17. jonas’

    :-O

  18. SamWhited

    It's not widely supported, but XEP-0389 handles password reset

  19. MattJ

    Ah yes

  20. MattJ

    So the future is hopeful :)

  21. Ge0rG

    SamWhited: by asking for an email during EIBR?

  22. antranigv

    MattJ, that would be nice, I run a mix of prosody and ejabberd, but the main jabber.am server is still prosody, and would love to see that.

  23. SamWhited

    Sure, that would be one way

  24. SamWhited

    You could also do it after registration. Eventually maybe define a URI to open the client and continue the reset process

  25. Daniel

    In some scenarios it might make sense to tie the account registration to SMS verification anyway.

  26. SamWhited

    (eIBR can also do that; really this is the use case I had in mind when I designed it :) )

  27. Ge0rG

    how do you get the URI after you lost your password?

  28. Ge0rG

    Daniel: how is quicksy going btw?

  29. Daniel

    Terribly

  30. SamWhited

    Ge0rG: eIBR works before login, so somewhere in your client you'd pick "I forgot my password" or something and it would just select the eIBR feature instead of the normal auth feature

  31. Ge0rG

    SamWhited: ah well, doing oob authentication during password reset is probably not the challenging part ;)

  32. Ge0rG

    I was looking into how to make the users define the oob channel in advance in a sensible way

  33. SamWhited

    Ge0rG: I guess I'm not sure what you mean? What is "define the oob channel?"

  34. Ge0rG

    SamWhited: a user needs to give an email address / phone number / avian carrier coordinates at some time, and the server needs to verify that

  35. Ge0rG

    it shouldn't be mandatory though

  36. SamWhited

    Ge0rG: if you're using eIBR you could use the dataform challenge and just ask for that stuff, or you could define your own more specific challenge if dataforms aren't desired

  37. Daniel

    Ge0rG: I think you need to transport the actual carrier, not the coordinates

  38. Daniel

    Like Mail it in or something

  39. Zash

    Ad-hoc command?

  40. Ge0rG

    SamWhited: well, passing an email during IBR has been a thing for seventeen years now

  41. Ge0rG

    I'm not sure if any server implementation will actually verify that email address

  42. MattJ

    Prosody doesn't, currently

  43. SamWhited

    Sure, how the server actually implements things is up to them

  44. Ge0rG

    Daniel: good point. I'm not sure if that's in scope for eIBR though

  45. Ge0rG

    integrated IM solutions can do nifty things like https://developers.google.com/identity/sms-retriever/overview

  46. dwd

    We did a password reset system for a failed product at Surevine. Built around two SASL mechanisms, one for the "I forgot my password" bit, and a one-time reset code one to handle the "Click here to reset your password" link.

  47. Maranda

    Ge0rG: Metronome does, and also verifies that the address is not a disposable one....

  48. jonas’

    Maranda, how do you verify that it’s not disposable? :)

  49. Maranda

    I pass the domain name to an external REST API which does that

  50. Maranda

    If it's caught as DEA it will invalidate the registration

  51. Ge0rG

    > an external REST API

    That's how the internet works, right?

  52. Maranda

    Ge0rG: if you want you can implement your own thing, and collect the data required... Tbh I found it more convenient to let someone else do the latter, and since.. Yes most ppl use a REST API.

  53. Maranda

    😺

  54. Ge0rG

    Maranda: not criticizing you, I understand the trade-offs

  55. mathieui

    Oh non, those APIs are the bane of my existence since I use spamgourmet

  56. Maranda

    ... Had to look up the DB I use in the code because it's been years since I touched it. Anyways it's https://www.nameapi.org/

  57. moparisthebest

    If you are going to do it that's probably a fine way, but... Why prohibit disposable emails at all

  58. mathieui

    moparisthebest, because that’s what spammers use

  59. Maranda

    moparisthebest: they're used by spammers to circumvent verification

  60. moparisthebest

    Spammers set up their own domains no problem

  61. SamWhited

    Spammers generally don't like to set up their own domains because other providers use domain reputation and if you set up a new domain you don't have a positive reputation to help you land in people's inboxes even though the contents of your message looked kind of spammy.

  62. MattJ

    You're right, it should be a simple whitelist of gmail.com, outlook.com, yahoo.com

  63. Maranda

    moparisthebest: once they become detected and listed, nameapi will block those as well

  64. Maranda

    They do several checks

  65. Maranda

    Not just DEA

  66. Maranda

    It served me well enough over the years

  67. Zash

    MattJ, make sure to whitelist their MXes so everyone with custom domains isn't blocked!

  68. moparisthebest

    this is probably bad, I know SamWhited does Go XMPP stuff, anyone else? https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

  69. jonas’

    moparisthebest: oh my

  70. moparisthebest

    I'm not absolutely positive whether this is a deal breaker for XMPP or not, looks like attribute/element ordering isn't preserved

  71. moparisthebest

    it is "unfixable" at the moment so they just dropped it

  72. Kev

    I'm not sure it's a security vulnerability, but it's definitely not irrelevant, e.g. data forms.

  73. Kev

    Also Atom over pubsub, I guess.

  74. moparisthebest

    this is old but I just saw it today too, a case of bad XML comment parsing causing a major security bug in iOS https://siguza.github.io/psychicpaper/ / https://twitter.com/s1guza/status/1255641164885131268

  75. moparisthebest

    https://i.imgflip.com/4qcxj6.jpg