XSF Discussion - 2021-11-08

It's really nice meeting you here and I'm very willing to teach you about trading,coach you on how to invest and work with you dealing on cryptocurrencies

^ already banned elsewhere

Do you want to invest now

I guess I'll be better off when I'm going to sleep now

Are you on telegram

As I told you in another muc Daniel max I prefere to burn my money in my own fireplace...

And we are on xmpp. Don't ask such stupid questions

I'm not talking with you my friend

meh

you didn't addressed a single person here so I thought you are talking to all of us 🙁

Okay

Do you have any experience before

I'm very sad that I don't have the chance to learn how to become rich

yes. I've burned money allready before

with a small ligher, you know?

I guess this was more effective then all of your tipps I could expect

So have you earn

I've earned. Sure

Okay

great

uh, the applications are a tad disappointing.

Huh, assuming all directors are elected Ralph would get a tie breaker vote (I think? Isn't he the executive director?) but if Ralph is on the board…

Constitutional crisis time!

Matt is ED

IIRC

Either way

Is this not already the case, with one board member leaving?

One board member is leaving? I guess so then

Wasn't this many moons ago?

Sam, I think one board member resigned some time during the last term

so we've been running on four board members for a while now

Oh fun; looks like it will be the same thing all next term then.

It hasn't seemed to be a problem in practice

Yah, hopefully there are no split votes and everyone just works towards consensus, I'd be more worried if it were the council I guess.

Don't worry, be happy

does anyone see any glaring problems with validating incoming SASL EXTERNAL s2s connections from .onion domains via initiating an outgoing connection to that .onion domain, and recording whatever TLS cert it sends as trusted for that domain ?

as opposed to what all implementations I'm aware of would do now, which is dialback

You can do that even without .onion

IIRC dwd wrote about "same cert validation" long long ago

https://xmpp.org/extensions/xep-0344.html#samecert

I don't recall how hidden services work (and haven't been involved since before the v3 ones, so they may be different now anyways), but surely Tor would have its own thing you could look up on the network to verify the connection? It hides you and the location of the service, but I thought the address and some key stored on the network somewhere could be used to authenticate the service still. Maybe you just need a Tor specific version of SASL EXTERNAL.

Some way to derive or connect the certificate from the .onion would be neat.

thanks! that's exactly what I meant.... so does anything implement this ?

There's half of same-cert validation as a Prosody module

I can't actually remember. I think I did this in M-Link, perhaps, and/or Metre.

well, this still involves dialback a bit

Well, it's still dialling back, yes.

But not using the dialback key.

In Prosody, at that point, it's already started Dialback so might as well proceed with it ...

Well, my view is that it's stronger to use same-cert than the key, and it saves a round-trip, so...

tor gives you the guarantee that if you try to contact example.onion you are actually connected to example.onion, so you can trust what cert it sends, can you then immediately trust whatever incoming connection also sends that same cert ?

Oh, so you're saying that if you connect outbound, blind, to example.onion then can you cache the cert?

yes, but only for example.onion obviously

moparisthebest, enable https://modules.prosody.im/mod_s2s_auth_samecert.html and try it?

unless mod_onions already does that

That is, I think, a different question. "same cert dialback" does make the assumption that the cert is used by inbound and outbound sessions at the same time, I think when you introduce longer-term caching, then you also introduce TOCTOU issues.

maybe you don't cache, maybe you make a new outgoing s2s connection for every incoming

moparisthebest, But then you're doing same-cert dialback.

what would it be if it just compares with the cert of an existing outgoing connection?

it's like tor-specific dialback-without-sending-or-recieving any <db XML

Yes, that should work.

moparisthebest, Ah, well. If you know a-priori that the cert is currently in use, then you can indeed offer EXTERNAL then.

moparisthebest, how is it tor specific?

ah

because normally your cert would match your hostname

and hence you don't even need to do the dialback dance

nevermind

normally "do I trust a cert" is "is it signed by a CA I trust", but with tor it can be "does example.onion send me this cert when I connect to it"

jonas’, Well, no, do mind. You could do this without Tor just as well, I think.

Is it now we realize we're not actually authenticating the outgoing connection?

with tor, connecting to example.onion is already validated when(before?) you connect

jonas’, Tor offers some additional protection against spoofing, so the outbound connection is in effect authenticated by Tor, so it's *better*, but if you have an outgoing connection over TLS/IP (not Tor) then you could choose to trust an inbound one from the same domain based on same-cert and EXTERNAL.

other non-tor things probably have this same property, like .i2p ? but I don't know enough about it

moparisthebest, The problem is there's no channel binding between TLS and Tor, AFAIK. So you're still vulnerable to the remote domain spoofing in some cases. But as I say, it's more secure against such attacks than plain IP.

in what way could it be spoofed ?

just started memberbot for our board&council elections

voted :)

Me too (and it let me, but then I realized I don't think I technically can)

:O

uh, indeed

Alex, ^

will be dropped from the votes

maybe give the list of allowed voters another look :)

I want to suggest some kind of whitelist in git of members, maybe based on hashes of jids or smth similar. This will make many things easier

all the JIDs are public anyway?

you know what this means, Sam needs prosecuted to the fullest extent of the law for hacking the XSF https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-governor-threatens-to-prosecute-local-journalist-for-finding-exposed-state-data/ ;)

I don't live in Missouri; Georgia's governor is as much of a right wing asshole, but is also competent at being evil (unfortunately?)

JID is required in the membership application, so yeah

Alex, we could just add them to members.json and not render them to the website

(you can just add fields, they'll be ignored I guess)

jonas’ hashes? or real jids?

I meant "jids are already public in membership applications so no use hashing them for this"

I am fine with that. Then we could ask every member to PR their Jid

or multiple

on the wiki they are public, but sometimes decoded with (at) and (dot)......

I'll have a go at scraping them from there in a bit

👍

https://burtrum.org/up/e9d06221-b6dd-48a8-95cd-00e43af1ccfa/memberjids.txt

52 member jids here, some members had 2 etc, don't @ me for doing terrible things with html and regex: `curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 | grep -Eo '/web/[^"]+Application_202[01]' apps.txt | sed 's@^@https://wiki.xmpp.org@' | xargs curl | sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' -e 's/ *([(]|&lt;|\[)(at|ett|ät)([)]|&gt;|\]) */@/gi' -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' | grep -Ei '(xmpp|jid|jabber)' | grep '@' | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' | sed 's@.*xmpp:@@i' | grep -v 'mailto:' | sort -u | tee memberjids.txt`

https://wiki.xmpp.org/web/Florian_Schmaus_Application_2021 and https://wiki.xmpp.org/web/Arc_Riley_Application_2021 flow / arc get shamed for not including JID in their applications :)

https://wiki.xmpp.org/web/Daniel_Gultsch_Application_2021 https://wiki.xmpp.org/web/Matthew_Wild_Application_2021 https://wiki.xmpp.org/web/Yvo_Meeres_Application_2021 https://wiki.xmpp.org/web/Kim_Alvefur_Application_2020 were missed for having funky formats (need to add these manually) ✏

https://wiki.xmpp.org/web/Bartosz_Malkowski_Application_2021 https://wiki.xmpp.org/web/Joachim_Lindborg_Application_2020 links to user pages and so were missed and needs added manually

lastly https://wiki.xmpp.org/web/Davide_Conzon_Application_2021 has a @gmail.com JID which no longer exists right ?

otherwise I manually went through all the rest and made sure they were in the dumped file above

I get 'file not found'.

oops, remnants of my testing in the command, the full thing anyone can run to reproduce is `curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 | grep -Eo '/web/[^"]+Application_202[01]' | sed 's@^@https://wiki.xmpp.org@' | xargs curl | sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' -e 's/ *([(]|&lt;|\[)(at|ett|ät)([)]|&gt;|\]) */@/gi' -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' | grep -Ei '(xmpp|jid|jabber)' | grep '@' | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' | sed 's@.*xmpp:@@i' | grep -v 'mailto:' | sort -u | tee memberjids.txt`

(first one had apps.txt which I had written to to avoid continuously hitting wiki.xmpp.org while tweaking regexen)

could we output them with names? Then we could add an issue for our website and add them as a PR to the memberlist json, ideally as an array becasue some members have multiple.

``` curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 | grep -Eo '/web/[^"]+Application_202[01]' | sed 's@^@https://wiki.xmpp.org@' | xargs -n1 sh -c 'curl -o "$(echo "$1" | sed -e 's@https://wiki.xmpp.org/web/@@' -e 's@.Application_.*@@')" $1' -- for file in *; do sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' -e 's/ *([(]|&lt;|\[)(at|ett|ät)([)]|&gt;|\]) */@/gi' -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' "$file" | grep -Ei '(xmpp|jid|jabber)' | grep '@' | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' | sed 's@.*xmpp:@@i' | grep -v 'mailto:' | sed 's/\.$//' | sort -u | tr '\n' ' ' | sed -e 's/ $//' -e 's/ /", "/' -e 's/^/[ "/' -e 's/$/" ]/' | sponge "$file"; done; grep @ * > member_names_with_jids.txt ```

https://burtrum.org/up/ba2c2d00-cb57-4974-bd5b-255ebe5a9af7/member_names_with_jids.txt

some need some obvious cleaning up, `Waqas_Hussain:[ "jdev@muc.xmpp.org", "prosody@conference.prosody.im waqas@prosody.im xsf@muc.xmpp.org" ]`, but close enough

it does have the nice side effect of telling you which applicants we *do not* have JIDs for: ``` $ grep -L @ * Arc_Riley Bartosz_Malkowski Florian_Schmaus Joachim_Lindborg Kim_Alvefur ```

https://burtrum.org/up/68b35427-c621-4a7f-9b6f-03d7ffc1ff14/member_names_with_jids.txt

there, I manually corrected and filled in everything that I could, only missing are Arc_Riley and Florian_Schmaus, feel free to run a diff against the autogenerated output to see what I manually edited

👍

moparisthebest: parsing html with sed. I approve.

I suspected you would :P it works, shipit

(disclaimer: I wouldn't write production code like this but a one-off? absolutely)