XSF Discussion - 2022-05-24

  1. Kev has left
  2. thilo.molitor has left
  3. thilo.molitor has joined
  4. qwestion has left
  5. floretta has left
  6. floretta has joined
  7. qwestion has joined
  8. restive_monk has left
  9. վարյա has left
  10. վարյա has joined
  11. qwestion has left
  12. gooya has left
  13. andrey.g has left
  14. thilo.molitor has left
  15. sbach has left
  16. sbach has joined
  17. thilo.molitor has joined
  18. Kev has joined
  19. adiaholic has joined
  20. adiaholic has left
  21. qwestion has joined
  22. neshtaxmpp has left
  23. neshtaxmpp has joined
  24. sbach has left
  25. qwestion has left
  26. restive_monk has joined
  27. Kev has left
  28. sbach has joined
  29. qwestion has joined
  30. neshtaxmpp has left
  31. neshtaxmpp has joined
  32. sbach has left
  33. qwestion has left
  34. sbach has joined
  35. sbach has left
  36. sbach has joined
  37. rumin-miller has joined
  38. restive_monk has left
  39. rumin-miller has left
  40. qwestion has joined
  41. Mx2 has left
  42. qwestion has left
  43. Kev has joined
  44. վարյա has left
  45. վարյա has joined
  46. qwestion has joined
  47. adiaholic has joined
  48. sbach has left
  49. sbach has joined
  50. neshtaxmpp has left
  51. qwestion has left
  52. Kev has left
  53. qwestion has joined
  54. adiaholic has left
  55. qwestion has left
  56. thilo.molitor has left
  57. Mx2 has joined
  58. thilo.molitor has joined
  59. adiaholic has joined
  60. adiaholic has left
  61. rubi has left
  62. qwestion has joined
  63. qwestion has left
  64. վարյա has left
  65. վարյա has joined
  66. adiaholic has joined
  67. rubi has joined
  68. Steve Kille has left
  69. Steve Kille has joined
  70. rubi has left
  71. adiaholic has left
  72. rubi has joined
  73. pablo has joined
  74. Kev has joined
  75. qwestion has joined
  76. adiaholic has joined
  77. harry837374884 has left
  78. qwestion has left
  79. millesimus has left
  80. floretta has left
  81. floretta has joined
  82. harry837374884 has joined
  83. Kev has left
  84. Mx2 has left
  85. Mx2 has joined
  86. millesimus has joined
  87. adiaholic has left
  88. jgart has joined
  89. sbach has left
  90. sbach has joined
  91. sbach has left
  92. sbach has joined
  93. adiaholic has joined
  94. thilo.molitor has left
  95. thilo.molitor has joined
  96. Yagiza has joined
  97. pablo has left
  98. Mx2 has left
  99. Mx2 has joined
  100. Calvin has left
  101. Mx2 has left
  102. Mx2 has joined
  103. վարյա has left
  104. վարյա has joined
  105. Kev has joined
  106. adiaholic has left
  107. adiaholic has joined
  108. adiaholic has left
  109. adiaholic has joined
  110. Kev has left
  111. վարյա has left
  112. վարյա has joined
  113. qwestion has joined
  114. debacle has joined
  115. qwestion has left
  116. adiaholic has left
  117. sbach has left
  118. sbach has joined
  119. adiaholic has joined
  120. Seve has joined
  121. qwestion has joined
  122. Calvin has joined
  123. menel has joined
  124. neshtaxmpp has joined
  125. adiaholic has left
  126. jcbrand has left
  127. qwestion has left
  128. adiaholic has joined
  129. Sam has left
  130. Calvin has left
  131. Sam has joined
  132. Kev has joined
  133. qwestion has joined
  134. qwestion has left
  135. marc0s has left
  136. marc0s has joined
  137. Tobias has joined
  138. Tobias has left
  139. Tobias has joined
  140. floretta has left
  141. floretta has joined
  142. Kev has left
  143. adiaholic has left
  144. վարյա has left
  145. վարյա has joined
  146. adiaholic has joined
  147. marc0s has left
  148. marc0s has joined
  149. sbach has left
  150. adiaholic has left
  151. Tobias has left
  152. Tobias has joined
  153. qwestion has joined
  154. qwestion has left
  155. sbach has joined
  156. վարյա has left
  157. վարյա has joined
  158. debacle has left
  159. qwestion has joined
  160. adiaholic has joined
  161. Kev has joined
  162. adiaholic has left
  163. qwestion has left
  164. harry837374884 has left
  165. Sam has left
  166. Sam has joined
  167. qwestion has joined
  168. adiaholic has joined
  169. neshtaxmpp has left
  170. neshtaxmpp has joined
  171. konstantinos has joined
  172. Kev has left
  173. adiaholic has left
  174. qwestion has left
  175. Steve Kille has left
  176. Steve Kille has joined
  177. Seve has left
  178. harry837374884 has joined
  179. Half-Shot has left
  180. homebeach has left
  181. Matthew has left
  182. uhoreg has left
  183. Half-Shot has joined
  184. Matthew has joined
  185. homebeach has joined
  186. uhoreg has joined
  187. Sam has left
  188. adiaholic has joined
  189. Paganini has left
  190. emus has joined
  191. Sam has joined
  192. msavoritias has joined
  193. debacle has joined
  194. yushyin has left
  195. rebeld22 has left
  196. Sam has left
  197. Tobias has left
  198. Tobias has joined
  199. Tobias has left
  200. Tobias has joined
  201. wurstsalat has left
  202. Tobias has left
  203. Tobias has joined
  204. sbach has left
  205. Tobias has left
  206. Tobias has joined
  207. karoshi has joined
  208. Sam has joined
  209. Seve has joined
  210. sbach has joined
  211. Sam has left
  212. Kev has joined
  213. jcbrand has joined
  214. yushyin has joined
  215. adiaholic has left
  216. sbach has left
  217. sbach has joined
  218. MattJ moparisthebest: sounds fine to me, but - why?
  219. sbach has left
  220. sbach has joined
  221. Sam has joined
  222. goffi has joined
  223. djorz has joined
  224. adiaholic has joined
  225. vanitasvitae has left
  226. vanitasvitae has joined
  227. atomicwatch has left
  228. adiaholic has left
  229. jonas’ moparisthebest, to me, at least one canonical way to discover QUIC connectivity (e.g. SRV records) would seem sensible
  230. konstantinos has left
  231. Kev has left
  232. Fishbowler has left
  233. Fishbowler has joined
  234. msavoritias has left
  235. Sam has left
  236. msavoritias has joined
  237. msavoritias has left
  238. msavoritias has joined
  239. adiaholic has joined
  240. wurstsalat has joined
  241. djorz has left
  242. atomicwatch has joined
  243. Kev has joined
  244. adiaholic has left
  245. djorz has joined
  246. rion has joined
  247. adiaholic has joined
  248. Sam has joined
  249. nikhilmwarrier has joined
  250. Kev has left
  251. neshtaxmpp has left
  252. neshtaxmpp has joined
  253. adiaholic has left
  254. floretta has left
  255. adiaholic has joined
  256. Fishbowler has left
  257. Fishbowler has joined
  258. lskdjf has joined
  259. marc has joined
  260. djorz has left
  261. Maranda_ has joined
  262. floretta has joined
  263. Fishbowler has left
  264. Fishbowler has joined
  265. stp has joined
  266. qwestion has joined
  267. djorz has joined
  268. chipmnk has joined
  269. Andrzej has joined
  270. chipmnk has left
  271. nikhilmwarrier has left
  272. nikhilmwarrier has joined
  273. qwestion has left
  274. floretta has left
  275. floretta has joined
  276. Alex has joined
  277. SteveF has joined
  278. adiaholic has left
  279. Maranda_ has left
  280. Kev has joined
  281. stp has left
  282. djorz has left
  283. adiaholic has joined
  284. stp has joined
  285. qwestion has joined
  286. Andrzej has left
  287. djorz has joined
  288. bean has joined
  289. adiaholic has left
  290. marc has left
  291. Maskugatiger has joined
  292. marc has joined
  293. marc has left
  294. emus has left
  295. konstantinos has joined
  296. djorz has left
  297. adiaholic has joined
  298. Tobias has left
  299. Tobias has joined
  300. qwestion has left
  301. marc has joined
  302. adiaholic has left
  303. debacle has left
  304. adiaholic has joined
  305. floretta has left
  306. stp has left
  307. stp has joined
  308. adiaholic has left
  309. Maskugatiger has left
  310. Tim R has joined
  311. karoshi has left
  312. msavoritias has left
  313. thndrbvr has left
  314. thndrbvr has joined
  315. adiaholic has joined
  316. karoshi has joined
  317. վարյա has left
  318. վարյա has joined
  319. floretta has joined
  320. adiaholic has left
  321. msavoritias has joined
  322. xnamed has joined
  323. floretta has left
  324. qwestion has joined
  325. Sam has left
  326. sbach has left
  327. sbach has joined
  328. qwestion has left
  329. sbach has left
  330. sbach has joined
  331. sbach has left
  332. sbach has joined
  333. neshtaxmpp has left
  334. neshtaxmpp has joined
  335. qwestion has joined
  336. msavoritias has left
  337. Wojtek has joined
  338. qwestion has left
  339. emus has joined
  340. harry837374884 has left
  341. adiaholic has joined
  342. harry837374884 has joined
  343. msavoritias has joined
  344. qwestion has joined
  345. gooya has joined
  346. floretta has joined
  347. adiaholic has left
  348. Sam has joined
  349. adiaholic has joined
  350. qwestion has left
  351. վարյա has left
  352. վարյա has joined
  353. qwestion has joined
  354. qwestion has left
  355. debacle has joined
  356. konstantinos has left
  357. Sam has left
  358. karoshi has left
  359. qwestion has joined
  360. nikhilmwarrier has left
  361. nikhilmwarrier has joined
  362. Steve Kille has left
  363. Steve Kille has joined
  364. Steve Kille has left
  365. Steve Kille has joined
  366. vanitasvitae has left
  367. qwestion has left
  368. Steve Kille has left
  369. Steve Kille has joined
  370. qwestion has joined
  371. qwestion has left
  372. qwestion has joined
  373. Steve Kille has left
  374. Steve Kille has joined
  375. qwestion has left
  376. menel has left
  377. վարյա has left
  378. վարյա has joined
  379. restive_monk has joined
  380. qwestion has joined
  381. sbach has left
  382. sbach has joined
  383. qwestion has left
  384. qwestion has joined
  385. qwestion has left
  386. qwestion has joined
  387. qwestion has left
  388. lovetox has left
  389. karoshi has joined
  390. qwestion has joined
  391. konstantinos has joined
  392. qwestion has left
  393. harry837374884 has left
  394. Dele Olajide has joined
  395. lovetox has joined
  396. qwestion has joined
  397. qwestion has left
  398. harry837374884 has joined
  399. menel has joined
  400. neshtaxmpp has left
  401. neshtaxmpp has joined
  402. antranigv has joined
  403. lovetox has left
  404. adiaholic has left
  405. vanitasvitae has joined
  406. lovetox has joined
  407. adiaholic has joined
  408. msavoritias has left
  409. adiaholic has left
  410. menel has left
  411. menel has joined
  412. floretta has left
  413. Sam has joined
  414. adiaholic has joined
  415. Fishbowler has left
  416. adiaholic has left
  417. qwestion has joined
  418. Fishbowler has joined
  419. SteveF has left
  420. SteveF has joined
  421. antranigv has left
  422. SteveF has left
  423. SteveF has joined
  424. antranigv has joined
  425. Steve Kille has left
  426. Steve Kille has joined
  427. Steve Kille has left
  428. Steve Kille has joined
  429. վարյա has left
  430. վարյա has joined
  431. qwestion has left
  432. floretta has joined
  433. Sam has left
  434. Sam has joined
  435. msavoritias has joined
  436. vanitasvitae has left
  437. Wojtek has left
  438. msavoritias has left
  439. qwestion has joined
  440. Wojtek has joined
  441. neshtaxmpp has left
  442. neshtaxmpp has joined
  443. chipmnk has joined
  444. nikhilmwarrier has left
  445. qwestion has left
  446. qwestion has joined
  447. qwestion has left
  448. qwestion has joined
  449. sbach has left
  450. sbach has joined
  451. sbach has left
  452. sbach has joined
  453. adiaholic has joined
  454. qwestion has left
  455. qwestion has joined
  456. adiaholic has left
  457. wgreenhouse has left
  458. Vidak has left
  459. qwestion has left
  460. qwestion has joined
  461. wgreenhouse has joined
  462. adiaholic has joined
  463. vanitasvitae has joined
  464. qwestion has left
  465. theoneping has joined
  466. pablo has joined
  467. theoneping has left
  468. adiaholic has left
  469. qwestion has joined
  470. qwestion has left
  471. վարյա has left
  472. վարյա has joined
  473. qwestion has joined
  474. moparisthebest because the canonical way will be in (hopefully) xep-0156
  475. konstantinos has left
  476. pablo has left
  477. Zash > is there precedent Like, the core RFC defining both the TCP binding and the SRV discovery method?
  478. qwestion has left
  479. menel has left
  480. moparisthebest no, the opposite, *not* defining port binding or discovery, just saying "that's defined in $other-xep"
  481. menel has joined
  482. restive_monk has left
  483. antranigv has left
  484. antranigv has joined
  485. sbach has left
  486. sbach has joined
  487. qwestion has joined
  488. raghavgururajan has joined
  489. վարյա has left
  490. վարյա has joined
  491. nikhilmwarrier has joined
  492. restive_monk has joined
  493. Mx2 has left
  494. antranigv has left
  495. antranigv has joined
  496. harry837374884 has left
  497. neshtaxmpp has left
  498. neshtaxmpp has joined
  499. eevvoor has left
  500. antranigv has left
  501. qwestion has left
  502. eevvoor has joined
  503. antranigv has joined
  504. harry837374884 has joined
  505. msavoritias has joined
  506. Calvin has joined
  507. konstantinos has joined
  508. antranigv has left
  509. Sam has left
  510. Dele Olajide has left
  511. adiaholic has joined
  512. Sam has joined
  513. Mx2 has joined
  514. վարյա has left
  515. վարյա has joined
  516. neshtaxmpp has left
  517. chipmnk has left
  518. chipmnk has joined
  519. neshtaxmpp has joined
  520. Sam has left
  521. Sam has joined
  522. վարյա has left
  523. վարյա has joined
  524. antranigv has joined
  525. restive_monk has left
  526. jinxd has joined
  527. antranigv has left
  528. Paganini has joined
  529. rebeld22 has joined
  530. վարյա has left
  531. վարյա has joined
  532. sbach has left
  533. sbach has joined
  534. msavoritias has left
  535. neshtaxmpp has left
  536. neshtaxmpp has joined
  537. raghavgururajan has left
  538. restive_monk has joined
  539. antranigv has joined
  540. antranigv has left
  541. վարյա has left
  542. վարյա has joined
  543. raghavgururajan has joined
  544. antranigv has joined
  545. վարյա has left
  546. վարյա has joined
  547. վարյա has left
  548. վարյա has joined
  549. msavoritias has joined
  550. konstantinos has left
  551. nikhilmwarrier has left
  552. adiaholic has left
  553. restive_monk has left
  554. adiaholic has joined
  555. Vidak has joined
  556. msavoritias has left
  557. Titi has left
  558. atomicwatch has left
  559. atomicwatch has joined
  560. Sam has left
  561. վարյա has left
  562. վարյա has joined
  563. Sam has joined
  564. nikhilmwarrier has joined
  565. Thilo Molitor has left
  566. Thilo Molitor has joined
  567. karoshi has left
  568. karoshi has joined
  569. moparisthebest very interesting XMPP vuln in Zoom's implementation https://bugs.chromium.org/p/project-zero/issues/detail?id=2254
  570. karoshi has left
  571. Sam has left
  572. sbach has left
  573. sbach has joined
  574. karoshi has joined
  575. sbach has left
  576. sbach has joined
  577. konstantinos has joined
  578. Sam has joined
  579. restive_monk has joined
  580. pablo has joined
  581. adiaholic has left
  582. floretta has left
  583. Sam has left
  584. Sam has joined
  585. konstantinos has left
  586. adiaholic has joined
  587. restive_monk has left
  588. msavoritias has joined
  589. emus moparisthebest: is that something that should have attention from our side?
  590. floretta has joined
  591. sbach has left
  592. sbach has joined
  593. Sam has left
  594. pablo has left
  595. vanitasvitae The XML parser stuff might be interesting
  596. vanitasvitae As the stanza smuggling attack could also be used on other clients
  597. vanitasvitae /servers
  598. Sam has joined
  599. flow It appears that Gloox rolled much of its Unicode and XML parsing code itself, which makes such vulnerabilities more likely. Not using existing libs may be fine if you target constraint low-end embedded devices. But the Zoom client typically runs on none of those
  600. vanitasvitae Ah, I thought gloox was an XML parser lib, not an XMPP client library :D
  601. vanitasvitae Well, apparently its both :P
  602. flow If we want to spin the story away from "XMPP is so complicated because it uses Unicode and XML, hence there are such security issues", then we should point out that there are robust, sound, and battle tested libraries for the heavy-lifting of the low-level stuff, which, if used, make such issues much less likely
  603. flow In fact the Project Zero report even mentions (and praises) ejabberd for its validation
  604. antranigv has left
  605. pablo has joined
  606. antranigv has joined
  607. restive_monk has joined
  608. djorz has joined
  609. derdaniel has joined
  610. adiaholic has left
  611. coleman has left
  612. antranigv has left
  613. antranigv has joined
  614. adiaholic has joined
  615. derdaniel moparisthebest: am I remembering this correctly that you had some quic to xmpp c2s termination proxy thing?
  616. derdaniel has left
  617. Daniel has joined
  618. moparisthebest flow, idk seems like most of our vulns have been *because* of using existing XML libs that support way-more-than-XMPP-needs
  619. Daniel A found it. Never mind
  620. moparisthebest yep https://github.com/moparisthebest/xmpp-proxy
  621. Sam > Client messages are sent over the same stream connection as control messages from the server. This specifically interests me and is something I've thought about separating in the past. Maybe multiplexed quic streams could do this as an additional separation if security
  622. antranigv has left
  623. xecks has left
  624. xecks has joined
  625. sbach has left
  626. sbach has joined
  627. Daniel Maybe that's a naive question but would we use raw quic or rather something bosh over HTTP/3?
  628. jonas’ the former
  629. jonas’ use QUIC as a modern replacement for TCP+TLS
  630. jonas’ don't stuff HTTP in there, that's just needless overhead
  631. moparisthebest I think ^ until websockets-over-http3 is standardized and then we can use that to evade the evil firewalls
  632. jonas’ aaand here I'm sad again
  633. moparisthebest what's sad about that? a client tries to connect all the ways, it'd probably prefer plain QUIC, but if blocked, go to other methods?
  634. jonas’ I'd rather have clients take a pickaxe and smash that firewall to pieces
  635. jonas’ *ahem*
  636. moparisthebest I can't disagree with that
  637. jonas’ also, all the good technology going to waste just because some idiot firewalls
  638. moparisthebest *but* XMPP has to *just work* like Signal does, users are uninterested with long explanations about how they should talk to their network administrator
  639. jonas’ so much damage for nothing
  640. jonas’ see, I'll rather clean the kitchen than continuing to think about this
  641. moparisthebest I'm curious to see if QUIC/http3 itself will actually ever make it through firewalls
  642. Daniel So what are the bits (roughly) that a xep would have to specify?
  643. moparisthebest I reckon a ton of networks currently block UDP on port 443
  644. jonas’ moparisthebest, google will make it happen, one way or another
  645. jonas’ "hey enterprise, you're using gmail corporate, right? well it will stop working if you don't allowlist udp 443"
  646. debacle has left
  647. debacle has joined
  648. moparisthebest Daniel, honestly hardly anything, tl;dr "connect and validate cert like TLS, use bi-directional streams only, each stream is treated as already authenticated as the cert implies, open as many as you want for 'different connections', use connection roaming if you can </eof>"
  649. antranigv has joined
  650. djorz has left
  651. moparisthebest in some future where google has ensured UDP on 443 always works we could recommend not using stream-management but I think we are far off there (for when you are disconnected and can only connect back over TCP+TLS)
  652. Daniel So there wouldn't be any type of a stanza is a frame or something like that? (asking as someone who doesn't know what a frame is)
  653. Steve Kille has left
  654. moparisthebest nope, to application code it's identical to a TCP stream
  655. nikhilmwarrier has left
  656. moparisthebest there are other types of "transports" you can use under a QUIC session but I think they are uninteresting for XMPP, there are one-way streams for instance
  657. Daniel ok. i thought that maybe 'frames' could take over some part of stream managment acks or so
  658. Dele Olajide has joined
  659. restive_monk has left
  660. Zash My instinct would be that those are orthogonal things at different layers.
  661. moparisthebest https://docs.rs/quinn/latest/quinn/struct.Connection.html#method.send_datagram
  662. moparisthebest that's the other thing you can do besides bi-directional and uni-directional streams
  663. moparisthebest but it's basically sending a UDP packet, un-ordered, no guarantees on delivery, must be "small enough"
  664. moparisthebest Daniel, after tying up some loose ends and writing the XEPs I plan to try to expose xmpp-proxy as a java library and make it take over for Conversation's network code, giving it the ability to do QUIC and Websockets all in one go, no idea how this will work out though :)
  665. moparisthebest it sounds like one of those things that is easier said than done
  666. Steve Kille has joined
  667. Dele Olajide has left
  668. Dele Olajide has joined
  669. Dele Olajide has left
  670. Dele Olajide has joined
  671. debacle has left
  672. floretta has left
  673. neshtaxmpp has left
  674. neshtaxmpp has joined
  675. restive_monk has joined
  676. flow Daniel, I'd expect XMPP over QUIC feels just like XMPP over TCP+TLS
  677. flow so instead of a TlsSocket where you shove raw bytes into and read from, you have a QuickSocket
  678. flow you'd still want to use stream mangement, even if QUIC provides this functionality already, if you want to be able to resume a stream over a different transport mechanism
  679. moparisthebest yep ^
  680. flow of course you could re-use QUIC resumption is your transport stays QUIC during a connectivity change
  681. moparisthebest so do we know of any XMPP clients that use gloox ? or that parse ascii vs UTF-8 ? seems like this attack is generic in that way
  682. Daniel > so instead of a TlsSocket where you shove raw bytes into and read from, you have a QuickSocket That's what I initially hoped but the existing Java quic libraries make this all look a little bit more complex than that
  683. jinxd has left
  684. flow isn't there just one QUIC library for java?
  685. moparisthebest you have to be careful searching for them, old ones say QUIC but mean HTTP3 because that's what it was before it was re-named
  686. flow moparisthebest, fwiw, these are the reverse dependencies of gloox that ::gentoo nows: https://qa-reports.gentoo.org/output/genrdeps/rindex/net-libs/gloox
  687. adiaholic has left
  688. flow you could probably do a similar search for e.g. debian packages
  689. restive_monk has left
  690. djorz has joined
  691. Daniel > isn't there just one QUIC library for java? flow: maybe? Which one are you talking about?
  692. Dele Olajide has left
  693. adiaholic has joined
  694. moparisthebest hmm gloox hasn't had an update since 2020, wonder if it's still developed or if they were given a heads up, will see if the JID works :)
  695. debacle has joined
  696. flow https://github.com/ptrd/kwik
  697. Dele Olajide has joined
  698. Tim R has left
  699. Tim R has joined
  700. Tim R has left
  701. moparisthebest > The TLS library used by Kwik is also "home made"
  702. moparisthebest hard pass
  703. Wojtek has left
  704. karoshi has left
  705. krauq has left
  706. xnamed has left
  707. Zash > it's encrypted and secured by TLS (not as a separate layer, but embedded in the protocol) AIUI you can't use existing TLS libraries as-is unless they have QUIC support
  708. adiaholic has left
  709. marc has left
  710. adiaholic has joined
  711. xnamed has joined
  712. moparisthebest right, but all the maintained ones have that by now
  713. coleman has joined
  714. moparisthebest Kwik literally says not to use it for security sensitive things, yet it's a TLS replacement, footgun much
  715. jgart has left
  716. marc has joined
  717. Alex Memberbot is online for our Q2 2022 elections.
  718. restive_monk has joined
  719. sbach has left
  720. sbach has joined
  721. sbach has left
  722. sbach has joined
  723. adiaholic has left
  724. pep. Gloox is used by renga, on haiku
  725. pep. ^ pulkomandy
  726. pep. Dunno if he's here or just jdev
  727. moparisthebest thanks pep. , joined their muc and let them know
  728. Sam has left
  729. adiaholic has joined
  730. moparisthebest gloox dev's JID is alive, no response yet, I'll say in here if I get one
  731. stpeter has joined
  732. debacle has left
  733. Sam has joined
  734. xnamed has left
  735. xnamed has joined
  736. msavoritias has left
  737. floretta has joined
  738. Sam has left
  739. krauq has joined
  740. jinxd has joined
  741. adiaholic has left
  742. neshtaxmpp has left
  743. adiaholic has joined
  744. neshtaxmpp has joined
  745. Sam has joined
  746. konstantinos has joined
  747. msavoritias has joined
  748. neshtaxmpp has left
  749. neshtaxmpp has joined
  750. Tim R has joined
  751. flow moparisthebest, what exactly did you ask gloox's dev?
  752. moparisthebest > hi! I got your JID from the gloox website, wondered if you were made aware of a recent vulnerability found in gloox or not? https://bugs.chromium.org/p/project-zero/issues/detail?id=2254
  753. karoshi has joined
  754. flow I'd somehow assume that he is aware of this. I wonder if gloox being gpl even suggests that zoom bought a license from him
  755. flow or if they used gloox under the GPL, which means free zoom source for everyone!!!
  756. flow Daniel, fwiw: https://github.com/ptrd/kwik/blob/3458cd17f76d9cd0ad0b17536af6bcd03bb96081/src/main/java/net/luminis/quic/run/SampleClient.java#L57-L61
  757. lovetox has left
  758. Daniel flow: 👍
  759. flow now of course, the question is if kwik is portable and runs on android
  760. coleman has left
  761. coleman has joined
  762. moparisthebest Daniel: please pay attention to "Kwik implemented it's own TLS lib and should not be used" from it's readme
  763. raghavgururajan has left
  764. Daniel Yes I saw that. I have no plans on using that
  765. flow yep, that was just to show that quic client libraries provide a stream abstraction of the quic transport
  766. moparisthebest Cool, easy to miss, scares me they don't put that up top :/
  767. moparisthebest I'll soon see how much of a nightmare interfacing rust and Java/Android is in practice :'(
  768. stpeter Wow, is Jakob Schröter still maintaining gloox? He's been working on that for ages.
  769. xnamed has left
  770. flow he certainly has
  771. stpeter I mean, we had a commercial license for it at JINC circa 2004 (IIRC).
  772. moparisthebest You can tell it's been ages because he uses SVN :)
  773. stpeter heh
  774. moparisthebest Could be CVS I guess
  775. Kev > I'd somehow assume that he is aware of this. I wonder if gloox being gpl even suggests that zoom bought a license from him I know Jakob selling licenses was a thing, I would assume Zoom did (shame they didn't pick Swiften :D)
  776. *IM* has left
  777. Kev Ah, Peter got here before me.
  778. lovetox has joined
  779. stpeter waves to Kev
  780. marc has left
  781. Kev waves back
  782. moparisthebest Kev: what does swiften use for parsing XML?
  783. moparisthebest Seems like this class of bug could be rather widespread
  784. moparisthebest I mean hopefully no XMPP clients are downloading and running software but the impersonation aspect
  785. Kev Expat or libxml2 at user's choice.
  786. Kev libxml2 being the better choice.
  787. Kev s/user's choice/dev's choice/
  788. harry837374884 has left
  789. marc has joined
  790. Dele Olajide has left
  791. harry837374884 has joined
  792. moparisthebest Would be interesting to do an inventory of all the various XML parsers and see if any parse differently like this
  793. flow Kev, why libxml2 >> Expat?
  794. moparisthebest And by interesting I mean I would enjoy reading someone else's summary because that seems like an absolutely massive amount of work :D
  795. papatutuwawa has joined
  796. adiaholic has left
  797. sbach has left
  798. sbach has joined
  799. sbach has left
  800. sbach has joined
  801. adiaholic has joined
  802. Ingolf has left
  803. adiaholic has left
  804. Ingolf has joined
  805. Tobias has left
  806. Tobias has joined
  807. Andrzej has joined
  808. Tobias has left
  809. Tobias has joined
  810. Tobias has left
  811. Tobias has joined
  812. Dele Olajide has joined
  813. antranigv has left
  814. harry837374884 has left
  815. harry837374884 has joined
  816. Andrzej has left
  817. Tim R has left
  818. Kev flow: I honestly don't remember why I think that :D
  819. djorz has left
  820. floretta has left
  821. Tobias has left
  822. Tobias has joined
  823. antranigv has joined
  824. stpeter has left
  825. Sam has left
  826. Tim R has joined
  827. Sam has joined
  828. adiaholic has joined
  829. chipmnk has left
  830. chipmnk has joined
  831. antranigv has left
  832. antranigv has joined
  833. antranigv has left
  834. antranigv has joined
  835. Tobias has left
  836. Tobias has joined
  837. moparisthebest oh, that's also an expat bug (reported, was it fixed?) and a bug in ejabberd's fast_xml, fun stuff
  838. moparisthebest so much for flow 's "well tested libraries" eh :P
  839. Tobias has left
  840. Tobias has joined
  841. neshtaxmpp has left
  842. neshtaxmpp has joined
  843. karoshi has left
  844. moparisthebest expat CVEs: https://nvd.nist.gov/vuln/detail/CVE-2022-25236 / https://nvd.nist.gov/vuln/detail/CVE-2022-25235
  845. jonas’ what are we looking at? anything I should watch out for in rxml? dino doesn't have sufficient scrollback and I am too tired to open my poezio shell and scroll.
  846. moparisthebest jonas’, about, 3 or 4 XML-specific bugs not counting the zoom RCE from https://bugs.chromium.org/p/project-zero/issues/detail?id=2254
  847. moparisthebest and yes re: rxml, basically does it parse these the same way expat does, what does it do in the face of utf-8 nonsense etc
  848. moparisthebest in english the bug is roughly "can you pass a single stanza through a server that a client interprets as more-than-one stanza"
  849. moparisthebest if so, since the server isn't checking the inner one, you can spoof literally anything to the client
  850. emus *Those are the accepted contributors for the XSF!!!* *A warm welcome again Patiga and Pawbud! * *I will communicated via our channels soon! Are there any annotations here?* Patiga: More flexibility in dino file transfers Resource-wise, messenger applications tend to be on the lightweight side of the spectrum. This drastically changes when file transfers are added to the equation. File transfers can introduce arbitrary more resource-usage, both on network and data storage aspects. To alleviate this issue, stateless file sharing empowers the user to make informed decisions on which files to load. Deliverables • Unified handling of http and jingle (peer-to-peer) file transfers • Enable sending metadata alongside files • Thumbnail previews for images https://summerofcode.withgoogle.com/programs/2022/projects/z9ixHTWZ Pawbud: Adding support for Audio/Video Communication via Jingle The idea is to add support for Audio & Video communication through the Jingle protocol. The goal is to create a Converse plugin that adds the ability to make one-on-one audio/video calls from Converse. The audio/video calls will be compatible with other XMPP clients. https://summerofcode.withgoogle.com/programs/2022/projects/0nRwZN19
  851. jonas’ moparisthebest, well, rxml uses rust strings, and as I don't have any unsafe { from_utf8_unchecked(..) } in there, I should be golden on the UTF-8 front I think.
  852. adiaholic has left
  853. adiaholic has joined
  854. moparisthebest I suspect so also
  855. jonas’ oh god
  856. jonas’ the gloox/expat mixture there is explosive, and a nice find
  857. jonas’ meanwhile, people complaining that rxml refuses <?xml-stylesheet ..?>
  858. konstantinos has left
  859. mh has left
  860. Zash muh nice-looking atom feeds!
  861. moparisthebest I'm pretty much completely convinced at this point that using generic XML libraries for XMPP is a giant mistake
  862. jonas’ said the one dissecting XMPP streams with .find() ;P
  863. jonas’ (which is just barely better)
  864. moparisthebest I agree, I just think it's better than pulling in expat, rxml didn't exist at that point :P
  865. junaid has joined
  866. jonas’ may 11 vs. apr 14, you win, but only barely
  867. sbach has left
  868. sbach has joined
  869. mh has joined
  870. sbach has left
  871. moparisthebest besides, mine sits in between the server and the client, so I've got parsers on both ends, it doesn't actually matter if I forward crap :D
  872. sbach has joined
  873. Zash Wouldn't .find([<>]) be sensitive to broken half of UTF-8 sequences messing with it?
  874. jonas’ Zash, uhhhh
  875. jonas’ iiiinteresting
  876. antranigv has left
  877. jonas’ though that'd then drop dead on the real parsers on the other end (if it's not gloox, apparently. or expat?)
  878. Zash which was what I gathered from that Zoom issue
  879. jonas’ and another point in moparisthebest's favour is that initially, rxml had its own utf8 decoder, which wasn't just slow but also a source of errors (most of which *probably* have been found by fuzzing, but you never know)
  880. jonas’ and another point in moparisthebest's favour is that initially, rxml had its own utf8 decoder, which wasn't just slow but also a source of errors (most of which *probably* had eventually been found by fuzzing, but you never know)
  881. moparisthebest that scared me and is why I didn't consider using it originally, but now you said that's gone, and I just haven't went back and looked again yet
  882. konstantinos has joined
  883. moparisthebest I'd only be using it for websocket <-> regular xmpp conversions, the only other thing I use find() for is extracting the target domain from <stream to= which even ejabberd doesn't use a proper XML parser on, it's fine :D
  884. floretta has joined
  885. moparisthebest otherwise it doesn't parse any XML, that's the whole point even
  886. jonas’ doesn't it do that to enforce stanza size limits?
  887. Half-Shot has left
  888. homebeach has left
  889. Matthew has left
  890. uhoreg has left
  891. Half-Shot has joined
  892. Matthew has joined
  893. homebeach has joined
  894. uhoreg has joined
  895. xnamed has joined
  896. Tobias has left
  897. Tobias has joined
  898. moparisthebest no, it enforces stanza size limits without parsing XML
  899. jonas’ it counts delimiters, which for me counts as parsing XML
  900. moparisthebest it spits out whole stanzas at a time, that may or may not be valid XML, but they are complete stanzas under the specified length limit
  901. adiaholic has left
  902. mh has left
  903. djorz has joined
  904. moparisthebest it's only counting, forward-only (never backtracking), not allocating ever, and stops at a pre-defined limit, I know these are famous last words but I don't think it could ever be vulnerable to anything :)
  905. jonas’ fun fact: a bug in the depth counting in aioxmpp led to a viable remote stanza smuggling attack :)
  906. karoshi has joined
  907. moparisthebest but that's an XML parser no? this is "here is a byte slice, if it's valid XML it's a whole stanza, not a partial one, have fun"
  908. jonas’ that was actually after the xml parser
  909. konstantinos has left
  910. jonas’ just counting startelement/endelement can be surprisingly tricky
  911. adiaholic has joined
  912. jonas’ https://github.com/horazont/aioxmpp/commit/29ff0838a40f58efe30a4bbcea95aa8dab7da475 fwiw
  913. moparisthebest the point is you can then use a dom parser, so it's basically like websocket then, you don't need a SAX parser to tell you when a stanza begins/ends
  914. moparisthebest websocket also says "here is a byte slice, if it's valid XML it's a whole stanza, not a partial one, have fun"
  915. mh has joined
  916. Tobias has left
  917. Tobias has joined
  918. adiaholic has left
  919. Dele Olajide has left
  920. adiaholic has joined
  921. flow moparisthebest, at leat someone will look at the libraries. if everyone uses their own implemention, then bugs will propably go unnoticed forever. Note that I was mentally excluding all C/C++ kind of libaries. I am not sure if any network facing application should ever use those, especially clients, but proably also server applications
  922. sernick has joined
  923. moparisthebest How many years have people looked at expat, how many CVEs in the last year
  924. moparisthebest But yes I agree in general that well tested XMPP-specific libraries in sane languages should be used widely
  925. jonas’ I haven't yet seen anything like rxml in other languages
  926. jonas’ maybe I should see if I can make a C interface for it?
  927. flow while I don't see the need for XMPP specific XML and Unicode libraries, I am happy that we can at least aggree that code should be well-tested
  928. flow that said, I wouldn't mind if XML parsers had different module like "XMPP restricted"
  929. djorz has left
  930. flow I know the evil unrestricted code would be still there, and depending on the paranoia level, this will bother some
  931. marc has left
  932. marc has joined
  933. Sam has left
  934. atomicwatch has left
  935. Yagiza has left
  936. harry837374884 has left
  937. Sam has joined
  938. sernick has left
  939. moparisthebest C devs, the theory: I know how to manage my own memory, I won't write unsafe code
  940. atomicwatch has joined
  941. moparisthebest C devs, the practice: 85% of security vulnerabilites are unsafe memory management
  942. moparisthebest XMPP devs, the theory: I know how to properly configure expat/my XML lib
  943. moparisthebest XMPP devs, the practice: 85% of security vulnerabilities are mis-configured expat (ok I made up this % but I bet it's close :P)
  944. Half-Shot has left
  945. homebeach has left
  946. Matthew has left
  947. uhoreg has left
  948. Half-Shot has joined
  949. Matthew has joined
  950. homebeach has joined
  951. uhoreg has joined
  952. flow Well, no, I actually believe first-time XMPP devs will often just grab the XML parser and be happy that it works
  953. flow So we do have a similar situation here as we have with XHTML-IM: people just use the first tool that comes to their mind, and are happy that it works
  954. flow that said, I believe software, especially libraries should be as restrictive as possible per default, and "explode" if the boundaries of the restrictions are crossed
  955. flow then people can decide if they want to relax the restrictions
  956. lovetox so lets deprecate xml parsers
  957. lovetox every developer needs to write his own from now on
  958. flow I don't see how XML libraries specialized for XMPP would help, in fact, I fear that this would further fragment the software ecosystem
  959. moparisthebest flow, would you call prosody and ejabberd developers "first-time devs" ? because both have had misconfigured-expat bugs in the last few months
  960. restive_monk has left
  961. flow but, again, I wouldn't mind XML parser being restrictive by default and providing specialized modes
  962. moparisthebest we can keep pretending like it won't ever happen again but we all know it will
  963. flow moparisthebest, well, I did not claim that expert users do not run into this
  964. moparisthebest it's not the fault of any of these devs by the way, it's impossible to sanely configure a beast like that
  965. flow that statement strikes me as an exaggeration
  966. flow but that may be because I am happy with my Java parsers :)
  967. moparisthebest ok, let's revisit it if we can go a year without expat problems, let me know :P
  968. flow (java xml parser exploit in Smack in 5, 4, 3, 2, …
  969. flow (java xml parser exploit in Smack in 5, 4, 3, 2, …)
  970. flow sure, but I wonder if libxml2 isn't really the go to C(/C++) XML parser
  971. jonas’ isn't expat the only SAX-capable C/C++ XML parser?
  972. debacle has joined
  973. flow hmm there is also Xerces
  974. flow which claims to be SAX
  975. jonas’ which is even more exotic to me than expat fwiw
  976. jonas’ (also mind that expat is backing python's xml module)
  977. flow dunno, i've heard and stumbled over xerces in a few places
  978. jonas’ first time I recall hearing about it
  979. harry837374884 has joined
  980. flow yeah, but I think it's the java flavor of xerces
  981. flow xerces-c doesn't seem to have that much traction: https://github.com/apache/xerces-c/graphs/contributors
  982. flow compared with
  983. flow https://github.com/libexpat/libexpat/graphs/contributors
  984. flow https://github.com/GNOME/libxml2/graphs/contributors
  985. Kev So, listen, I've just had a completely novel and crazy idea. How about we use something other than XML? I've heard great things about YAML...
  986. flow cap'n'proto ftw
  987. sbach has left
  988. sbach has joined
  989. adiaholic has left
  990. moparisthebest wow, this is worse than I thought, it's simple math really, let's guess which has more bugs:
  991. moparisthebest $ ./scc libxml2/ ─────────────────────────────────────────────────────────────────────────────── Language Files Lines Blanks Comments Code Complexity ─────────────────────────────────────────────────────────────────────────────── C 107 279146 24353 46516 208277 55075 C Header 66 16451 1547 4402 10502 308
  992. moparisthebest expat: C Header 23 3464 331 1545 1588 40 C 22 29409 2162 2838 24409 4621
  993. moparisthebest rxml: Rust 25 16202 757 1944 13501 444
  994. moparisthebest it's *absolutely astounding* that libxml2 has 10x the C code that expat does holy hell
  995. jonas’ well, expat doesn't have a DOM, does it. nor does it do xslt or xpath.
  996. moparisthebest wonder how it factors code complexity cause each one is a few orders of magnitude off haha
  997. moparisthebest jonas’, challenge: expat-compatible API for rxml, just no-op all the configuration functions :D
  998. djorz has joined
  999. jonas’ moparisthebest, I have that on my todo, actually, but only for lua-expat :)
  1000. Fishbowler has left
  1001. Fishbowler has joined
  1002. restive_monk has joined
  1003. neshtaxmpp has left
  1004. neshtaxmpp has joined
  1005. restive_monk has left
  1006. atomicwatch has left
  1007. moparisthebest flow, xerces: Java 832 260492 31434 86353 142705 30512 almost as many lines as libxml2 but 8x the files, god bless java
  1008. nuron has left
  1009. emus Welcome our Google Summer of Code contributors! - Patiga will work on more flexible file transfers in #Dino https://summerofcode.withgoogle.com/programs/2022/projects/z9ixHTWZ - PawBud will work towards adding support for A/V #communication via #Jingle in #ConverseJS https://summerofcode.withgoogle.com/programs/2022/projects/0nRwZN19 #XMPP #GSoC #Google #Standards https://fosstodon.org/web/@xmpp/108358826402429966 https://twitter.com/xmpp/status/1529199174729728000
  1010. nuron has joined
  1011. Tim R has left
  1012. rebeld22 emus: No one wants to work for Google.
  1013. david has joined
  1014. david has left
  1015. jonas’ rebeld22, excuse me what?
  1016. jonas’ that's not exactly "welcoming"
  1017. david has joined
  1018. david has left
  1019. wgreenhouse has left
  1020. arc has joined
  1021. papatutuwawa has left
  1022. rebeld22 jonas’: Sorry, but what you mean?
  1023. wgreenhouse has joined
  1024. emus I assume it's time to say good night! 👻️
  1025. thndrbvr has left
  1026. thndrbvr has joined
  1027. Sam has left
  1028. restive_monk has joined
  1029. Sam has joined
  1030. atomicwatch has joined
  1031. msavoritias has left
  1032. adiaholic has joined
  1033. adiaholic has left
  1034. Dele Olajide has joined
  1035. bean has left
  1036. djorz has left
  1037. Sam has left
  1038. djorz has joined
  1039. Sam has joined
  1040. Kev has left
  1041. restive_monk has left
  1042. Kev has joined
  1043. Kev has left
  1044. Kev has joined
  1045. emus I'm in my bed already, but if someone volunteers to guide the user that unspecified asks for help below the Fosstodon tweet - that would be really great! 🙏❤
  1046. sbach has left
  1047. sbach has joined
  1048. antranigv has joined
  1049. qy jonas’, known troll-type
  1050. pablo has left
  1051. qy ooh, finally an implementation of SFS
  1052. qy good luck, Pagita
  1053. qy good luck, Patiga!
  1054. floretta has left
  1055. moparisthebest ooh, that is full of foot-guns of the unlimited-sized-stream variety ala https://www.moparisthebest.com/httppppppppppp-upload/
  1056. qy moparisthebest, maybe you should find them on xmpp and help out?
  1057. qy will there be a muc for this work, or a repo
  1058. moparisthebest dino devs have a handle on it :D
  1059. qy heh
  1060. marc has left
  1061. marc has joined
  1062. atomicwatch has left
  1063. Kev has left
  1064. antranigv has left
  1065. Mx2 has left
  1066. wgreenhouse has left
  1067. debacle has left
  1068. *IM* has joined
  1069. Calvin has left
  1070. Tobias has left
  1071. adiaholic has joined
  1072. menel has left
  1073. antranigv has joined
  1074. wgreenhouse has joined
  1075. adiaholic has left
  1076. pablo has joined
  1077. coleman has left
  1078. coleman has joined
  1079. վարյա has left
  1080. վարյա has joined
  1081. neshtaxmpp has left
  1082. neshtaxmpp has joined
  1083. marc has left
  1084. djorz has left
  1085. antranigv has left
  1086. SteveF has left
  1087. pjn has left
  1088. Dele Olajide has left
  1089. pjn has joined
  1090. goffi has left
  1091. Kev has joined
  1092. floretta has joined
  1093. djorz has joined
  1094. neshtaxmpp has left
  1095. Kev has left
  1096. sbach has left
  1097. sbach has joined
  1098. david has joined
  1099. david has left
  1100. jinxd has left
  1101. jgart has joined
  1102. Dele Olajide has joined
  1103. emus has left
  1104. jgart has left
  1105. Titi has joined
  1106. xnamed has left
  1107. adiaholic has joined
  1108. jgart has joined
  1109. adiaholic has left
  1110. jgart has left
  1111. floretta has left
  1112. karoshi has left
  1113. Kev has joined
  1114. floretta has joined
  1115. xnamed has joined
  1116. neshtaxmpp has joined
  1117. adiaholic has joined
  1118. Mx2 has joined
  1119. Dele Olajide has left
  1120. lskdjf has left
  1121. djorz has left
  1122. adiaholic has left
  1123. antranigv has joined
  1124. neshtaxmpp has left
  1125. neshtaxmpp has joined
  1126. pjn has left
  1127. antranigv has left
  1128. antranigv has joined
  1129. pjn has joined
  1130. Kev has left
  1131. floretta has left
  1132. floretta has joined
  1133. Kev has joined
  1134. pablo has left
  1135. վարյա has left
  1136. վարյա has joined
  1137. sbach has left
  1138. sbach has joined
  1139. sbach has left
  1140. sbach has joined
  1141. Kev has left
  1142. Kev has joined