XSF Discussion - 2022-05-24


  1. Kev has left

  2. thilo.molitor has left

  3. thilo.molitor has joined

  4. qwestion has left

  5. floretta has left

  6. floretta has joined

  7. qwestion has joined

  8. restive_monk has left

  9. վարյա has left

  10. վարյա has joined

  11. qwestion has left

  12. gooya has left

  13. andrey.g has left

  14. thilo.molitor has left

  15. sbach has left

  16. sbach has joined

  17. thilo.molitor has joined

  18. Kev has joined

  19. adiaholic has joined

  20. adiaholic has left

  21. qwestion has joined

  22. neshtaxmpp has left

  23. neshtaxmpp has joined

  24. sbach has left

  25. qwestion has left

  26. restive_monk has joined

  27. Kev has left

  28. sbach has joined

  29. qwestion has joined

  30. neshtaxmpp has left

  31. neshtaxmpp has joined

  32. sbach has left

  33. qwestion has left

  34. sbach has joined

  35. sbach has left

  36. sbach has joined

  37. rumin-miller has joined

  38. restive_monk has left

  39. rumin-miller has left

  40. qwestion has joined

  41. Mx2 has left

  42. qwestion has left

  43. Kev has joined

  44. վարյա has left

  45. վարյա has joined

  46. qwestion has joined

  47. adiaholic has joined

  48. sbach has left

  49. sbach has joined

  50. neshtaxmpp has left

  51. qwestion has left

  52. Kev has left

  53. qwestion has joined

  54. adiaholic has left

  55. qwestion has left

  56. thilo.molitor has left

  57. Mx2 has joined

  58. thilo.molitor has joined

  59. adiaholic has joined

  60. adiaholic has left

  61. rubi has left

  62. qwestion has joined

  63. qwestion has left

  64. վարյա has left

  65. վարյա has joined

  66. adiaholic has joined

  67. rubi has joined

  68. Steve Kille has left

  69. Steve Kille has joined

  70. rubi has left

  71. adiaholic has left

  72. rubi has joined

  73. pablo has joined

  74. Kev has joined

  75. qwestion has joined

  76. adiaholic has joined

  77. harry837374884 has left

  78. qwestion has left

  79. millesimus has left

  80. floretta has left

  81. floretta has joined

  82. harry837374884 has joined

  83. Kev has left

  84. Mx2 has left

  85. Mx2 has joined

  86. millesimus has joined

  87. adiaholic has left

  88. jgart has joined

  89. sbach has left

  90. sbach has joined

  91. sbach has left

  92. sbach has joined

  93. adiaholic has joined

  94. thilo.molitor has left

  95. thilo.molitor has joined

  96. Yagiza has joined

  97. pablo has left

  98. Mx2 has left

  99. Mx2 has joined

  100. Calvin has left

  101. Mx2 has left

  102. Mx2 has joined

  103. վարյա has left

  104. վարյա has joined

  105. Kev has joined

  106. adiaholic has left

  107. adiaholic has joined

  108. adiaholic has left

  109. adiaholic has joined

  110. Kev has left

  111. վարյա has left

  112. վարյա has joined

  113. qwestion has joined

  114. debacle has joined

  115. qwestion has left

  116. adiaholic has left

  117. sbach has left

  118. sbach has joined

  119. adiaholic has joined

  120. Seve has joined

  121. qwestion has joined

  122. Calvin has joined

  123. menel has joined

  124. neshtaxmpp has joined

  125. adiaholic has left

  126. jcbrand has left

  127. qwestion has left

  128. adiaholic has joined

  129. Sam has left

  130. Calvin has left

  131. Sam has joined

  132. Kev has joined

  133. qwestion has joined

  134. qwestion has left

  135. marc0s has left

  136. marc0s has joined

  137. Tobias has joined

  138. Tobias has left

  139. Tobias has joined

  140. floretta has left

  141. floretta has joined

  142. Kev has left

  143. adiaholic has left

  144. վարյա has left

  145. վարյա has joined

  146. adiaholic has joined

  147. marc0s has left

  148. marc0s has joined

  149. sbach has left

  150. adiaholic has left

  151. Tobias has left

  152. Tobias has joined

  153. qwestion has joined

  154. qwestion has left

  155. sbach has joined

  156. վարյա has left

  157. վարյա has joined

  158. debacle has left

  159. qwestion has joined

  160. adiaholic has joined

  161. Kev has joined

  162. adiaholic has left

  163. qwestion has left

  164. harry837374884 has left

  165. Sam has left

  166. Sam has joined

  167. qwestion has joined

  168. adiaholic has joined

  169. neshtaxmpp has left

  170. neshtaxmpp has joined

  171. konstantinos has joined

  172. Kev has left

  173. adiaholic has left

  174. qwestion has left

  175. Steve Kille has left

  176. Steve Kille has joined

  177. Seve has left

  178. harry837374884 has joined

  179. Half-Shot has left

  180. homebeach has left

  181. Matthew has left

  182. uhoreg has left

  183. Half-Shot has joined

  184. Matthew has joined

  185. homebeach has joined

  186. uhoreg has joined

  187. Sam has left

  188. adiaholic has joined

  189. Paganini has left

  190. emus has joined

  191. Sam has joined

  192. msavoritias has joined

  193. debacle has joined

  194. yushyin has left

  195. rebeld22 has left

  196. Sam has left

  197. Tobias has left

  198. Tobias has joined

  199. Tobias has left

  200. Tobias has joined

  201. wurstsalat has left

  202. Tobias has left

  203. Tobias has joined

  204. sbach has left

  205. Tobias has left

  206. Tobias has joined

  207. karoshi has joined

  208. Sam has joined

  209. Seve has joined

  210. sbach has joined

  211. Sam has left

  212. Kev has joined

  213. jcbrand has joined

  214. yushyin has joined

  215. adiaholic has left

  216. sbach has left

  217. sbach has joined

  218. MattJ

    moparisthebest: sounds fine to me, but - why?

  219. sbach has left

  220. sbach has joined

  221. Sam has joined

  222. goffi has joined

  223. djorz has joined

  224. adiaholic has joined

  225. vanitasvitae has left

  226. vanitasvitae has joined

  227. atomicwatch has left

  228. adiaholic has left

  229. jonas’

    moparisthebest, to me, at least one canonical way to discover QUIC connectivity (e.g. SRV records) would seem sensible

  230. konstantinos has left

  231. Kev has left

  232. Fishbowler has left

  233. Fishbowler has joined

  234. msavoritias has left

  235. Sam has left

  236. msavoritias has joined

  237. msavoritias has left

  238. msavoritias has joined

  239. adiaholic has joined

  240. wurstsalat has joined

  241. djorz has left

  242. atomicwatch has joined

  243. Kev has joined

  244. adiaholic has left

  245. djorz has joined

  246. rion has joined

  247. adiaholic has joined

  248. Sam has joined

  249. nikhilmwarrier has joined

  250. Kev has left

  251. neshtaxmpp has left

  252. neshtaxmpp has joined

  253. adiaholic has left

  254. floretta has left

  255. adiaholic has joined

  256. Fishbowler has left

  257. Fishbowler has joined

  258. lskdjf has joined

  259. marc has joined

  260. djorz has left

  261. Maranda_ has joined

  262. floretta has joined

  263. Fishbowler has left

  264. Fishbowler has joined

  265. stp has joined

  266. qwestion has joined

  267. djorz has joined

  268. chipmnk has joined

  269. Andrzej has joined

  270. chipmnk has left

  271. nikhilmwarrier has left

  272. nikhilmwarrier has joined

  273. qwestion has left

  274. floretta has left

  275. floretta has joined

  276. Alex has joined

  277. SteveF has joined

  278. adiaholic has left

  279. Maranda_ has left

  280. Kev has joined

  281. stp has left

  282. djorz has left

  283. adiaholic has joined

  284. stp has joined

  285. qwestion has joined

  286. Andrzej has left

  287. djorz has joined

  288. bean has joined

  289. adiaholic has left

  290. marc has left

  291. Maskugatiger has joined

  292. marc has joined

  293. marc has left

  294. emus has left

  295. konstantinos has joined

  296. djorz has left

  297. adiaholic has joined

  298. Tobias has left

  299. Tobias has joined

  300. qwestion has left

  301. marc has joined

  302. adiaholic has left

  303. debacle has left

  304. adiaholic has joined

  305. floretta has left

  306. stp has left

  307. stp has joined

  308. adiaholic has left

  309. Maskugatiger has left

  310. Tim R has joined

  311. karoshi has left

  312. msavoritias has left

  313. thndrbvr has left

  314. thndrbvr has joined

  315. adiaholic has joined

  316. karoshi has joined

  317. վարյա has left

  318. վարյա has joined

  319. floretta has joined

  320. adiaholic has left

  321. msavoritias has joined

  322. xnamed has joined

  323. floretta has left

  324. qwestion has joined

  325. Sam has left

  326. sbach has left

  327. sbach has joined

  328. qwestion has left

  329. sbach has left

  330. sbach has joined

  331. sbach has left

  332. sbach has joined

  333. neshtaxmpp has left

  334. neshtaxmpp has joined

  335. qwestion has joined

  336. msavoritias has left

  337. Wojtek has joined

  338. qwestion has left

  339. emus has joined

  340. harry837374884 has left

  341. adiaholic has joined

  342. harry837374884 has joined

  343. msavoritias has joined

  344. qwestion has joined

  345. gooya has joined

  346. floretta has joined

  347. adiaholic has left

  348. Sam has joined

  349. adiaholic has joined

  350. qwestion has left

  351. վարյա has left

  352. վարյա has joined

  353. qwestion has joined

  354. qwestion has left

  355. debacle has joined

  356. konstantinos has left

  357. Sam has left

  358. karoshi has left

  359. qwestion has joined

  360. nikhilmwarrier has left

  361. nikhilmwarrier has joined

  362. Steve Kille has left

  363. Steve Kille has joined

  364. Steve Kille has left

  365. Steve Kille has joined

  366. vanitasvitae has left

  367. qwestion has left

  368. Steve Kille has left

  369. Steve Kille has joined

  370. qwestion has joined

  371. qwestion has left

  372. qwestion has joined

  373. Steve Kille has left

  374. Steve Kille has joined

  375. qwestion has left

  376. menel has left

  377. վարյա has left

  378. վարյա has joined

  379. restive_monk has joined

  380. qwestion has joined

  381. sbach has left

  382. sbach has joined

  383. qwestion has left

  384. qwestion has joined

  385. qwestion has left

  386. qwestion has joined

  387. qwestion has left

  388. lovetox has left

  389. karoshi has joined

  390. qwestion has joined

  391. konstantinos has joined

  392. qwestion has left

  393. harry837374884 has left

  394. Dele Olajide has joined

  395. lovetox has joined

  396. qwestion has joined

  397. qwestion has left

  398. harry837374884 has joined

  399. menel has joined

  400. neshtaxmpp has left

  401. neshtaxmpp has joined

  402. antranigv has joined

  403. lovetox has left

  404. adiaholic has left

  405. vanitasvitae has joined

  406. lovetox has joined

  407. adiaholic has joined

  408. msavoritias has left

  409. adiaholic has left

  410. menel has left

  411. menel has joined

  412. floretta has left

  413. Sam has joined

  414. adiaholic has joined

  415. Fishbowler has left

  416. adiaholic has left

  417. qwestion has joined

  418. Fishbowler has joined

  419. SteveF has left

  420. SteveF has joined

  421. antranigv has left

  422. SteveF has left

  423. SteveF has joined

  424. antranigv has joined

  425. Steve Kille has left

  426. Steve Kille has joined

  427. Steve Kille has left

  428. Steve Kille has joined

  429. վարյա has left

  430. վարյա has joined

  431. qwestion has left

  432. floretta has joined

  433. Sam has left

  434. Sam has joined

  435. msavoritias has joined

  436. vanitasvitae has left

  437. Wojtek has left

  438. msavoritias has left

  439. qwestion has joined

  440. Wojtek has joined

  441. neshtaxmpp has left

  442. neshtaxmpp has joined

  443. chipmnk has joined

  444. nikhilmwarrier has left

  445. qwestion has left

  446. qwestion has joined

  447. qwestion has left

  448. qwestion has joined

  449. sbach has left

  450. sbach has joined

  451. sbach has left

  452. sbach has joined

  453. adiaholic has joined

  454. qwestion has left

  455. qwestion has joined

  456. adiaholic has left

  457. wgreenhouse has left

  458. Vidak has left

  459. qwestion has left

  460. qwestion has joined

  461. wgreenhouse has joined

  462. adiaholic has joined

  463. vanitasvitae has joined

  464. qwestion has left

  465. theoneping has joined

  466. pablo has joined

  467. theoneping has left

  468. adiaholic has left

  469. qwestion has joined

  470. qwestion has left

  471. վարյա has left

  472. վարյա has joined

  473. qwestion has joined

  474. moparisthebest

    because the canonical way will be in (hopefully) xep-0156

  475. konstantinos has left

  476. pablo has left

  477. Zash

    > is there precedent Like, the core RFC defining both the TCP binding and the SRV discovery method?

  478. qwestion has left

  479. menel has left

  480. moparisthebest

    no, the opposite, *not* defining port binding or discovery, just saying "that's defined in $other-xep"

  481. menel has joined

  482. restive_monk has left

  483. antranigv has left

  484. antranigv has joined

  485. sbach has left

  486. sbach has joined

  487. qwestion has joined

  488. raghavgururajan has joined

  489. վարյա has left

  490. վարյա has joined

  491. nikhilmwarrier has joined

  492. restive_monk has joined

  493. Mx2 has left

  494. antranigv has left

  495. antranigv has joined

  496. harry837374884 has left

  497. neshtaxmpp has left

  498. neshtaxmpp has joined

  499. eevvoor has left

  500. antranigv has left

  501. qwestion has left

  502. eevvoor has joined

  503. antranigv has joined

  504. harry837374884 has joined

  505. msavoritias has joined

  506. Calvin has joined

  507. konstantinos has joined

  508. antranigv has left

  509. Sam has left

  510. Dele Olajide has left

  511. adiaholic has joined

  512. Sam has joined

  513. Mx2 has joined

  514. վարյա has left

  515. վարյա has joined

  516. neshtaxmpp has left

  517. chipmnk has left

  518. chipmnk has joined

  519. neshtaxmpp has joined

  520. Sam has left

  521. Sam has joined

  522. վարյա has left

  523. վարյա has joined

  524. antranigv has joined

  525. restive_monk has left

  526. jinxd has joined

  527. antranigv has left

  528. Paganini has joined

  529. rebeld22 has joined

  530. վարյա has left

  531. վարյա has joined

  532. sbach has left

  533. sbach has joined

  534. msavoritias has left

  535. neshtaxmpp has left

  536. neshtaxmpp has joined

  537. raghavgururajan has left

  538. restive_monk has joined

  539. antranigv has joined

  540. antranigv has left

  541. վարյա has left

  542. վարյա has joined

  543. raghavgururajan has joined

  544. antranigv has joined

  545. վարյա has left

  546. վարյա has joined

  547. վարյա has left

  548. վարյա has joined

  549. msavoritias has joined

  550. konstantinos has left

  551. nikhilmwarrier has left

  552. adiaholic has left

  553. restive_monk has left

  554. adiaholic has joined

  555. Vidak has joined

  556. msavoritias has left

  557. Titi has left

  558. atomicwatch has left

  559. atomicwatch has joined

  560. Sam has left

  561. վարյա has left

  562. վարյա has joined

  563. Sam has joined

  564. nikhilmwarrier has joined

  565. Thilo Molitor has left

  566. Thilo Molitor has joined

  567. karoshi has left

  568. karoshi has joined

  569. moparisthebest

    very interesting XMPP vuln in Zoom's implementation https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

  570. karoshi has left

  571. Sam has left

  572. sbach has left

  573. sbach has joined

  574. karoshi has joined

  575. sbach has left

  576. sbach has joined

  577. konstantinos has joined

  578. Sam has joined

  579. restive_monk has joined

  580. pablo has joined

  581. adiaholic has left

  582. floretta has left

  583. Sam has left

  584. Sam has joined

  585. konstantinos has left

  586. adiaholic has joined

  587. restive_monk has left

  588. msavoritias has joined

  589. emus

    moparisthebest: is that something that should have attention from our side?

  590. floretta has joined

  591. sbach has left

  592. sbach has joined

  593. Sam has left

  594. pablo has left

  595. vanitasvitae

    The XML parser stuff might be interesting

  596. vanitasvitae

    As the stanza smuggling attack could also be used on other clients

  597. vanitasvitae

    /servers

  598. Sam has joined

  599. flow

    It appears that Gloox rolled much of its Unicode and XML parsing code itself, which makes such vulnerabilities more likely. Not using existing libs may be fine if you target constraint low-end embedded devices. But the Zoom client typically runs on none of those

  600. vanitasvitae

    Ah, I thought gloox was an XML parser lib, not an XMPP client library :D

  601. vanitasvitae

    Well, apparently its both :P

  602. flow

    If we want to spin the story away from "XMPP is so complicated because it uses Unicode and XML, hence there are such security issues", then we should point out that there are robust, sound, and battle tested libraries for the heavy-lifting of the low-level stuff, which, if used, make such issues much less likely

  603. flow

    In fact the Project Zero report even mentions (and praises) ejabberd for its validation

  604. antranigv has left

  605. pablo has joined

  606. antranigv has joined

  607. restive_monk has joined

  608. djorz has joined

  609. derdaniel has joined

  610. adiaholic has left

  611. coleman has left

  612. antranigv has left

  613. antranigv has joined

  614. adiaholic has joined

  615. derdaniel

    moparisthebest: am I remembering this correctly that you had some quic to xmpp c2s termination proxy thing?

  616. derdaniel has left

  617. Daniel has joined

  618. moparisthebest

    flow, idk seems like most of our vulns have been *because* of using existing XML libs that support way-more-than-XMPP-needs

  619. Daniel

    A found it. Never mind

  620. moparisthebest

    yep https://github.com/moparisthebest/xmpp-proxy

  621. Sam

    > Client messages are sent over the same stream connection as control messages from the server. This specifically interests me and is something I've thought about separating in the past. Maybe multiplexed quic streams could do this as an additional separation if security

  622. antranigv has left

  623. xecks has left

  624. xecks has joined

  625. sbach has left

  626. sbach has joined

  627. Daniel

    Maybe that's a naive question but would we use raw quic or rather something bosh over HTTP/3?

  628. jonas’

    the former

  629. jonas’

    use QUIC as a modern replacement for TCP+TLS

  630. jonas’

    don't stuff HTTP in there, that's just needless overhead

  631. moparisthebest

    I think ^ until websockets-over-http3 is standardized and then we can use that to evade the evil firewalls

  632. jonas’

    aaand here I'm sad again

  633. moparisthebest

    what's sad about that? a client tries to connect all the ways, it'd probably prefer plain QUIC, but if blocked, go to other methods?

  634. jonas’

    I'd rather have clients take a pickaxe and smash that firewall to pieces

  635. jonas’

    *ahem*

  636. moparisthebest

    I can't disagree with that

  637. jonas’

    also, all the good technology going to waste just because some idiot firewalls

  638. moparisthebest

    *but* XMPP has to *just work* like Signal does, users are uninterested with long explanations about how they should talk to their network administrator

  639. jonas’

    so much damage for nothing

  640. jonas’

    see, I'll rather clean the kitchen than continuing to think about this

  641. moparisthebest

    I'm curious to see if QUIC/http3 itself will actually ever make it through firewalls

  642. Daniel

    So what are the bits (roughly) that a xep would have to specify?

  643. moparisthebest

    I reckon a ton of networks currently block UDP on port 443

  644. jonas’

    moparisthebest, google will make it happen, one way or another

  645. jonas’

    "hey enterprise, you're using gmail corporate, right? well it will stop working if you don't allowlist udp 443"

  646. debacle has left

  647. debacle has joined

  648. moparisthebest

    Daniel, honestly hardly anything, tl;dr "connect and validate cert like TLS, use bi-directional streams only, each stream is treated as already authenticated as the cert implies, open as many as you want for 'different connections', use connection roaming if you can </eof>"

  649. antranigv has joined

  650. djorz has left

  651. moparisthebest

    in some future where google has ensured UDP on 443 always works we could recommend not using stream-management but I think we are far off there (for when you are disconnected and can only connect back over TCP+TLS)

  652. Daniel

    So there wouldn't be any type of a stanza is a frame or something like that? (asking as someone who doesn't know what a frame is)

  653. Steve Kille has left

  654. moparisthebest

    nope, to application code it's identical to a TCP stream

  655. nikhilmwarrier has left

  656. moparisthebest

    there are other types of "transports" you can use under a QUIC session but I think they are uninteresting for XMPP, there are one-way streams for instance

  657. Daniel

    ok. i thought that maybe 'frames' could take over some part of stream managment acks or so

  658. Dele Olajide has joined

  659. restive_monk has left

  660. Zash

    My instinct would be that those are orthogonal things at different layers.

  661. moparisthebest

    https://docs.rs/quinn/latest/quinn/struct.Connection.html#method.send_datagram

  662. moparisthebest

    that's the other thing you can do besides bi-directional and uni-directional streams

  663. moparisthebest

    but it's basically sending a UDP packet, un-ordered, no guarantees on delivery, must be "small enough"

  664. moparisthebest

    Daniel, after tying up some loose ends and writing the XEPs I plan to try to expose xmpp-proxy as a java library and make it take over for Conversation's network code, giving it the ability to do QUIC and Websockets all in one go, no idea how this will work out though :)

  665. moparisthebest

    it sounds like one of those things that is easier said than done

  666. Steve Kille has joined

  667. Dele Olajide has left

  668. Dele Olajide has joined

  669. Dele Olajide has left

  670. Dele Olajide has joined

  671. debacle has left

  672. floretta has left

  673. neshtaxmpp has left

  674. neshtaxmpp has joined

  675. restive_monk has joined

  676. flow

    Daniel, I'd expect XMPP over QUIC feels just like XMPP over TCP+TLS

  677. flow

    so instead of a TlsSocket where you shove raw bytes into and read from, you have a QuickSocket

  678. flow

    you'd still want to use stream mangement, even if QUIC provides this functionality already, if you want to be able to resume a stream over a different transport mechanism

  679. moparisthebest

    yep ^

  680. flow

    of course you could re-use QUIC resumption is your transport stays QUIC during a connectivity change

  681. moparisthebest

    so do we know of any XMPP clients that use gloox ? or that parse ascii vs UTF-8 ? seems like this attack is generic in that way

  682. Daniel

    > so instead of a TlsSocket where you shove raw bytes into and read from, you have a QuickSocket That's what I initially hoped but the existing Java quic libraries make this all look a little bit more complex than that

  683. jinxd has left

  684. flow

    isn't there just one QUIC library for java?

  685. moparisthebest

    you have to be careful searching for them, old ones say QUIC but mean HTTP3 because that's what it was before it was re-named

  686. flow

    moparisthebest, fwiw, these are the reverse dependencies of gloox that ::gentoo nows: https://qa-reports.gentoo.org/output/genrdeps/rindex/net-libs/gloox

  687. adiaholic has left

  688. flow

    you could probably do a similar search for e.g. debian packages

  689. restive_monk has left

  690. djorz has joined

  691. Daniel

    > isn't there just one QUIC library for java? flow: maybe? Which one are you talking about?

  692. Dele Olajide has left

  693. adiaholic has joined

  694. moparisthebest

    hmm gloox hasn't had an update since 2020, wonder if it's still developed or if they were given a heads up, will see if the JID works :)

  695. debacle has joined

  696. flow

    https://github.com/ptrd/kwik

  697. Dele Olajide has joined

  698. Tim R has left

  699. Tim R has joined

  700. Tim R has left

  701. moparisthebest

    > The TLS library used by Kwik is also "home made"

  702. moparisthebest

    hard pass

  703. Wojtek has left

  704. karoshi has left

  705. krauq has left

  706. xnamed has left

  707. Zash

    > it's encrypted and secured by TLS (not as a separate layer, but embedded in the protocol) AIUI you can't use existing TLS libraries as-is unless they have QUIC support

  708. adiaholic has left

  709. marc has left

  710. adiaholic has joined

  711. xnamed has joined

  712. moparisthebest

    right, but all the maintained ones have that by now

  713. coleman has joined

  714. moparisthebest

    Kwik literally says not to use it for security sensitive things, yet it's a TLS replacement, footgun much

  715. jgart has left

  716. marc has joined

  717. Alex

    Memberbot is online for our Q2 2022 elections.

  718. restive_monk has joined

  719. sbach has left

  720. sbach has joined

  721. sbach has left

  722. sbach has joined

  723. adiaholic has left

  724. pep.

    Gloox is used by renga, on haiku

  725. pep.

    ^ pulkomandy

  726. pep.

    Dunno if he's here or just jdev

  727. moparisthebest

    thanks pep. , joined their muc and let them know

  728. Sam has left

  729. adiaholic has joined

  730. moparisthebest

    gloox dev's JID is alive, no response yet, I'll say in here if I get one

  731. stpeter has joined

  732. debacle has left

  733. Sam has joined

  734. xnamed has left

  735. xnamed has joined

  736. msavoritias has left

  737. floretta has joined

  738. Sam has left

  739. krauq has joined

  740. jinxd has joined

  741. adiaholic has left

  742. neshtaxmpp has left

  743. adiaholic has joined

  744. neshtaxmpp has joined

  745. Sam has joined

  746. konstantinos has joined

  747. msavoritias has joined

  748. neshtaxmpp has left

  749. neshtaxmpp has joined

  750. Tim R has joined

  751. flow

    moparisthebest, what exactly did you ask gloox's dev?

  752. moparisthebest

    > hi! I got your JID from the gloox website, wondered if you were made aware of a recent vulnerability found in gloox or not? https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

  753. karoshi has joined

  754. flow

    I'd somehow assume that he is aware of this. I wonder if gloox being gpl even suggests that zoom bought a license from him

  755. flow

    or if they used gloox under the GPL, which means free zoom source for everyone!!!

  756. flow

    Daniel, fwiw: https://github.com/ptrd/kwik/blob/3458cd17f76d9cd0ad0b17536af6bcd03bb96081/src/main/java/net/luminis/quic/run/SampleClient.java#L57-L61

  757. lovetox has left

  758. Daniel

    flow: 👍

  759. flow

    now of course, the question is if kwik is portable and runs on android

  760. coleman has left

  761. coleman has joined

  762. moparisthebest

    Daniel: please pay attention to "Kwik implemented it's own TLS lib and should not be used" from it's readme

  763. raghavgururajan has left

  764. Daniel

    Yes I saw that. I have no plans on using that

  765. flow

    yep, that was just to show that quic client libraries provide a stream abstraction of the quic transport

  766. moparisthebest

    Cool, easy to miss, scares me they don't put that up top :/

  767. moparisthebest

    I'll soon see how much of a nightmare interfacing rust and Java/Android is in practice :'(

  768. stpeter

    Wow, is Jakob Schröter still maintaining gloox? He's been working on that for ages.

  769. xnamed has left

  770. flow

    he certainly has

  771. stpeter

    I mean, we had a commercial license for it at JINC circa 2004 (IIRC).

  772. moparisthebest

    You can tell it's been ages because he uses SVN :)

  773. stpeter

    heh

  774. moparisthebest

    Could be CVS I guess

  775. Kev

    > I'd somehow assume that he is aware of this. I wonder if gloox being gpl even suggests that zoom bought a license from him I know Jakob selling licenses was a thing, I would assume Zoom did (shame they didn't pick Swiften :D)

  776. *IM* has left

  777. Kev

    Ah, Peter got here before me.

  778. lovetox has joined

  779. stpeter waves to Kev

  780. marc has left

  781. Kev waves back

  782. moparisthebest

    Kev: what does swiften use for parsing XML?

  783. moparisthebest

    Seems like this class of bug could be rather widespread

  784. moparisthebest

    I mean hopefully no XMPP clients are downloading and running software but the impersonation aspect

  785. Kev

    Expat or libxml2 at user's choice.

  786. Kev

    libxml2 being the better choice.

  787. Kev

    s/user's choice/dev's choice/

  788. harry837374884 has left

  789. marc has joined

  790. Dele Olajide has left

  791. harry837374884 has joined

  792. moparisthebest

    Would be interesting to do an inventory of all the various XML parsers and see if any parse differently like this

  793. flow

    Kev, why libxml2 >> Expat?

  794. moparisthebest

    And by interesting I mean I would enjoy reading someone else's summary because that seems like an absolutely massive amount of work :D

  795. papatutuwawa has joined

  796. adiaholic has left

  797. sbach has left

  798. sbach has joined

  799. sbach has left

  800. sbach has joined

  801. adiaholic has joined

  802. Ingolf has left

  803. adiaholic has left

  804. Ingolf has joined

  805. Tobias has left

  806. Tobias has joined

  807. Andrzej has joined

  808. Tobias has left

  809. Tobias has joined

  810. Tobias has left

  811. Tobias has joined

  812. Dele Olajide has joined

  813. antranigv has left

  814. harry837374884 has left

  815. harry837374884 has joined

  816. Andrzej has left

  817. Tim R has left

  818. Kev

    flow: I honestly don't remember why I think that :D

  819. djorz has left

  820. floretta has left

  821. Tobias has left

  822. Tobias has joined

  823. antranigv has joined

  824. stpeter has left

  825. Sam has left

  826. Tim R has joined

  827. Sam has joined

  828. adiaholic has joined

  829. chipmnk has left

  830. chipmnk has joined

  831. antranigv has left

  832. antranigv has joined

  833. antranigv has left

  834. antranigv has joined

  835. Tobias has left

  836. Tobias has joined

  837. moparisthebest

    oh, that's also an expat bug (reported, was it fixed?) and a bug in ejabberd's fast_xml, fun stuff

  838. moparisthebest

    so much for flow 's "well tested libraries" eh :P

  839. Tobias has left

  840. Tobias has joined

  841. neshtaxmpp has left

  842. neshtaxmpp has joined

  843. karoshi has left

  844. moparisthebest

    expat CVEs: https://nvd.nist.gov/vuln/detail/CVE-2022-25236 / https://nvd.nist.gov/vuln/detail/CVE-2022-25235

  845. jonas’

    what are we looking at? anything I should watch out for in rxml? dino doesn't have sufficient scrollback and I am too tired to open my poezio shell and scroll.

  846. moparisthebest

    jonas’, about, 3 or 4 XML-specific bugs not counting the zoom RCE from https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

  847. moparisthebest

    and yes re: rxml, basically does it parse these the same way expat does, what does it do in the face of utf-8 nonsense etc

  848. moparisthebest

    in english the bug is roughly "can you pass a single stanza through a server that a client interprets as more-than-one stanza"

  849. moparisthebest

    if so, since the server isn't checking the inner one, you can spoof literally anything to the client

  850. emus

    *Those are the accepted contributors for the XSF!!!* *A warm welcome again Patiga and Pawbud! * *I will communicated via our channels soon! Are there any annotations here?* Patiga: More flexibility in dino file transfers Resource-wise, messenger applications tend to be on the lightweight side of the spectrum. This drastically changes when file transfers are added to the equation. File transfers can introduce arbitrary more resource-usage, both on network and data storage aspects. To alleviate this issue, stateless file sharing empowers the user to make informed decisions on which files to load. Deliverables • Unified handling of http and jingle (peer-to-peer) file transfers • Enable sending metadata alongside files • Thumbnail previews for images https://summerofcode.withgoogle.com/programs/2022/projects/z9ixHTWZ Pawbud: Adding support for Audio/Video Communication via Jingle The idea is to add support for Audio & Video communication through the Jingle protocol. The goal is to create a Converse plugin that adds the ability to make one-on-one audio/video calls from Converse. The audio/video calls will be compatible with other XMPP clients. https://summerofcode.withgoogle.com/programs/2022/projects/0nRwZN19

  851. jonas’

    moparisthebest, well, rxml uses rust strings, and as I don't have any unsafe { from_utf8_unchecked(..) } in there, I should be golden on the UTF-8 front I think.

  852. adiaholic has left

  853. adiaholic has joined

  854. moparisthebest

    I suspect so also

  855. jonas’

    oh god

  856. jonas’

    the gloox/expat mixture there is explosive, and a nice find

  857. jonas’

    meanwhile, people complaining that rxml refuses <?xml-stylesheet ..?>

  858. konstantinos has left

  859. mh has left

  860. Zash

    muh nice-looking atom feeds!

  861. moparisthebest

    I'm pretty much completely convinced at this point that using generic XML libraries for XMPP is a giant mistake

  862. jonas’

    said the one dissecting XMPP streams with .find() ;P

  863. jonas’

    (which is just barely better)

  864. moparisthebest

    I agree, I just think it's better than pulling in expat, rxml didn't exist at that point :P

  865. junaid has joined

  866. jonas’

    may 11 vs. apr 14, you win, but only barely

  867. sbach has left

  868. sbach has joined

  869. mh has joined

  870. sbach has left

  871. moparisthebest

    besides, mine sits in between the server and the client, so I've got parsers on both ends, it doesn't actually matter if I forward crap :D

  872. sbach has joined

  873. Zash

    Wouldn't .find([<>]) be sensitive to broken half of UTF-8 sequences messing with it?

  874. jonas’

    Zash, uhhhh

  875. jonas’

    iiiinteresting

  876. antranigv has left

  877. jonas’

    though that'd then drop dead on the real parsers on the other end (if it's not gloox, apparently. or expat?)

  878. Zash

    which was what I gathered from that Zoom issue

  879. jonas’

    and another point in moparisthebest's favour is that initially, rxml had its own utf8 decoder, which wasn't just slow but also a source of errors (most of which *probably* have been found by fuzzing, but you never know)

  880. jonas’

    and another point in moparisthebest's favour is that initially, rxml had its own utf8 decoder, which wasn't just slow but also a source of errors (most of which *probably* had eventually been found by fuzzing, but you never know)

  881. moparisthebest

    that scared me and is why I didn't consider using it originally, but now you said that's gone, and I just haven't went back and looked again yet

  882. konstantinos has joined

  883. moparisthebest

    I'd only be using it for websocket <-> regular xmpp conversions, the only other thing I use find() for is extracting the target domain from <stream to= which even ejabberd doesn't use a proper XML parser on, it's fine :D

  884. floretta has joined

  885. moparisthebest

    otherwise it doesn't parse any XML, that's the whole point even

  886. jonas’

    doesn't it do that to enforce stanza size limits?

  887. Half-Shot has left

  888. homebeach has left

  889. Matthew has left

  890. uhoreg has left

  891. Half-Shot has joined

  892. Matthew has joined

  893. homebeach has joined

  894. uhoreg has joined

  895. xnamed has joined

  896. Tobias has left

  897. Tobias has joined

  898. moparisthebest

    no, it enforces stanza size limits without parsing XML

  899. jonas’

    it counts delimiters, which for me counts as parsing XML

  900. moparisthebest

    it spits out whole stanzas at a time, that may or may not be valid XML, but they are complete stanzas under the specified length limit

  901. adiaholic has left

  902. mh has left

  903. djorz has joined

  904. moparisthebest

    it's only counting, forward-only (never backtracking), not allocating ever, and stops at a pre-defined limit, I know these are famous last words but I don't think it could ever be vulnerable to anything :)

  905. jonas’

    fun fact: a bug in the depth counting in aioxmpp led to a viable remote stanza smuggling attack :)

  906. karoshi has joined

  907. moparisthebest

    but that's an XML parser no? this is "here is a byte slice, if it's valid XML it's a whole stanza, not a partial one, have fun"

  908. jonas’

    that was actually after the xml parser

  909. konstantinos has left

  910. jonas’

    just counting startelement/endelement can be surprisingly tricky

  911. adiaholic has joined

  912. jonas’

    https://github.com/horazont/aioxmpp/commit/29ff0838a40f58efe30a4bbcea95aa8dab7da475 fwiw

  913. moparisthebest

    the point is you can then use a dom parser, so it's basically like websocket then, you don't need a SAX parser to tell you when a stanza begins/ends

  914. moparisthebest

    websocket also says "here is a byte slice, if it's valid XML it's a whole stanza, not a partial one, have fun"

  915. mh has joined

  916. Tobias has left

  917. Tobias has joined

  918. adiaholic has left

  919. Dele Olajide has left

  920. adiaholic has joined

  921. flow

    moparisthebest, at leat someone will look at the libraries. if everyone uses their own implemention, then bugs will propably go unnoticed forever. Note that I was mentally excluding all C/C++ kind of libaries. I am not sure if any network facing application should ever use those, especially clients, but proably also server applications

  922. sernick has joined

  923. moparisthebest

    How many years have people looked at expat, how many CVEs in the last year

  924. moparisthebest

    But yes I agree in general that well tested XMPP-specific libraries in sane languages should be used widely

  925. jonas’

    I haven't yet seen anything like rxml in other languages

  926. jonas’

    maybe I should see if I can make a C interface for it?

  927. flow

    while I don't see the need for XMPP specific XML and Unicode libraries, I am happy that we can at least aggree that code should be well-tested

  928. flow

    that said, I wouldn't mind if XML parsers had different module like "XMPP restricted"

  929. djorz has left

  930. flow

    I know the evil unrestricted code would be still there, and depending on the paranoia level, this will bother some

  931. marc has left

  932. marc has joined

  933. Sam has left

  934. atomicwatch has left

  935. Yagiza has left

  936. harry837374884 has left

  937. Sam has joined

  938. sernick has left

  939. moparisthebest

    C devs, the theory: I know how to manage my own memory, I won't write unsafe code

  940. atomicwatch has joined

  941. moparisthebest

    C devs, the practice: 85% of security vulnerabilites are unsafe memory management

  942. moparisthebest

    XMPP devs, the theory: I know how to properly configure expat/my XML lib

  943. moparisthebest

    XMPP devs, the practice: 85% of security vulnerabilities are mis-configured expat (ok I made up this % but I bet it's close :P)

  944. Half-Shot has left

  945. homebeach has left

  946. Matthew has left

  947. uhoreg has left

  948. Half-Shot has joined

  949. Matthew has joined

  950. homebeach has joined

  951. uhoreg has joined

  952. flow

    Well, no, I actually believe first-time XMPP devs will often just grab the XML parser and be happy that it works

  953. flow

    So we do have a similar situation here as we have with XHTML-IM: people just use the first tool that comes to their mind, and are happy that it works

  954. flow

    that said, I believe software, especially libraries should be as restrictive as possible per default, and "explode" if the boundaries of the restrictions are crossed

  955. flow

    then people can decide if they want to relax the restrictions

  956. lovetox

    so lets deprecate xml parsers

  957. lovetox

    every developer needs to write his own from now on

  958. flow

    I don't see how XML libraries specialized for XMPP would help, in fact, I fear that this would further fragment the software ecosystem

  959. moparisthebest

    flow, would you call prosody and ejabberd developers "first-time devs" ? because both have had misconfigured-expat bugs in the last few months

  960. restive_monk has left

  961. flow

    but, again, I wouldn't mind XML parser being restrictive by default and providing specialized modes

  962. moparisthebest

    we can keep pretending like it won't ever happen again but we all know it will

  963. flow

    moparisthebest, well, I did not claim that expert users do not run into this

  964. moparisthebest

    it's not the fault of any of these devs by the way, it's impossible to sanely configure a beast like that

  965. flow

    that statement strikes me as an exaggeration

  966. flow

    but that may be because I am happy with my Java parsers :)

  967. moparisthebest

    ok, let's revisit it if we can go a year without expat problems, let me know :P

  968. flow

    (java xml parser exploit in Smack in 5, 4, 3, 2, …

  969. flow

    (java xml parser exploit in Smack in 5, 4, 3, 2, …)

  970. flow

    sure, but I wonder if libxml2 isn't really the go to C(/C++) XML parser

  971. jonas’

    isn't expat the only SAX-capable C/C++ XML parser?

  972. debacle has joined

  973. flow

    hmm there is also Xerces

  974. flow

    which claims to be SAX

  975. jonas’

    which is even more exotic to me than expat fwiw

  976. jonas’

    (also mind that expat is backing python's xml module)

  977. flow

    dunno, i've heard and stumbled over xerces in a few places

  978. jonas’

    first time I recall hearing about it

  979. harry837374884 has joined

  980. flow

    yeah, but I think it's the java flavor of xerces

  981. flow

    xerces-c doesn't seem to have that much traction: https://github.com/apache/xerces-c/graphs/contributors

  982. flow

    compared with

  983. flow

    https://github.com/libexpat/libexpat/graphs/contributors

  984. flow

    https://github.com/GNOME/libxml2/graphs/contributors

  985. Kev

    So, listen, I've just had a completely novel and crazy idea. How about we use something other than XML? I've heard great things about YAML...

  986. flow

    cap'n'proto ftw

  987. sbach has left

  988. sbach has joined

  989. adiaholic has left

  990. moparisthebest

    wow, this is worse than I thought, it's simple math really, let's guess which has more bugs:

  991. moparisthebest

    $ ./scc libxml2/ ─────────────────────────────────────────────────────────────────────────────── Language Files Lines Blanks Comments Code Complexity ─────────────────────────────────────────────────────────────────────────────── C 107 279146 24353 46516 208277 55075 C Header 66 16451 1547 4402 10502 308

  992. moparisthebest

    expat: C Header 23 3464 331 1545 1588 40 C 22 29409 2162 2838 24409 4621

  993. moparisthebest

    rxml: Rust 25 16202 757 1944 13501 444

  994. moparisthebest

    it's *absolutely astounding* that libxml2 has 10x the C code that expat does holy hell

  995. jonas’

    well, expat doesn't have a DOM, does it. nor does it do xslt or xpath.

  996. moparisthebest

    wonder how it factors code complexity cause each one is a few orders of magnitude off haha

  997. moparisthebest

    jonas’, challenge: expat-compatible API for rxml, just no-op all the configuration functions :D

  998. djorz has joined

  999. jonas’

    moparisthebest, I have that on my todo, actually, but only for lua-expat :)

  1000. Fishbowler has left

  1001. Fishbowler has joined

  1002. restive_monk has joined

  1003. neshtaxmpp has left

  1004. neshtaxmpp has joined

  1005. restive_monk has left

  1006. atomicwatch has left

  1007. moparisthebest

    flow, xerces: Java 832 260492 31434 86353 142705 30512 almost as many lines as libxml2 but 8x the files, god bless java

  1008. nuron has left

  1009. emus

    Welcome our Google Summer of Code contributors! - Patiga will work on more flexible file transfers in #Dino https://summerofcode.withgoogle.com/programs/2022/projects/z9ixHTWZ - PawBud will work towards adding support for A/V #communication via #Jingle in #ConverseJS https://summerofcode.withgoogle.com/programs/2022/projects/0nRwZN19 #XMPP #GSoC #Google #Standards https://fosstodon.org/web/@xmpp/108358826402429966 https://twitter.com/xmpp/status/1529199174729728000

  1010. nuron has joined

  1011. Tim R has left

  1012. rebeld22

    emus: No one wants to work for Google.

  1013. david has joined

  1014. david has left

  1015. jonas’

    rebeld22, excuse me what?

  1016. jonas’

    that's not exactly "welcoming"

  1017. david has joined

  1018. david has left

  1019. wgreenhouse has left

  1020. arc has joined

  1021. papatutuwawa has left

  1022. rebeld22

    jonas’: Sorry, but what you mean?

  1023. wgreenhouse has joined

  1024. emus

    I assume it's time to say good night! 👻️

  1025. thndrbvr has left

  1026. thndrbvr has joined

  1027. Sam has left

  1028. restive_monk has joined

  1029. Sam has joined

  1030. atomicwatch has joined

  1031. msavoritias has left

  1032. adiaholic has joined

  1033. adiaholic has left

  1034. Dele Olajide has joined

  1035. bean has left

  1036. djorz has left

  1037. Sam has left

  1038. djorz has joined

  1039. Sam has joined

  1040. Kev has left

  1041. restive_monk has left

  1042. Kev has joined

  1043. Kev has left

  1044. Kev has joined

  1045. emus

    I'm in my bed already, but if someone volunteers to guide the user that unspecified asks for help below the Fosstodon tweet - that would be really great! 🙏❤

  1046. sbach has left

  1047. sbach has joined

  1048. antranigv has joined

  1049. qy

    jonas’, known troll-type

  1050. pablo has left

  1051. qy

    ooh, finally an implementation of SFS

  1052. qy

    good luck, Pagita

  1053. qy

    good luck, Patiga!

  1054. floretta has left

  1055. moparisthebest

    ooh, that is full of foot-guns of the unlimited-sized-stream variety ala https://www.moparisthebest.com/httppppppppppp-upload/

  1056. qy

    moparisthebest, maybe you should find them on xmpp and help out?

  1057. qy

    will there be a muc for this work, or a repo

  1058. moparisthebest

    dino devs have a handle on it :D

  1059. qy

    heh

  1060. marc has left

  1061. marc has joined

  1062. atomicwatch has left

  1063. Kev has left

  1064. antranigv has left

  1065. Mx2 has left

  1066. wgreenhouse has left

  1067. debacle has left

  1068. *IM* has joined

  1069. Calvin has left

  1070. Tobias has left

  1071. adiaholic has joined

  1072. menel has left

  1073. antranigv has joined

  1074. wgreenhouse has joined

  1075. adiaholic has left

  1076. pablo has joined

  1077. coleman has left

  1078. coleman has joined

  1079. վարյա has left

  1080. վարյա has joined

  1081. neshtaxmpp has left

  1082. neshtaxmpp has joined

  1083. marc has left

  1084. djorz has left

  1085. antranigv has left

  1086. SteveF has left

  1087. pjn has left

  1088. Dele Olajide has left

  1089. pjn has joined

  1090. goffi has left

  1091. Kev has joined

  1092. floretta has joined

  1093. djorz has joined

  1094. neshtaxmpp has left

  1095. Kev has left

  1096. sbach has left

  1097. sbach has joined

  1098. david has joined

  1099. david has left

  1100. jinxd has left

  1101. jgart has joined

  1102. Dele Olajide has joined

  1103. emus has left

  1104. jgart has left

  1105. Titi has joined

  1106. xnamed has left

  1107. adiaholic has joined

  1108. jgart has joined

  1109. adiaholic has left

  1110. jgart has left

  1111. floretta has left

  1112. karoshi has left

  1113. Kev has joined

  1114. floretta has joined

  1115. xnamed has joined

  1116. neshtaxmpp has joined

  1117. adiaholic has joined

  1118. Mx2 has joined

  1119. Dele Olajide has left

  1120. lskdjf has left

  1121. djorz has left

  1122. adiaholic has left

  1123. antranigv has joined

  1124. neshtaxmpp has left

  1125. neshtaxmpp has joined

  1126. pjn has left

  1127. antranigv has left

  1128. antranigv has joined

  1129. pjn has joined

  1130. Kev has left

  1131. floretta has left

  1132. floretta has joined

  1133. Kev has joined

  1134. pablo has left

  1135. վարյա has left

  1136. վարյա has joined

  1137. sbach has left

  1138. sbach has joined

  1139. sbach has left

  1140. sbach has joined

  1141. Kev has left

  1142. Kev has joined