XSF Discussion - 2022-07-02


  1. raghavgururajan

    So, jabber.org is no longer owned by a company now?

  2. raghavgururajan

    If so, it'd be great to migrate xmpp.org to jabber.org, IMO. :)

  3. moparisthebest

    raghavgururajan: the trademark jabber is still owned by Cisco though, just stop using it

  4. raghavgururajan

    moparisthebest: I see. I thought TMs expire after certain years.

  5. Guus

    There are a couple of very useful online scanners for XMPP, for features and TLS compatibility, but is there also an XMPP vulnerability scanner? Something that scans domains for known issues?

  6. raghavgururajan

    Guus: [1] https://xmpp.net [2] https://compliance.conversations.im/

  7. raghavgururajan

    Guus: Oh, never mind. Misunderstood your message.

  8. guus.der.kinderen

    Yup, those were the ones that I was referring to as 'very useful scanners'. :)

  9. MattJ

    guus.der.kinderen: do you have any specific vulnerabilities in mind?

  10. emus

    For this Newsletter release we cannot rely on wurstsalat updating the XEP section. Hence, is there someone who can volunteer to update the XEP development for June? That would be really great!

  11. guus.der.kinderen

    MattJ: Nothing specific, no, but I would not be surprised if we could easily come up with a number of things worthwhile checking for. Open in-band registration without any kind of out-of-band verification, specific server-side vulnerabilities that Ge0rG and moparisthebest undoubtedly have many listings from, etc.

  12. MattJ

    My feeling is that if you want those things, they would be better as part of an existing security scanner framework

  13. Guus

    That's why I'm asking. The grander scheme was to see if we can add a preexisting XMPP scanner to the KAT framework that's being open sourced by the Dutch government.

  14. Ge0rG

    Guus: surprisingly, I don't have any server vulnerabilities on my hands, and I only know of one evil OOM DoS attack

  15. Ge0rG

    There are so many exciting things I'd like to develop - or rather get developed by a competent student in exchange for credit points

  16. L29Ah

    credit points huh

  17. L29Ah

    that's even beyond food stamps

  18. Ge0rG

    Well, I could even offer money to German students interested in security, but not for xmpp

  19. Zash

    maybe it holds up better vs the inflation

  20. moparisthebest

    Some things you can't really scan for though, like if they are vulnerable to a memory dos

  21. Ge0rG

    What about some EXI or SOAP instead?

  22. Ge0rG

    moparisthebest: it depends on how long you scan 😁

  23. Zash

    Aren't there things that compare distro package management inventory against CVE databases?

  24. moparisthebest

    Sure you can attack but not really scan

  25. Ge0rG

    Zash: yeah, need to run those on the server though