XSF Discussion - 2021-07-26


  1. wuuko

    https://xmpp.org/community/security-notices/vulnerability-in-xmpp-server-dialback-implementations.html No app is 100% secure

  3. emus

    Ge0rG: if you give me some hints I can update this section

  4. Ge0rG

    emus: I'm sorry, I'm missing context

  5. emus

    Ge0rG: once you said you planned to update the cve section on the xsf website

  6. Ge0rG

    emus: I'm not sure. I think I was interested in some tooling for extracting the <cve/> items from XEPs into a central place, but didn't do anything about it

  7. emus

    So otherwise all CVEs are listed in the XEPs?

  8. Ge0rG

    emus: that was the idea behind my PR

  9. emus

    Okay, but my question was actually where is this information listed right now?

  10. Ge0rG

    emus: a start has been done with https://github.com/xsf/xeps/pull/1055

  11. emus

    So now people need to upgrade their xeps?

  13. emus

    Ge0rG: And still, apart from your good work - where have the CVEs been listed before, also in the xeps but without automation?

  14. Ge0rG

    emus: I think there was only one or two CVEs mentioned in XEPs before. Some are listed on the wiki, others are just tribal knowledge

  15. Ge0rG

    emus: with the new <cve/> element, somebody could open PRs against the different XEPs that were "hit" before

  16. Ge0rG

    Like some of the CVEs I added to https://xmpp.org/extensions/xep-0280.html#security also affect XEP-0313

  17. edhelas

    I find it surprising to add client-related CVEs into XEPs, no?

  18. edhelas

    like Monal and Dino for this PR

  19. Ge0rG

    edhelas: yes, that point was also brought up.

  20. edhelas

    ok :)

  21. Ge0rG

    edhelas: I think the fact that over a dozen clients all made the same error when implementing a XEP warrants a mention in the XEP.

  22. edhelas

    yup, I'm one of the faulty devs :p

  23. edhelas

    "it was just a forgotten if case"

  24. Ge0rG

    And given that XEPs are our major publishing mechanism, I thought it wouldn't hurt too much to have it there.

  25. emus

    > Ge0rG wrote: > edhelas: I think the fact that over a dozen clients all made the same error when implementing a XEP warrants a mention in the XEP. I would agree with this. I think it's okay to make clear that it happened in a particular implementation where others can learn from it, and I think this is valuable already

  26. phryk

    BTW does OMEMO "just" do double-ratchet encryption or does it do the "Signal Protocol" (fair warning: I'm not entirely sure what the difference is)

  27. yushyin

    it is an adaptation of the Signal Protocol; besides the double ratchet you also have the X3DH key agreement protocol and the XEdDSA/VXEdDSA signature schemes. All three are mentioned in the XEP

  28. yushyin

    you may also find the audit insightful/informative https://conversations.im/omemo/audit.pdf

  29. Zash

    https://xmpp.org/extensions/attic/xep-0384-0.3.0.html (the version in use) talks about SignalProtocol a bunch.

  30. phryk

    Thanks. :)

  31. Ellenor Malik

    phryk: Hello!

  32. phryk

    Ellenor Malik, Hello indeed. Do we already know each other? :)

  33. Ellenor Malik

    No. I'd like to dm you however

  34. phryk

    Sure, go ahead. But if you have XMPP-specific questions you'll probably get more useful answers if you post in here. :)

  35. wuuko

    https://upload.jabberfr.org/TLC9JXTlV_RaRgB5/Screenshot_20210726-202758.jpg

  36. wuuko

    Do I need to enter my account password?

  37. wgreenhouse

    wuuko: why ask here?

  38. Zash

    Looks like they have a captcha you need to solve to proceed.

  39. wuuko

    > Zash wrote: > Looks like they have a captcha you need to solve to proceed. It says "Enter password"

  40. wuuko

    > wgreenhouse wrote: > wuuko: why ask here? Where do I have to ask?

  41. Menel

    People from jabber.ru, but it's not the job of the people here to find out where that may be.

  42. Zash

    Do you understand "to unblock (the messages) visit <link>" ?

  43. chronosx88

    > It says "Enter password" where does it say "Enter password"?

  44. Zash

    The gray bar at the bottom

  45. wuuko

    > Zash wrote: > The gray bar at the bottom Yes

  46. chronosx88

    so, why are you asking here?

  47. wuuko

    Ok.

  48. Zash

    chronosx88, while I agree it's not the optimal place for user support like this, where else?

  49. Zash

    Hrm. When I try this with Conversations, I don't even see that captcha message.

  50. chronosx88

    > chronosx88, while I agree it's not the optimal place for user support like this, where else? I think community room on jabber.ru

  51. Zash

    That also seems to have a captcha

  52. wuuko

    > chronosx88 wrote: > I think community room on jabber.ru jr

  53. wuuko

    Yes yes ru

  54. bung9

    I switched to a new account

  55. bung9

    > Old messages disappear when you change passwords

  56. bung9

    Yes, this is true. I think it's bad.

  57. bung9

    "unauthorized"

  59. me9

    Didn't you see all the people telling you not to ask here already? Find another chat. Like on https://search.jabber.network

  60. Zash

    ISTR someone on the Board saying it's okay to ask XMPP-related questions here.

  61. Zash

    All that seems to be misunderstandings about the captcha used. Switching account will not help with that.

  62. bung9

    > Zash wrote: > All that seems to be misunderstandings about the captcha used. Switching account will not help with that. No, I couldn't log in to the account when I changed the password. I am 100% sure the password is correct

  63. bung9

    Try it if you want, it'll be like I said

  64. Zash

    Changed the password where?

  65. me9

    > Zash wrote: > ISTR someone on the Board saying it's okay to ask XMPP-related questions here. Ok then.

  66. bung9

    https://upload.jabberfr.org/lotbVJP-uNUKmQCN/Screenshot_20210727-003535.jpg

  67. bung9

    Parola = password

  68. Zash

    The thing earlier did not want you to enter a password, that seems to be some bug or mistake. You needed to click the link and fill in the captcha to proceed.

  69. Menel

    I tried it before. The password part will show up after a while if one clicks the link and goes back to the Conversations app.

  70. bung9

    > Menel wrote: > I tried it before. The password part will show up after a while if one clicks the link and goes back to the Conversations app. Which link?

  71. bung9

    I've tried twice, I can't get into the account

  72. me9

    bung9: Does the old password work?

  73. bung9

    > me9 wrote: > bung9: Does the old password work? No

  74. Menel

    The captcha

  75. bung9

    He says it's unauthorized.

  76. me9

    Then the password has to be wrong.

  77. bung9

    https://upload.jabberfr.org/lQyWOK6qmrGgQ0j0/Screenshot_20210727-004038.jpg

  78. bung9

    Here

  79. Menel

    Again: first leave the channel! Then: 1. Join that channel again 2. Click the link 3. Fill in the correct captcha 4. Go back and you are in

  80. bung9

    I tried 30 seconds ago.

  81. Menel

    If you don't fill it correct it will have this "password" and you can't join

  83. bung9

    > I wrote: > I tried 30 seconds ago. Unauthorized

  84. Menel

    Ok so that's a different topic. You can not join your own server anymore. You need to contact your server admin. We don't know your password

  85. bung9

    Is it the same with everyone I meet?

  86. Menel

    I don't understand

  87. bung9

    Right now, I'm logged in with the old password. Not logged in with the new password

  88. bung9

    If I change the password, "yetkisiz" (unauthorized)

  89. Menel

    Then don't change?

  90. me9

    Didn't you just say the old password didn't work?

  91. bung9

    Not good if we have to change it

  92. Zash

    If you post your password in public you definitely should change it.

  93. bung9

    > me9 wrote: > Didn't you just say the old password didn't work? I don't get it either.

  95. bung9

    > Zash wrote: > If you post your password in public you definitively should change it. Yes

  96. bung9

    > Zash wrote: > If you post your password in public you definitively should change it. It broke down while changing

  97. Menel

    Try again via the "change password" button.

  98. Zash

    Note that changing the password in the app might not change it in the account.

  99. bung9

    > Zash wrote: > Note that changing the password in the app might not change it in the account. Opening a new account seems to make sense.

  100. bung9

    Is what I'm going through normal?

  101. me9

    Nope.

  102. me9

    But in the case of something crashing during password change, errors are to be expected.

  103. bung9

    It's not a big deal. I can switch to a new account.

  104. phryk

    OMEMO is the only XMPP E2EE solution that works for file transfers, MUCs and A/V chat, right?

  105. bung9

    > I wrote: > It's not a big deal. I can switch to a new account. I don't think there's any other way.

  106. mathieui

    phryk: "OMEMO file transfer" is a hack that has nothing to do with OMEMO, OX should work in MUCs, and I don't know if there are efforts to replicate the OMEMO call signing, but the calls are otherwise E2EE anyway, you just lack the trust part

  107. phryk

    mathieui, nothing to do with OMEMO? it's not using the same cryptographic protocol?

  108. phryk

    and by calls being E2EE anyway, I assume you mean there's an end-to-end TLS session?

  109. Zash

    SRTP or ZRTP or whatsitcalled

  110. phryk

    Sounds like TLS to me. :)

  111. phryk

    Also, what's OX? never heard of it before this.

  112. Menel

    phryk: it's PGP in the core.

  113. phryk

    Menel, got any source? I can find nothing mentioning OX or PGP in the RFCs mentioned on xmpp.org…

  114. Sam

    OX is an XEP, not an RFC.

  115. Menel

    It's the new PGP. An older legacy one exists too. https://xmpp.org/extensions/xep-0373.html

  116. Menel

    And 374

  117. phryk

    Ooooh OX = Openpgp for Xmpp m)

  118. mathieui

    phryk: "OMEMO file transfer" is really "AES-encrypted HTTP upload files with custom aesgcm:// links and the key as part of the URL, with that link sent inside an OMEMO session"

  119. Menel

    The old one still in use: https://xmpp.org/extensions/xep-0027.html

  120. mathieui

    Nothing OMEMO-specific there

  121. phryk

    Huh, and was there never an XEP for adding OTR support to clients to begin with or was it just removed?

  122. Menel

    The only OMEMO part is the key sharing in the message.

  123. Menel

    That one? https://xmpp.org/extensions/xep-0364.html#intro > Huh, and was there never an XEP for adding OTR support to clients to begin with or was it just removed?

  124. phryk

    Yeah, but that's the only way to handle multi-device recipients without uploading once for every receiving key…

  125. Zash

    Menel, OTR is something you just do over whatever transport. There never was any negotiation for it other than OTR itself.

  126. Menel

    I see. Thats why I didn't find the historical xep

  127. Zash

    This has its pros and cons. It doesn't fit into XMPP very well, but it also works through arbitrarily chained gateways, transports and bridges.

  128. phryk

    Yes, that one. just wasn't shown by default and I thought "deferred" was in the default selection^^

  129. phryk

    https://paste.xinu.at/ZqX54A/rmd I'm currently writing a text about XMPP – this is part of it dealing with E2EE – please tell me if anything is heinously wrong with it. ^^;

  130. phryk

    context: it's supposed to become a somewhat detailed explanation of some key features of XMPP and its ecosystem for non-techie lefties

  131. moparisthebest

    Seems fine, and applicable to right handed people too?

  132. phryk

    Thanks, also you're the second person making that joke today. :P

  133. phryk

    also also, don't i know you from fedi?

  134. uhoreg

    You may want to explain what you mean by "plausible deniability".

  135. phryk

    good point. :)