-
wuuko
https://xmpp.org/community/security-notices/vulnerability-in-xmpp-server-dialback-implementations.html Nothing every app is 100% secure
-
emus
Ge0rG: if you give me some hints I can update this section
-
Ge0rG
emus: I'm sorry, I'm missing context
-
emus
Ge0rG: once you said you planned to update the cve section on the xsf website
-
Ge0rG
emus: I'm not sure. I think I was interested in some tooling for extracting the <cve/> items from XEPs into a central place, but didn't do anything about it
-
emus
So otherwise all cve are listed in the xeps?
-
Ge0rG
emus: that was the idea behind my PR
-
emus
Okay, but my question was actually where is this information listed right now?
-
Ge0rG
emus: a start has been done with https://github.com/xsf/xeps/pull/1055
-
emus
So now people need to upgrade their xeps?
-
emus
Ge0rG: And still, apart from your good work - where have the CVEs been listed before, also in the XEPs but without automation?
-
Ge0rG
emus: I think there was only one or two CVEs mentioned in XEPs before. Some are listed on the wiki, others are just tribal knowledge
-
Ge0rG
emus: with the new <cve/> element, somebody could open PRs against the different XEPs that were "hit" before
-
Ge0rG
Like some of the CVEs I added to https://xmpp.org/extensions/xep-0280.html#security also affect XEP-0313
-
edhelas
I find it surprising to add client-related CVEs into XEPs, no?
-
edhelas
like Monal and Dino for this PR
-
Ge0rG
edhelas: yes, that point was also brought up.
-
edhelas
ok :)
-
Ge0rG
edhelas: I think the fact that over a dozen clients all made the same error when implementing a XEP warrants a mention in the XEP.
-
edhelas
yup, I'm one of the faulty devs :p
-
edhelas
"it was just a forgotten if case"
-
Ge0rG
And given that XEPs are our major publishing mechanism, I thought it wouldn't hurt too much to have it there.
-
emus
> Ge0rG wrote:
> edhelas: I think the fact that over a dozen clients all made the same error when implementing a XEP warrants a mention in the XEP.

I would agree with this. I think it's okay to make clear that it happened in a particular implementation where others can learn from it, and I think this is valuable already
-
phryk
BTW does OMEMO "just" do double-ratchet encryption or does it do the "Signal Protocol" (fair warning: I'm not entirely sure what the difference is)
-
yushyin
it is an adaptation of the Signal protocol, besides the double ratchet you also have the X3DH key protocol and also the XEdDSA/VXEdDSA signature schemes. All three are mentioned in the XEP
-
yushyin
you may also find the audit insightful/informative https://conversations.im/omemo/audit.pdf
-
Zash
https://xmpp.org/extensions/attic/xep-0384-0.3.0.html (the version in use) talks about SignalProtocol a bunch.
-
phryk
Thanks. :)
-
Ellenor Malik
phryk: Hello!
-
phryk
Ellenor Malik, Hello indeed. Do we already know each other? :)
-
Ellenor Malik
No. I'd like to dm you however
-
phryk
Sure, go ahead. But if you have XMPP-specific questions you'll probably get more useful answers if you post in here. :)
-
wuuko
https://upload.jabberfr.org/TLC9JXTlV_RaRgB5/Screenshot_20210726-202758.jpg
-
wuuko
Do I need to enter my account password?
-
wgreenhouse
wuuko: why ask here?
-
Zash
Looks like they have a captcha you need to solve to proceed.
-
wuuko
> Zash wrote:
> Looks like they have a captcha you need to solve to proceed.

It says "Enter password"
-
wuuko
> wgreenhouse wrote:
> wuuko: why ask here?

Where do I have to ask?
-
Menel
People from jabber.ru, but it's not the job of the people here to find out where that may be.
-
Zash
Do you understand "to unblock (the messages) visit <link>" ?
-
chronosx88
> It says "Enter password"

Where does it say "Enter password"?
-
Zash
The gray bar at the bottom
-
wuuko
> Zash wrote:
> The gray bar at the bottom

Yes
-
chronosx88
so, why are you asking here?
-
wuuko
Ok.
-
Zash
chronosx88, while I agree it's not the optimal place for user support like this, where else?
-
Zash
Hrm. When I try this with Conversations, I don't even see that captcha message.
-
chronosx88
> chronosx88, while I agree it's not the optimal place for user support like this, where else?

I think the community room on jabber.ru
-
Zash
That also seems to have a captcha
-
wuuko
> chronosx88 wrote:
> I think the community room on jabber.ru

jr
-
wuuko
Yes yes ru
-
bung9
I switched to a new account
-
bung9
> Old messages disappear when you change passwords
-
bung9
Yes, this is true. I think it's bad.
-
bung9
"unauthorized"
-
me9
Didn't you see all the people telling you not to ask here already? Find another chat. Like on https://search.jabber.network
-
Zash
ISTR someone on the Board saying it's okay to ask XMPP-related questions here.
-
Zash
All that seems to be misunderstandings about the captcha used. Switching account will not help with that.
-
bung9
> Zash wrote:
> All that seems to be misunderstandings about the captcha used. Switching account will not help with that.

No, I couldn't log in to the account when I changed the password. I am 100% sure the password is true
-
bung9
Try it if you want, it'll be like I said
-
Zash
Changed the password where?
-
me9
> Zash wrote:
> ISTR someone on the Board saying it's okay to ask XMPP-related questions here.

Ok then.
-
bung9
https://upload.jabberfr.org/lotbVJP-uNUKmQCN/Screenshot_20210727-003535.jpg
-
bung9
Parola= password
-
Zash
The thing earlier did not want you to enter a password, that seems to be some bug or mistake. You needed to click the link and fill in the captcha to proceed.
-
Menel
I tried it before. The password part will show up after a while if one clicks the link and goes back to the Conversations app.
-
bung9
> Menel wrote:
> I tried it before. The password part will show up after a while if one clicks the link and goes back to the Conversations app.

Which link?
-
bung9
I've tried twice, I can't get into the account
-
me9
bung9: Does the old password work?
-
bung9
> me9 wrote:
> bung9: Does the old password work?

No
-
Menel
The captcha
-
bung9
He says it's unauthorized.
-
me9
Then the password has to be wrong.
-
bung9
https://upload.jabberfr.org/lQyWOK6qmrGgQ0j0/Screenshot_20210727-004038.jpg
-
bung9
Here
-
Menel
Again: first leave the channel! Then: 1. Join that channel again 2. Click the link 3. Fill in the correct captcha 4. Go back and you are in
-
bung9
I tried 30 seconds ago.
-
Menel
If you don't fill it in correctly it will have this "password" and you can't join
-
Menel
Ok so that's a different topic. You can not join your own server anymore. You need to contact your server admin. We don't know your password
-
bung9
> I wrote:
> I tried 30 seconds ago.

Yetkisiz
-
bung9
Is it the same with everyone I meet?
-
Menel
I don't understand
-
bung9
Right now, I'm logged in with the old password. Not entered with new password
-
bung9
If I change the password, "yetkisiz" unauthorized
-
Menel
Then don't change?
-
me9
Didn't you just say the old password didn't work?
-
bung9
Not good if we have to change it
-
Zash
If you post your password in public you definitely should change it.
-
bung9
> me9 wrote:
> Didn't you just say the old password didn't work?

I don't get it either.
-
bung9
> Zash wrote:
> If you post your password in public you definitely should change it.

yes
-
bung9
> Zash wrote:
> If you post your password in public you definitely should change it.

It broke down while changing
-
Menel
Try again via the "change password" button.
-
Zash
Note that changing the password in the app might not change it in the account.
-
bung9
> Zash wrote:
> Note that changing the password in the app might not change it in the account.

Opening a new account seems to make sense.
-
bung9
Is what I'm going through normal?
-
me9
Nope.
-
me9
But in the case of something crashing during password change, errors are to be expected.
-
bung9
It's not a big deal. I can switch to a new account.
-
phryk
OMEMO is the only XMPP E2EE solution that works for file transfers, MUCs and A/V chat, right?
-
bung9
> I wrote:
> It's not a big deal. I can switch to a new account.

I don't think there's any other way.
-
mathieui
phryk: "omemo file transfer" is a hack that has nothing to do with omemo, OX should work in MUCs, and I don't know if there are efforts to replicate the omemo call signing, but the calls are otherwise E2EE anyway, you just lack the trust part
-
phryk
mathieui, nothing to do with omemo? it's not using the same cryptographic protocol?
-
phryk
and by calls being E2EE anyway, I assume you mean there's an end-to-end TLS session?
-
Zash
SRTP or ZRTP or whatsitcalled
-
phryk
Sounds like TLS to me. :)
-
phryk
Also, what's OX? never heard of it before this.
-
Menel
phryk: it's PGP in the core.
-
phryk
Menel, got any source? can find nothing mentioning OX or PGP in the RFCs mentioned on xmpp.org…
-
Sam
OX is an XEP, not an RFC.
-
Menel
It's the new PGP. An older legacy one exists too. https://xmpp.org/extensions/xep-0373.html
-
Menel
And 374
-
phryk
Ooooh OX = OpenPGP for XMPP m)
-
mathieui
phryk: "omemo file transfer" is really "aes-encrypted http upload files with custom aesgcm:// links and the key as part of the URL, with that link sent inside an omemo session"
-
Menel
The old one still in use: https://xmpp.org/extensions/xep-0027.html
-
mathieui
Nothing omemo specific there
-
phryk
Huh, and was there never an XEP for adding OTR support to clients to begin with or was it just removed?
-
Menel
The only omemo part is the key sharing in the message.
-
Menel
> Huh, and was there never an XEP for adding OTR support to clients to begin with or was it just removed?

That one? https://xmpp.org/extensions/xep-0364.html#intro
-
phryk
Yeah, but that's the only way to handle multi-device recipients without uploading once for every receiving key…
-
Zash
Menel, OTR is something you just do over whatever transport. There never was any negotiation for it other than OTR itself.
-
Menel
I see. That's why I didn't find the historical XEP
-
Zash
This has its pros and cons. It doesn't fit into XMPP very well, but it also works through arbitrarily chained gateways, transports and bridges.
-
phryk
Yes, that one. just wasn't shown by default and I thought "deferred" was in the default selection^^
-
phryk
https://paste.xinu.at/ZqX54A/rmd I'm currently writing a text about XMPP – this is part of it dealing with E2EE – please tell me if anything is heinously wrong with it. ^^;
-
phryk
context: it's supposed to become a somewhat detailed explanation of some key features of XMPP and its ecosystem for non-techie lefties
-
moparisthebest
Seems fine, and applicable to right handed people too?
-
phryk
Thanks, also you're the second person making that joke today. :P
-
phryk
also also, don't I know you from fedi?
-
uhoreg
You may want to explain what you mean by "plausible deniability".
-
phryk
good point. :)