XSF Discussion - 2022-02-09

  147. moparisthebest

    am I missing it somewhere or does the DNS method here have a giant security hole https://xmpp.org/extensions/xep-0156.html ?

  150. moparisthebest

    you want to connect to example.org , _xmppconnect.example.org tells you to connect to wss://evil.com/xmpp , is that ok?

  151. moparisthebest

    if you grab host-meta from https://example.org/ that doesn't have the same problem, also if you have DNSSEC on example.org you have no issue, but it doesn't mention either

  183. mdosch

    Doesn't evil.com still have to present a cert valid for example.org like with normal SRV records?

  197. moparisthebest

    that would be trustworthy, but XEP-0156 doesn't mention that as far as I see ?

  198. moparisthebest

    and which domain do you send in SNI ?

  209. moparisthebest

    I'm also unsure if XEP-0368 is correct in relation to SNI, if example.org 's SRV DNS response is DNSSEC signed and it says xmpp.example.org is the target, which name do you include in SNI ?

  285. mdosch

    Is this the stuff in RFC7712?

  288. flow

    moparisthebest, it's the same situation with unauthenticated DNS SRV RRs, isn't it?

  289. flow

    so you perform the authentication of the XMPP service the same way as you would if it was an unauthenticated DNS SRV RR that pointed you to wss://evil.com/xmpp

  290. flow

    that is, check if the presented x509 certificate authenticates example.org

  291. Menel

    The only question is: do the available web clients do it correctly...

  295. flow

    I wouldn't restrict that question to web clients, websockets are used by others too

  297. flow

    That said, we do a terrible job documenting best practices regarding authentication and authorization in XMPP

  298. flow

    it appears, as moparisthebest already found, that the related information is scattered around multiple places

  301. Menel

    If I've time, I'll try to mitm conversejs later this day...

  311. Zash

    Converse.js doesn't do DNS TXT lookups

  314. Menel

    Was already doubting if it does, thanks for the info..

  376. emus

    Hey Board, if one of you wants to be invited as Org Admin too just let me know

  547. moparisthebest

    flow: with the additional wrinkle of SNI

  549. flow

    Isn't SNI deprecated in favor of ALPN or so?

  550. flow

    but in any case, SNI or ALPN, I don't see where the problem is?

  551. moparisthebest

    What web server lets you configure the domain "evil.com" to be served when you send "example.org" in SNI?

  552. moparisthebest

    No, both are used

  553. flow

    so client wants to connect to example.org, via some opaque mechanisms, he is told to connect to foo.hosting.org via websocket

  556. flow

    so without SNI/ALPN he would just check that foo.hosting.org presents a valid cert for example.org (assuming no DNSSEC was involved in the endpoint discovery)

  560. flow

    I don't remember the details of SNI/ALPN, but isn't it like the client requests to talk to example.org when connecting to foo.hosting.org? and the server at foo.hosting.org tries to present the correct cert with that information sent by the client?

  561. moparisthebest

    Right, but he has to request the right cert with sni, it's basically "give me the certificate valid for domain X"

  562. moparisthebest

    Which if we pick the secure way, there is no webserver in the world that implements that

  565. flow

    ok, but that's a common theme that most TLS thingies that aren't used by HTTP are not widely available in libraries

  566. Guus

    Doesn't alpn negotiate a protocol to be used over the encrypted connection, while SNI defines a target?

  568. Zash

    You use both today

  569. Zash

    Congratulations on giving OpenSSL responsibility of virtualhost and application dispatching

  570. MattJ

    moparisthebest, FWIW this is an issue I've known about for a long time, and I thought it was just listed in the security considerations

  573. MattJ

    I thought there had been previous discussion about it, but I can only find a lonely post from 2011 on the standards list, so... I don't know

  574. flow

    the "issue" here is that websocket delegation is problematic because websocket servers are likely unable to hand out the correct certificate?

  575. Zash

    What libraries let you connect to https://xmpp.example.com/bosh and expect a certificate for 'example.net' ?

  578. moparisthebest

    the libraries aren't as much of an issue as the servers, what server lets you host https://xmpp.example.com/bosh providing a certificate for example.net via SNI ? I'm fairly confident the answer is "none"

  579. Zash

    Wasn't this one of the things preventing proper SRV support in Thunderbird? NSS just couldn't have a different identity

  580. moparisthebest

    we can handwave and put in some security considerations telling people to do what we know 0 servers are capable of but... :'(

  581. moparisthebest

    sending a different name in SNI and Host: has a name, it's called domain-fronting, and apparently XMPP invented it first :)

  582. Zash

    One name in SNI, a different name in Host:, a third name in <stream to=...>

  583. moparisthebest

    (also google+amazon ban it from being used on their infrastructure, so anyone in AWS for instance)

  585. moparisthebest

    so a related but different question, when you get XEP-0368 records over DNSSEC and can therefore allow *either of two* domains in the cert, which single domain do you send in SNI? :/

  586. Zash

    and if you send SNI: A, do you allow <stream to=B> ?

  587. moparisthebest

    not specified !

  588. Zash

    moparisthebest, isn't that mentioned in DANE or DNA or somesuch?

  591. moparisthebest

    hmm, will see

  592. Zash

    `SNI: xmpp.example.com._or_.example.com` :evil:

  595. moparisthebest

    oh, one more thing about websocket, *if* we say send "example.org" in SNI instead of "evil.com", that means you have to have *different* websocket endpoints for DNS advertisement vs host-meta, because a web client certainly can't do that

  596. Zash

    Can't we just go full DANE, with raw public keys instead of certificates?

  597. moparisthebest

    Zash, please !!!!

  598. moparisthebest

    that would solve all problems forever

  599. flow

    that's crazy talk!

  604. moparisthebest

    anyway if someone wants to check if you can MITM gajim with a bad _xmppconnect record pointing to the wrong cert before I get to it let me know :) my guess is you can

  608. Zash

    but then, BOSH is specified as a proxy which in turn connects to the actual XMPP server, so you'd authenticate the proxy...?

  614. moparisthebest

    yea I've been focusing on websocket but bosh has the same problem(s)

  615. Zash

    oh right, ws has an rfc

  617. moparisthebest

    the RFC get around this by not specifying the DNS method, other than "look at XEP-0156"

  618. Zash

    > but the identity to be authenticated is the connection endpoint address instead of the XMPP service domain https://www.rfc-editor.org/rfc/rfc7395.html#section-6

  619. Guus

    utterly off-topic, but does someone know of a nice DIFF tool (maybe as a website) that is useful to compare two very long lines?

  620. Zash

    RIP the DNS method (unless DNSSEC) then?

  622. Zash

    Guus, `wdiff` ?

  623. moparisthebest

    *because*: > delegation from the XMPP service domain to the connection endpoint address (if any) is accomplished via the discovery method described in Section 4. which only specifies host-meta and is secure delegation when https is used

  625. moparisthebest

    yes, I unfortunately think the only answer is "_xmppconnect is insecure and cannot be used unless DNSSEC"

  626. moparisthebest

    "or the host happens to have a single certificate and ignores SNI in which case go for it"

  627. Neustradamus

    Guus: http://www.aptest.com/standards/htmldiff/htmldiff.pl?oldfile=https://xmpp.org/extensions/attic/xep-0384-0.3.0.html&newfile=https://xmpp.org/extensions/attic/xep-0384-0.8.3.html

  628. Neustradamus

    But there are missing XEP-XXXX versions on xmpp.org

  632. Neustradamus

    Guus: Example which works, here: http://www.aptest.com/standards/htmldiff/htmldiff.pl?oldfile=https://xmpp.org/extensions/attic/xep-0384-0.3.0.html&newfile=https://xmpp.org/extensions/attic/xep-0384-0.4.0.html

  637. Neustradamus

    After several recalls, to have the following, I have done a ticket here about missing XEP-XXXX versions: https://github.com/xsf/xep-attic/issues/3 :) About the Diff tool: https://github.com/xsf/xmpp.org/issues/412, originally posted on the very old-dead tracker.xmpp.org JIRA issue tracker, I think 10yo.

  641. Guus

    Thanks Zash. Neustradamus, I have no clue what missing XEPs have to do with my request. It feels to me that you're trying to re-purpose my question to push forward your own agenda - exactly that what I asked you to stop doing.

  643. Neustradamus

    Guus: The original is the diff website :) You must compare XEP versions, and by extension, I speak about it

  644. Guus

    I didn't ask about comparing XEP versions at all.

  646. Neustradamus

    You can compare RFCs, or all others too, it is very easy, I have used it often for many years.

  647. Guus

    That's nice. It is not what I asked for.

  648. Kev

    Guus: Sometimes I like a glass of water.

  649. Guus

    I'm going to get one myself...

  651. moparisthebest

    other than gajim and pidgin, anyone aware of other clients using _xmppconnect ?

  652. moparisthebest

    maybe I'll ask in jdev...

  683. Daniel

    Tbh I was never really sure why we even have the DNS method in the first place. From a web client perspective it always seemed more natural to just do it over http

  684. moparisthebest

    and if you have a client capable of doing DNS + TLS, well then it can also do https ?

  685. Zash

    There are other things than web clients

  686. MattJ

    Which of those things can do DNSSEC but not HTTPS?

  687. MattJ

    (oh, and you need HTTPS for BOSH anyway, so... it's pretty much certain you support it)

  688. moparisthebest

    nothing can do DNS+TLS and *not* HTTPS, since that is just DNS+TLS

  689. Daniel

    > (oh, and you need HTTPS for BOSH anyway, so... it's pretty much certain you support it) This

  691. moparisthebest

    so I'm inclined to put a PR @ '156 to just remove the DNS method, with a note marking it existed, but was impossible to use securely

  692. Zash

    So why was it TXT only in the beginning?

  693. Zash

    Who has a time machine to go back to 2005 and ask?

  694. MattJ

    IIRC it also had a fallback SRV alternative originally?

  696. Daniel

    > so I'm inclined to put a PR @ '156 to just remove the DNS method, with a note marking it existed, but was impossible to use securely Well DNSSEC could become a thing one day. You know right after we roll out ipv6

  697. Daniel

    But yes I'm in favor of removing it

  698. MattJ

    So it was probably not expected to be used solely by web clients, and also CORS and such didn't exist at that point (flXHR was still cool)

  699. moparisthebest

    yes, it's *only* possible to use securely with DNSSEC, which I'm a big fan of, but that pesky "in practice" thing

  700. Zash

    When was XHR even invented?

  701. MattJ

    I think reducing the number of mechanisms in 156 is beneficial anyway

  702. flow

    moparisthebest, removing a method completely, just because the ecosystem of implementations does not support it, seems a bit harsh. But given that it has a security implication, and that we suspect that there are already vulnerable implementations out there, it sure would be a good idea to mention that in the XEP

  703. moparisthebest

    well author-wise I think we could probably reach 2 of them

  704. MattJ

    It's already too much that it supports both XML and JSON encodings

  705. flow

    Dunno, I see the point in support both XML and JSON

  706. Zash

    Daniel, maybe if you make Conversations stop preferring IPv4 it won't look like nobody uses IPv6

  707. moparisthebest

    MattJ, I was thinking that too but thought it might be too much :)

  709. MattJ

    Currently we have a random selection of (DNS, JSON, XML) for every XMPP service

  710. MattJ

    Some do all, some do some, some do none

  711. MattJ

    So it's not like a client can just implement one method and just work

  712. flow

    <strike>Dunno, I see the point in support both XML and JSON</strike> or maybe not

  713. MattJ

    and it's not like an operator can only advertise via one method and expect it to just work

  714. MattJ

    Interoperability is decreased by having so many options, with little to be gained

  715. moparisthebest

    let's recap, to make an XMPP connection, you must:
    1. lookup 2 sets of SRV records
    2. lookup 1 TXT record with DNSSEC
    3. Grab+parse both a JSON and XML file over HTTPS
    4. Grab+parse a JSON file over HTTPS for POSH
    5. look up TLSA records over DNSSEC

  716. moparisthebest

    I might have missed something...

  717. MattJ

    Very possible :)

  718. Zash

    You forgot the other JSON file for POSH

  719. moparisthebest

    oh right, POSH supports 2 different types of redirects right ?

  721. moparisthebest

    http redirects and also "url in the json file" redirects

  723. moparisthebest

    and therefore 2 layers of TTL

  726. Zash

    Wait, did you edit in POSH or were there too many lines for me to see the POSH in?

  727. Zash

    Hey let's throw DANE in there

  728. moparisthebest

    no edit, I swear on the XML

  729. moparisthebest

    I mentioned dane too, TLSA records :)

  730. Zash

    moparisthebest: Weren't you the one who pushed for the extra set of SRV records???!

  731. moparisthebest

    and I'm about to push for another !

  733. moparisthebest

    it's highly tempting to push for 1 connection discovery method that replaces all of these, but that's clearly XKCD territory

  734. Daniel

    oh til that there is mod_posh for prosody

  737. Zash

    and I think there's approximately 1 server in the whole universe that it can be used to authenticate

  738. Zash

    99% of POSH deployments only have the client file

  739. Daniel

    there is a server file?

  741. Daniel

    shocked emoji

  742. moparisthebest

    I've got c2s and s2s working over both QUIC and WebSocket by the way, that's what brought all this up

  743. moparisthebest

    I really don't want 2 new methods to discover each but eh, it's hairy

  744. moparisthebest

    could always resurrect https://xmpp.org/extensions/inbox/hacx.html as the One True Way (tm)

  745. Zash

    then add 3 more

  747. MattJ

    moparisthebest, maybe for QUIC require advertisement through SVCB (wait, bear with me!) - and state that if SVCB records are present, don't do anything else??

  750. Zash

    what if your enterprise/university firewall block UDP port 443?

  751. moparisthebest

    MattJ, yep, and SVCB could also advertise at least starttls and direct tls too

  752. moparisthebest

    *maybe* websocket

  755. MattJ

    So a SVCB spec that combines as many of the existing steps as possible, and we keep '156/HTTPS for web stuff

  756. Wojtek has left

  757. moparisthebest

    yea I think that's the way to go for sure, downsides are SVCB is so new support lags behind, upsides are https needs it so that'll accelerate adoption :'(

  758. Wojtek has joined

  759. Zash

    https has its own variant, HTTPS

  760. Zash

    As a cynic I have to bet that HTTPS will become widely supported very quickly, while nothing will support SVCB

  761. homebeach has left

  762. Rixon 👁🗨 has left

  763. uhoreg has left

  764. Matthew has left

  765. Half-Shot has left

  766. Half-Shot has joined

  767. Matthew has joined

  768. Rixon 👁🗨 has joined

  769. uhoreg has joined

  770. homebeach has joined

  771. MattJ

    Zash, so obviously everything will only suppo... right

  772. moparisthebest

    it's been too long since I looked at those, need to refresh

  773. moparisthebest

    my current impl is using _xmppq._udp records like '368 but I really really don't want to spec that out in a XEP if it can be avoided at all

  774. djorz has joined

  775. Zash

    MattJ, but that's all right because you can get those records from Google / Cloudflare with DNS over HTTPS!!!111!!!

  776. Zash

    HTTPS all the way down 😭️

  777. Zash

    DNS is HTTPS, TCP is replaced by HTTPS, will they come for IP next?

  778. moparisthebest

    also WebSocket is not coming to http3, it's being replaced by the new hotness, WebTransport

  779. moparisthebest

    so obviously we'll need a XMPP-over-WebTransport also

  780. moparisthebest

    also seen rumblings that WebTransport will replace WebRTC so that'll also be fun

  781. Zash squints at 'Subject: Protocol Action: 'Bootstrapping WebSockets with HTTP/3' to Proposed Standard'

  782. atomicwatch has joined

  783. Andrzej has left

  784. Andrzej has joined

  785. Neustradamus has left

  786. Neustradamus has joined

  787. moparisthebest

    https://w3c.github.io/webtransport/ https://datatracker.ietf.org/doc/html/draft-ietf-webtrans-http3/

  788. Zash


  789. Neustradamus has left

  790. me9 has left

  791. marc0s has left

  792. marc0s has joined

  793. papatutuwawa has left

  794. Neustradamus has joined

  795. վարյա has left

  796. վարյա has joined

  797. Andrzej has left

  798. wladmis has left

  799. wladmis has joined

  800. wladmis has left

  801. wladmis has joined

  802. atomicwatch has left

  803. wladmis has left

  804. wladmis has joined

  805. Andrzej has joined

  806. wladmis has left

  807. atomicwatch has joined

  808. wladmis has joined

  809. floretta has joined

  810. Andrzej has left

  811. Andrzej has joined

  812. ti_gj06 has left

  813. ti_gj06 has joined

  814. wladmis has left

  815. Calvin has left

  816. jgart has joined

  817. adiaholic has left

  818. lskdjf has left

  819. lskdjf has joined

  820. intosi has left

  821. intosi has joined

  822. BASSGOD has left

  823. adiaholic has joined

  824. adiaholic has left

  825. adiaholic has joined

  826. djorz has left

  827. lskdjf has left

  828. Wojtek has left

  829. Wojtek has joined

  830. antranigv has joined

  831. kyemxden has left

  832. kyemxden has joined

  833. floretta has left

  834. wladmis has joined

  835. floretta has joined

  836. me9 has joined

  837. BASSGOD has joined

  838. andrey.g has joined

  839. bean has joined

  840. papatutuwawa has joined

  841. chronosx88 has left

  842. chronosx88 has joined

  843. djorz has joined

  844. chronosx88 has left

  845. chronosx88 has joined

  846. adiaholic has left

  847. norkki has joined

  848. marc0s has left

  849. marc0s has joined

  850. marc0s has left

  851. marc0s has joined

  852. intosi has left

  853. intosi has joined

  854. lskdjf has joined

  855. marc0s has left

  856. marc0s has joined

  857. ti_gj06 has left

  858. bung has joined

  859. intosi has left

  860. intosi has joined

  861. BASSGOD has left

  862. me9 has left

  863. chronosx88 has left

  864. chronosx88 has joined

  865. marc0s has left

  866. marc0s has joined

  867. ti_gj06 has joined

  868. marc0s has left

  869. marc0s has joined

  870. dwd has joined

  871. millesimus has left

  872. millesimus has joined

  873. antranigv has left

  874. marc0s has left

  875. marc0s has joined

  876. arc has joined

  877. lskdjf has left

  878. lskdjf has joined

  879. restive_monk has left

  880. arc has left

  881. arc has joined

  882. intosi has left

  883. Tobias has left

  884. Tobias has joined

  885. intosi has joined

  886. wladmis has left

  887. Guus has left

  888. antranigv has joined

  889. ti_gj06 has left

  890. robertooo has left

  891. rafasaurus has joined

  892. robertooo has joined

  893. wladmis has joined

  894. norkki has left

  895. gooya has left

  896. gooya has joined

  897. BASSGOD has joined

  898. restive_monk has joined

  899. lskdjf has left

  900. lskdjf has joined

  901. dwd has left

  902. intosi has left

  903. intosi has joined

  904. xnamed has left

  905. restive_monk has left

  906. wladmis has left

  907. lskdjf has left

  908. lskdjf has joined

  909. wladmis has joined

  910. wladmis has left

  911. Link Mauve has left

  912. wladmis has joined

  913. uhoreg has left

  914. homebeach has left

  915. Rixon 👁🗨 has left

  916. Matthew has left

  917. Half-Shot has left

  918. Half-Shot has joined

  919. Matthew has joined

  920. Rixon 👁🗨 has joined

  921. uhoreg has joined

  922. homebeach has joined

  923. wladmis has left

  924. wladmis has joined

  925. wladmis has left

  926. Link Mauve has joined

  927. wladmis has joined

  928. lskdjf has left

  929. lskdjf has joined

  930. Wojtek has left

  931. floretta has left

  932. floretta has joined

  933. intosi has left

  934. lskdjf has left

  935. lskdjf has joined

  936. xnamed has joined

  937. pasdesushi has left

  938. millesimus has left

  939. lskdjf has left

  940. lskdjf has joined

  941. marc0s has left

  942. marc0s has joined

  943. lskdjf has left

  944. lskdjf has joined

  945. pasdesushi has joined

  946. վարյա has left

  947. millesimus has joined

  948. atomicwatch has left

  949. bean has left

  950. lskdjf has left

  951. lskdjf has joined

  952. lskdjf has left

  953. lskdjf has joined

  954. lskdjf has left

  955. lskdjf has joined

  956. lskdjf has left

  957. lskdjf has joined

  958. lskdjf has left

  959. lskdjf has joined

  960. lskdjf has left

  961. lskdjf has joined

  962. lskdjf has left

  963. lskdjf has joined

  964. lskdjf has left

  965. lskdjf has joined

  966. lskdjf has left

  967. lskdjf has joined

  968. lskdjf has left

  969. lskdjf has joined

  970. վարյա has joined

  971. lskdjf has left

  972. lskdjf has joined

  973. marc0s has left

  974. marc0s has joined

  975. lskdjf has left

  976. lskdjf has joined

  977. Yagiza has left

  978. lskdjf has left

  979. lskdjf has joined

  980. karoshi has left

  981. atomicwatch has joined

  982. djorz has left

  983. me9 has joined

  984. djorz has joined

  985. msavoritias has left

  986. djorz has left

  987. djorz has joined

  988. lskdjf has left

  989. lskdjf has joined

  990. Andrzej has left

  991. Andrzej has joined

  992. argentum has joined

  993. lskdjf has left

  994. lskdjf has joined

  995. intosi has joined

  996. Link Mauve has left

  997. Link Mauve has joined

  998. wgreenhouse has left

  999. Andrzej has left

  1000. wgreenhouse has joined

  1001. intosi has left

  1002. wgreenhouse has left

  1003. Mikaela has left

  1004. me9 has left

  1005. Andrzej has joined

  1006. ti_gj06 has joined

  1007. norkki has joined

  1008. norkki has left

  1009. վարյա has left

  1010. վարյա has joined

  1011. lskdjf has left

  1012. lskdjf has joined

  1013. lskdjf has left

  1014. lskdjf has joined

  1015. lskdjf has left

  1016. lskdjf has joined

  1017. marc0s has left

  1018. marc0s has joined

  1019. marc0s has left

  1020. marc0s has joined

  1021. wgreenhouse has joined

  1022. marc0s has left

  1023. marc0s has joined

  1024. Andrzej has left

  1025. intosi has joined

  1026. Tobias has left

  1027. lskdjf has left

  1028. lskdjf has joined

  1029. Calvin has joined

  1030. karoshi has joined

  1031. intosi has left

  1032. վարյա has left

  1033. lskdjf has left

  1034. lskdjf has joined

  1035. lskdjf has left

  1036. lskdjf has joined

  1037. Calvin has left

  1038. wgreenhouse has left

  1039. Matthew has left

  1040. Rixon 👁🗨 has left

  1041. uhoreg has left

  1042. homebeach has left

  1043. Half-Shot has left

  1044. Half-Shot has joined

  1045. Matthew has joined

  1046. Rixon 👁🗨 has joined

  1047. uhoreg has joined

  1048. homebeach has joined

  1049. Andrzej has joined

  1050. wgreenhouse has joined

  1051. վարյա has joined

  1052. lskdjf has left

  1053. lskdjf has joined

  1054. wgreenhouse has left

  1055. neshtaxmpp has left

  1056. neshtaxmpp has joined

  1057. marc0s has left

  1058. marc0s has joined

  1059. floretta has left

  1060. floretta has joined

  1061. wgreenhouse has joined

  1062. Menel has left

  1063. ti_gj06 has left

  1064. atomicwatch has left

  1065. adiaholic has joined

  1066. phryk has joined

  1067. gooya has left

  1068. gooya has joined

  1069. moparisthebest

    update about _xmppconnect TXT record, a lot more things than I suspected use this, and so far, all of them are vulnerable to trivial MITM by DNS spoofing

  1070. papatutuwawa has left

  1071. Zash

    modulo how trivial DNS spoofing really is

  1072. moparisthebest

    pretty trivial, no?

  1073. moparisthebest

    but https://datatracker.ietf.org/doc/html/rfc7395#section-4 defines a single way to grab an XML host-meta file, so I think I'll propose littering '156 with warnings and obsoleting it, I'll also create a summary on standards and will be filling 9000 github issues with links to it for the vulnerable projects

  1074. Alex has left

  1075. tykayn has left

  1076. millesimus has left

  1077. Andrzej has left

  1078. jcbrand has left

  1079. intosi has joined

  1080. lskdjf has left

  1081. lskdjf has joined

  1082. floretta has left

  1083. marc0s has left

  1084. marc0s has joined

  1085. intosi has left

  1086. gooya has left

  1087. intosi has joined

  1088. gooya has joined

  1089. goffi has left

  1090. ponymontana has joined

  1091. emus has left

  1092. floretta has joined

  1093. lskdjf has left

  1094. qwestion has joined

  1095. Seve has left

  1096. Seve has joined

  1097. ponymontana has left

  1098. qwestion has left

  1099. ponymontana has joined

  1100. ponymontana has left

  1101. qwestion has joined

  1102. intosi has left

  1103. huhn has left

  1104. intosi has joined

  1105. arc has left

  1106. andrey.g has left

  1107. վարյա has left

  1108. վարյա has joined

  1109. pasdesushi has left

  1110. debacle has left

  1111. debacle has joined

  1112. intosi has left

  1113. intosi has joined

  1114. wurstsalat has left

  1115. moparisthebest

    well whenever the mailing list gets back to me I'll respond with: https://github.com/processone/docs.ejabberd.im/issues/113 https://github.com/JustOxlamon/TwoRatChat/issues/2 https://github.com/poVoq/converse_wp/issues/2 https://github.com/BombusMod/BombusMod/issues/130 https://github.com/hesa2020/Twitch-To-League-by-Hesa/issues/1 https://github.com/xmppjs/xmpp.js/issues/933 https://github.com/tigase/tigase-http-api/issues/8 https://github.com/tigase/tigase-extras/issues/3

  1116. bung has left

  1117. floretta has left

  1118. djorz has left

  1119. floretta has joined

  1120. karoshi has left