XSF Discussion - 2022-02-09


  147. moparisthebest am I missing it somewhere or does the DNS method here have a giant security hole https://xmpp.org/extensions/xep-0156.html ?
  150. moparisthebest you want to connect to example.org, _xmppconnect.example.org tells you to connect to wss://evil.com/xmpp, is that ok?
  151. moparisthebest if you grab host-meta from https://example.org/ that doesn't have the same problem, also if you have DNSSEC on example.org you have no issue, but it doesn't mention either
  183. mdosch Doesn't evil.com still have to present a cert valid for example.org like with normal SRV records?
  197. moparisthebest that would be trustworthy, but XEP-0156 doesn't mention that as far as I see ?
  198. moparisthebest and which domain do you send in SNI ?
  209. moparisthebest I'm also unsure if XEP-0368 is correct in relation to SNI, if example.org 's SRV DNS response is DNSSEC signed and it says xmpp.example.org is the target, which name do you include in SNI ?
  285. mdosch Is this the stuff in RFC7712?
  288. flow moparisthebest, it's the same situation with unauthenticated DNS SRV RRs, isn't it?
  289. flow so you perform the authentication of the XMPP service the same way as you would if it was an unauthenticated DNS SRV RR that pointed you to wss://evil.com/xmpp
  290. flow that is, check if the presented x509 certificate authenticates example.org
  291. Menel The only question is: do the available web clients do it correctly...
  295. flow I wouldn't restrict that question to web clients, websockets are used by others too
  296. jonas’ never!
  297. flow That said, we do a terrible job documenting best practices regarding authentication and authorization in XMPP
  298. flow it appears, as moparisthebest already found, that the related information is scattered around multiple places
  301. Menel If I've time, I'll try to mitm conversejs later this day...
  311. Zash Converse.js doesn't do DNS TXT lookups
  314. Menel Was already doubting if it does, thanks for the info..
  376. emus Hey Board, if one if you wants to be invited as Org Admin too just let me know
  547. moparisthebest flow: with the additional wrinkle of SNI
  549. flow Isn't SNI deprecated in favor of ALPN or so?
  550. flow but in any case, SNI or ALPN, I don't see where the problem is?
  551. moparisthebest What web server lets you configure the domain "evil.com" to be served when you send "example.org" in SNI?
  552. moparisthebest No, both are used
  553. flow so client wants to connect to example.org, via some opaque mechanism, he is told to connect to foo.hosting.org via websocket
  556. flow so without SNI/ALPN he would just check that foo.hosting.org presents a valid cert for example.org (assuming no DNSSEC was involved in the endpoint discovery)
  560. flow I don't remember the details of SNI/ALPN, but isn't it like the client requests to talk to example.org when connecting to foo.hosting.org? and the server at foo.hosting.org tries to present the correct cert with that information sent by the client?
  561. moparisthebest Right, but he has to request the right cert with sni, it's basically "give me the certificate valid for domain X"
  562. moparisthebest Which if we pick the secure way, there is no webserver in the world that implements that
  565. flow ok, but that's a common theme that most TLS thingies that aren't used by HTTP are not widely available in libraries
  566. Guus Doesn't alpn negotiate a protocol to be used over the encrypted connection, while SNI defines a target?
  567. Zash Yes
  568. Zash You use both today
  569. Zash Congratulations on giving OpenSSL responsibility of virtualhost and application dispatching
  570. MattJ moparisthebest, FWIW this is an issue I've known about for a long time, and I thought it was just listed in the security considerations
  573. MattJ I thought there had been previous discussion about it, but I can only find a lonely post from 2011 on the standards list, so... I don't know
  574. flow the "issue" here is that websocket delegation is problematic because websocket servers are likely unable to hand out the correct certificate?
  575. Zash What libraries let you connect to https://xmpp.example.com/bosh and expect a certificate for 'example.net' ?
  578. moparisthebest the libraries aren't as much of an issue as the servers, what server lets you host https://xmpp.example.com/bosh providing a certificate for example.net via SNI ? I'm fairly confident the answer is "none"
  579. Zash Wasn't this one of the things preventing proper SRV support in Thunderbird? NSS just couldn't have a different identity
  580. moparisthebest we can handwave and put in some security considerations telling people to do what we know 0 servers are capable of but... :'(
  581. moparisthebest sending a different name in SNI and Host: has a name, it's called domain-fronting, and apparently XMPP invented it first :)
  582. Zash One name in SNI, a different name in Host:, a third name in <stream to=...>
  583. moparisthebest (also google+amazon ban it from being used on their infrastructure, so anyone in AWS for instance)
  585. moparisthebest so a related but different question, when you get XEP-0368 records over DNSSEC and can therefore allow *either of two* domains in the cert, which single domain do you send in SNI? :/
  586. Zash and if you send SNI: A, do you allow <stream to=B> ?
  587. moparisthebest not specified !
  588. Zash moparisthebest, isn't that mentioned in DANE or DNA or somesuch?
  591. moparisthebest hmm, will see
  592. Zash `SNI: xmpp.example.com._or_.example.com` :evil:
  595. moparisthebest oh, one more thing about websocket, *if* we say send "example.org" in SNI instead of "evil.com", that means you have to have *different* websocket endpoints for DNS advertisement vs host-meta, because a web client certainly can't do that
  596. Zash Can't we just go full DANE, with raw public keys instead of certificates?
  597. moparisthebest Zash, please !!!!
  598. moparisthebest that would solve all problems forever
  599. flow that's crazy talk!
  604. moparisthebest anyway if someone wants to check if you can MITM gajim with a bad _xmppconnect record pointing to the wrong cert before I get to it let me know :) my guess is you can
  605. Zash badxmpp.eu?
  608. Zash but then, BOSH is specified as a proxy which in turn connects to the actual XMPP server, so you'd authenticate the proxy...?
  614. moparisthebest yea I've been focusing on websocket but bosh has the same problem(s)
  615. Zash oh right, ws has an rfc
  617. moparisthebest the RFC gets around this by not specifying the DNS method, other than "look at XEP-0156"
  618. Zash > but the identity to be authenticated is the connection endpoint address instead of the XMPP service domain https://www.rfc-editor.org/rfc/rfc7395.html#section-6
  619. Guus utterly off-topic, but does someone know of a nice DIFF tool (maybe as a website) that is useful to compare two very long lines?
  620. Zash RIP the DNS method (unless DNSSEC) then?
  622. Zash Guus, `wdiff` ?
  623. moparisthebest *because*: > delegation from the XMPP service domain to the connection endpoint address (if any) is accomplished via the discovery method described in Section 4. which only specifies host-meta and is secure delegation when https is used
  625. moparisthebest yes, I unfortunately think the only answer is "_xmppconnect is insecure and cannot be used unless DNSSEC"
  626. moparisthebest "or the host happens to have a single certificate and ignores SNI in which case go for it"
  627. Neustradamus Guus: http://www.aptest.com/standards/htmldiff/htmldiff.pl?oldfile=https://xmpp.org/extensions/attic/xep-0384-0.3.0.html&newfile=https://xmpp.org/extensions/attic/xep-0384-0.8.3.html
  628. Neustradamus But there are missing XEP-XXXX versions on xmpp.org
  632. Neustradamus Guus: Example which works, here: http://www.aptest.com/standards/htmldiff/htmldiff.pl?oldfile=https://xmpp.org/extensions/attic/xep-0384-0.3.0.html&newfile=https://xmpp.org/extensions/attic/xep-0384-0.4.0.html
  637. Neustradamus After several reminders, to get the following, I have opened a ticket here about missing XEP-XXXX versions: https://github.com/xsf/xep-attic/issues/3 :) About the diff tool: https://github.com/xsf/xmpp.org/issues/412, originally posted on the very old (now dead) tracker.xmpp.org JIRA issue tracker, I think 10 years ago.
  641. Guus Thanks Zash. Neustradamus, I have no clue what missing XEPs have to do with my request. It feels to me that you're trying to re-purpose my question to push forward your own agenda - exactly that what I asked you to stop doing.
  643. Neustradamus Guus: The original is the diff website :) You must compare XEP versions, and by extension, I speak about it
  644. Guus I didn't ask about comparing XEP versions at all.
  646. Neustradamus You can compare RFCs, or all others too, it is very easy, I have used it often for many years.
  647. Guus That's nice. It is not what I asked for.
  648. Kev Guus: Sometimes I like a glass of water.
  649. Guus I'm going to get one myself...
  650. Zash ☕️
  651. moparisthebest other than gajim and pidgin, anyone aware of other clients using _xmppconnect ?
  652. moparisthebest maybe I'll ask in jdev...
  683. Daniel Tbh I was never really sure why we even have the DNS method in the first place. From a web client perspective it always seemed more natural to just do it over http
  684. moparisthebest and if you have a client capable of doing DNS + TLS, well then it can also do https ?
  685. Zash There are other things than web clients
  686. MattJ Which of those things can do DNSSEC but not HTTPS?
  687. MattJ (oh, and you need HTTPS for BOSH anyway, so... it's pretty much certain you support it)
  688. moparisthebest nothing can do DNS+TLS and *not* HTTPS, since that is just DNS+TLS
  689. Daniel > (oh, and you need HTTPS for BOSH anyway, so... it's pretty much certain you support it) This
  691. moparisthebest so I'm inclined to put a PR @ '156 to just remove the DNS method, with a note marking it existed, but was impossible to use securely
  692. Zash So why was it TXT only in the beginning?
  693. Zash Who has a time machine to go back to 2005 and ask?
  694. MattJ IIRC it also had a fallback SRV alternative originally?
  696. Daniel > so I'm inclined to put a PR @ '156 to just remove the DNS method, with a note marking it existed, but was impossible to use securely Well DNSSEC could become a thing one day. You know right after we roll out ipv6
  697. Daniel But yes I'm in favor of removing it
  698. MattJ So it was probably not expected to be used solely by web clients, and also CORS and such didn't exist at that point (flXHR was still cool)
  699. moparisthebest yes, it's *only* possible to use securely with DNSSEC, which I'm a big fan of, but that pesky "in practice" thing
  700. Zash When was XHR even invented?
  701. MattJ I think reducing the number of mechanisms in 156 is beneficial anyway
  702. flow moparisthebest, removing a method completely, just because the ecosystem of implementations does not support it, seems a bit harsh. But given that it has a security implication, and that we suspect that there are already vulnerable implementations out there, it sure would be a good idea to mention that in the XEP
  703. moparisthebest well author-wise I think we could probably reach 2 of them
  704. MattJ It's already too much that it supports both XML and JSON encodings
  705. flow Dunno, I see the point in support both XML and JSON
  706. Zash Daniel, maybe if you make Conversations stop preferring IPv4 it won't look like nobody uses IPv6
  707. moparisthebest MattJ, I was thinking that too but thought it might be too much :)
  709. MattJ Currently we have a random selection of (DNS, JSON, XML) for every XMPP service
  710. MattJ Some do all, some do some, some do none
  711. MattJ So it's not like a client can just implement one method and just work
  712. flow <strike>Dunno, I see the point in support both XML and JSON</strike> or maybe not
  713. MattJ and it's not like an operator can only advertise via one method and expect it to just work
  714. MattJ Interoperability is decreased by having so many options, with little to be gained
  715. moparisthebest let's recap, to make an XMPP connection, you must: 1. lookup 2 sets of SRV records 2. lookup 1 TXT record with DNSSEC 3. Grab+parse both a JSON and XML file over HTTPS 4. Grab+parse a JSON file over HTTPS for POSH 5. look up TLSA records over DNSSEC
  716. moparisthebest I might have missed something...
  717. MattJ Very possible :)
  718. Zash You forgot the other JSON file for POSH
  719. moparisthebest oh right, POSH supports 2 different types of redirects right ?
  720. Zash 🤷️
  721. moparisthebest http redirects and also "url in the json file" redirects
  723. moparisthebest and therefore 2 layers of TTL
  724. moparisthebest https://www.moparisthebest.com/images/fine.gif
  726. Zash Wait, did you edit in POSH or were there too many lines for me to see the POSH in?
  727. Zash Hey let's throw DANE in there
  728. moparisthebest no edit, I swear on the XML
  729. moparisthebest I mentioned dane too, TLSA records :)
  730. Zash moparisthebest: Weren't you the one who pushed for the extra set of SRV records???!
  731. moparisthebest and I'm about to push for another !
  732. Zash DANG IT
  733. moparisthebest it's highly tempting to push for 1 connection discovery method that replaces all of these, but that's clearly XKCD territory
  734. Daniel oh til that there is mod_posh for prosody
  735. moparisthebest https://xkcd.com/927/
  737. Zash and I think there's approximately 1 server in the whole universe that it can be used to authenticate
  738. Zash 99% of POSH deployments only have the client file
  739. Daniel there is a server file?
  741. Daniel shocked emoji
  742. moparisthebest I've got c2s and s2s working over both QUIC and WebSocket by the way, that's what brought all this up
  743. moparisthebest I really don't want 2 new methods to discover each but eh, it's hairy
  744. moparisthebest could always resurrect https://xmpp.org/extensions/inbox/hacx.html as the One True Way (tm)
  745. Zash then add 3 more
  747. MattJ moparisthebest, maybe for QUIC require advertisement through SVCB (wait, bear with me!) - and state that if SVCB records are present, don't do anything else??
  750. Zash what if your enterprise/university firewall block UDP port 443?
  751. moparisthebest MattJ, yep, and SVCB could also advertise at least starttls and direct tls too
  752. moparisthebest *maybe* websocket
  753. MattJ Exactly
  755. MattJ So a SVCB spec that combines as many of the existing steps as possible, and we keep '156/HTTPS for web stuff
  757. moparisthebest yea I think that's the way to go for sure, downsides are SVCB is so new that support lags behind, upsides are https needs it so that'll accelerate adoption :'(
  759. Zash https has its own variant, HTTPS
  760. Zash As a cynic I have to bet that HTTPS will become widely supported very quickly, while nothing will support SVCB
  771. MattJ Zash, so obviously everything will only suppo... right
  772. moparisthebest it's been too long since I looked at those, need to refresh
  773. moparisthebest my current impl is using _xmppq._udp records like '368 but I really really don't want to spec that out in an XEP if it can be avoided at all
  775. Zash MattJ, but that's all right because you can get those records from Google / Cloudflare with DNS over HTTPS!!!111!!!
  776. Zash HTTPS all the way down 😭️
  777. Zash DNS is HTTPS, TCP is replaced by HTTPS, will they come for IP next?
  778. moparisthebest also WebSocket is not coming to HTTP/3, it's being replaced by the new hotness, WebTransport
  779. moparisthebest so obviously we'll need an XMPP-over-WebTransport also
  780. moparisthebest also seen rumblings that WebTransport will replace WebRTC so that'll also be fun
  781. Zash squints at 'Subject: Protocol Action: 'Bootstrapping WebSockets with HTTP/3' to Proposed Standard'
  782. atomicwatch has joined
  783. Andrzej has left
  784. Andrzej has joined
  785. Neustradamus has left
  786. Neustradamus has joined
  787. moparisthebest https://w3c.github.io/webtransport/ https://datatracker.ietf.org/doc/html/draft-ietf-webtrans-http3/
  788. Zash STAHP
  789. Neustradamus has left
  790. me9 has left
  791. marc0s has left
  792. marc0s has joined
  793. papatutuwawa has left
  794. Neustradamus has joined
  795. վարյա has left
  796. վարյա has joined
  797. Andrzej has left
  798. wladmis has left
  799. wladmis has joined
  800. wladmis has left
  801. wladmis has joined
  802. atomicwatch has left
  803. wladmis has left
  804. wladmis has joined
  805. Andrzej has joined
  806. wladmis has left
  807. atomicwatch has joined
  808. wladmis has joined
  809. floretta has joined
  810. Andrzej has left
  811. Andrzej has joined
  812. ti_gj06 has left
  813. ti_gj06 has joined
  814. wladmis has left
  815. Calvin has left
  816. jgart has joined
  817. adiaholic has left
  818. lskdjf has left
  819. lskdjf has joined
  820. intosi has left
  821. intosi has joined
  822. BASSGOD has left
  823. adiaholic has joined
  824. adiaholic has left
  825. adiaholic has joined
  826. djorz has left
  827. lskdjf has left
  828. Wojtek has left
  829. Wojtek has joined
  830. antranigv has joined
  831. kyemxden has left
  832. kyemxden has joined
  833. floretta has left
  834. wladmis has joined
  835. floretta has joined
  836. me9 has joined
  837. BASSGOD has joined
  838. andrey.g has joined
  839. bean has joined
  840. papatutuwawa has joined
  841. chronosx88 has left
  842. chronosx88 has joined
  843. djorz has joined
  844. chronosx88 has left
  845. chronosx88 has joined
  846. adiaholic has left
  847. norkki has joined
  848. marc0s has left
  849. marc0s has joined
  850. marc0s has left
  851. marc0s has joined
  852. intosi has left
  853. intosi has joined
  854. lskdjf has joined
  855. marc0s has left
  856. marc0s has joined
  857. ti_gj06 has left
  858. bung has joined
  859. intosi has left
  860. intosi has joined
  861. BASSGOD has left
  862. me9 has left
  863. chronosx88 has left
  864. chronosx88 has joined
  865. marc0s has left
  866. marc0s has joined
  867. ti_gj06 has joined
  868. marc0s has left
  869. marc0s has joined
  870. dwd has joined
  871. millesimus has left
  872. millesimus has joined
  873. antranigv has left
  874. marc0s has left
  875. marc0s has joined
  876. arc has joined
  877. lskdjf has left
  878. lskdjf has joined
  879. restive_monk has left
  880. arc has left
  881. arc has joined
  882. intosi has left
  883. Tobias has left
  884. Tobias has joined
  885. intosi has joined
  886. wladmis has left
  887. Guus has left
  888. antranigv has joined
  889. ti_gj06 has left
  890. robertooo has left
  891. rafasaurus has joined
  892. robertooo has joined
  893. wladmis has joined
  894. norkki has left
  895. gooya has left
  896. gooya has joined
  897. BASSGOD has joined
  898. restive_monk has joined
  899. lskdjf has left
  900. lskdjf has joined
  901. dwd has left
  902. intosi has left
  903. intosi has joined
  904. xnamed has left
  905. restive_monk has left
  906. wladmis has left
  907. lskdjf has left
  908. lskdjf has joined
  909. wladmis has joined
  910. wladmis has left
  911. Link Mauve has left
  912. wladmis has joined
  913. uhoreg has left
  914. homebeach has left
  915. Rixon 👁🗨 has left
  916. Matthew has left
  917. Half-Shot has left
  918. Half-Shot has joined
  919. Matthew has joined
  920. Rixon 👁🗨 has joined
  921. uhoreg has joined
  922. homebeach has joined
  923. wladmis has left
  924. wladmis has joined
  925. wladmis has left
  926. Link Mauve has joined
  927. wladmis has joined
  928. lskdjf has left
  929. lskdjf has joined
  930. Wojtek has left
  931. floretta has left
  932. floretta has joined
  933. intosi has left
  934. lskdjf has left
  935. lskdjf has joined
  936. xnamed has joined
  937. pasdesushi has left
  938. millesimus has left
  939. lskdjf has left
  940. lskdjf has joined
  941. marc0s has left
  942. marc0s has joined
  943. lskdjf has left
  944. lskdjf has joined
  945. pasdesushi has joined
  946. վարյա has left
  947. millesimus has joined
  948. atomicwatch has left
  949. bean has left
  950. lskdjf has left
  951. lskdjf has joined
  952. lskdjf has left
  953. lskdjf has joined
  954. lskdjf has left
  955. lskdjf has joined
  956. lskdjf has left
  957. lskdjf has joined
  958. lskdjf has left
  959. lskdjf has joined
  960. lskdjf has left
  961. lskdjf has joined
  962. lskdjf has left
  963. lskdjf has joined
  964. lskdjf has left
  965. lskdjf has joined
  966. lskdjf has left
  967. lskdjf has joined
  968. lskdjf has left
  969. lskdjf has joined
  970. վարյա has joined
  971. lskdjf has left
  972. lskdjf has joined
  973. marc0s has left
  974. marc0s has joined
  975. lskdjf has left
  976. lskdjf has joined
  977. Yagiza has left
  978. lskdjf has left
  979. lskdjf has joined
  980. karoshi has left
  981. atomicwatch has joined
  982. djorz has left
  983. me9 has joined
  984. djorz has joined
  985. msavoritias has left
  986. djorz has left
  987. djorz has joined
  988. lskdjf has left
  989. lskdjf has joined
  990. Andrzej has left
  991. Andrzej has joined
  992. argentum has joined
  993. lskdjf has left
  994. lskdjf has joined
  995. intosi has joined
  996. Link Mauve has left
  997. Link Mauve has joined
  998. wgreenhouse has left
  999. Andrzej has left
  1000. wgreenhouse has joined
  1001. intosi has left
  1002. wgreenhouse has left
  1003. Mikaela has left
  1004. me9 has left
  1005. Andrzej has joined
  1006. ti_gj06 has joined
  1007. norkki has joined
  1008. norkki has left
  1009. վարյա has left
  1010. վարյա has joined
  1011. lskdjf has left
  1012. lskdjf has joined
  1013. lskdjf has left
  1014. lskdjf has joined
  1015. lskdjf has left
  1016. lskdjf has joined
  1017. marc0s has left
  1018. marc0s has joined
  1019. marc0s has left
  1020. marc0s has joined
  1021. wgreenhouse has joined
  1022. marc0s has left
  1023. marc0s has joined
  1024. Andrzej has left
  1025. intosi has joined
  1026. Tobias has left
  1027. lskdjf has left
  1028. lskdjf has joined
  1029. Calvin has joined
  1030. karoshi has joined
  1031. intosi has left
  1032. վարյա has left
  1033. lskdjf has left
  1034. lskdjf has joined
  1035. lskdjf has left
  1036. lskdjf has joined
  1037. Calvin has left
  1038. wgreenhouse has left
  1039. Matthew has left
  1040. Rixon 👁🗨 has left
  1041. uhoreg has left
  1042. homebeach has left
  1043. Half-Shot has left
  1044. Half-Shot has joined
  1045. Matthew has joined
  1046. Rixon 👁🗨 has joined
  1047. uhoreg has joined
  1048. homebeach has joined
  1049. Andrzej has joined
  1050. wgreenhouse has joined
  1051. վարյա has joined
  1052. lskdjf has left
  1053. lskdjf has joined
  1054. wgreenhouse has left
  1055. neshtaxmpp has left
  1056. neshtaxmpp has joined
  1057. marc0s has left
  1058. marc0s has joined
  1059. floretta has left
  1060. floretta has joined
  1061. wgreenhouse has joined
  1062. Menel has left
  1063. ti_gj06 has left
  1064. atomicwatch has left
  1065. adiaholic has joined
  1066. phryk has joined
  1067. gooya has left
  1068. gooya has joined
  1069. moparisthebest update about the _xmppconnect TXT record: a lot more things than I suspected use this, and so far all of them are vulnerable to trivial MITM by DNS spoofing
  1070. papatutuwawa has left
  1071. Zash modulo how trivial DNS spoofing really is
  1072. moparisthebest pretty trivial, no?
  1073. moparisthebest but https://datatracker.ietf.org/doc/html/rfc7395#section-4 defines a single way to grab an XML host-meta file, so I think I'll propose littering '156 with warnings and obsoleting it. I'll also create a summary on standards and will be filing 9000 GitHub issues with links to it for the vulnerable projects
  1074. Alex has left
  1075. tykayn has left
  1076. millesimus has left
  1077. Andrzej has left
  1078. jcbrand has left
  1079. intosi has joined
  1080. lskdjf has left
  1081. lskdjf has joined
  1082. floretta has left
  1083. marc0s has left
  1084. marc0s has joined
  1085. intosi has left
  1086. gooya has left
  1087. intosi has joined
  1088. gooya has joined
  1089. goffi has left
  1090. ponymontana has joined
  1091. emus has left
  1092. floretta has joined
  1093. lskdjf has left
  1094. qwestion has joined
  1095. Seve has left
  1096. Seve has joined
  1097. ponymontana has left
  1098. qwestion has left
  1099. ponymontana has joined
  1100. ponymontana has left
  1101. qwestion has joined
  1102. intosi has left
  1103. huhn has left
  1104. intosi has joined
  1105. arc has left
  1106. andrey.g has left
  1107. վարյա has left
  1108. վարյա has joined
  1109. pasdesushi has left
  1110. debacle has left
  1111. debacle has joined
  1112. intosi has left
  1113. intosi has joined
  1114. wurstsalat has left
  1115. moparisthebest well, whenever the mailing list gets back to me I'll respond with: https://github.com/processone/docs.ejabberd.im/issues/113 https://github.com/JustOxlamon/TwoRatChat/issues/2 https://github.com/poVoq/converse_wp/issues/2 https://github.com/BombusMod/BombusMod/issues/130 https://github.com/hesa2020/Twitch-To-League-by-Hesa/issues/1 https://github.com/xmppjs/xmpp.js/issues/933 https://github.com/tigase/tigase-http-api/issues/8 https://github.com/tigase/tigase-extras/issues/3
  1116. bung has left
  1117. floretta has left
  1118. djorz has left
  1119. floretta has joined
  1120. karoshi has left