-
raghavgururajan
So, jabber.org is no longer owned by a company now?
-
raghavgururajan
If so, it'd be great to migrate xmpp.org to jabber.org, IMO. :)
-
moparisthebest
raghavgururajan: the trademark jabber is still owned by Cisco though, just stop using it
-
raghavgururajan
moparisthebest: I see. I thought TMs expire after certain years.
-
Guus
There are a couple of very useful online scanners for XMPP, for features and TLS compatibility, but is there also an XMPP vulnerability scanner? Something that scans domains for known issues?
-
raghavgururajan
Guus: [1] https://xmpp.net [2] https://compliance.conversations.im/
-
raghavgururajan
Guus: Oh, never mind. Misunderstood your message.
-
guus.der.kinderen
Yup, those were the ones that I was referring to as 'very useful scanners'. :)
-
MattJ
guus.der.kinderen: do you have any specific vulnerabilities in mind?
-
emus
This Newsletter release we cannot rely on wurstsalat updating the XEP section. Hence, is there someone who can volunteer to update the XEP development for June? That would be really great!
-
guus.der.kinderen
MattJ: Nothing specific, no, but I would not be surprised if we could easily come up with a number of things worthwhile checking for. Open in-band registration without any kind of out-of-band verification, specific server-side vulnerabilities that Ge0rG and moparisthebest undoubtedly have many listings from, etc.
-
MattJ
My feeling is that if you want those things, they would be better as part of an existing security scanner framework
-
Guus
That's why I'm asking. The grander scheme was to see if we can add a preexisting XMPP scanner to the KAT framework that's being open sourced by the Dutch government.
-
Ge0rG
Guus: surprisingly, I don't have any server vulnerabilities on my hands, and I only know of one evil OOM DoS attack
-
Ge0rG
There are so many exciting things I'd like to develop - or rather get developed by a competent student in exchange for credit points
-
L29Ah
credit points huh
-
L29Ah
that's even beyond food stamps
-
Ge0rG
Well, I could even offer money to German students interested in security, but not for xmpp
-
Zash
maybe it holds up better vs the inflation
-
moparisthebest
Some things you can't really scan for though, like if they are vulnerable to a memory DoS
-
Ge0rG
What about some EXI or SOAP instead?
-
Ge0rG
moparisthebest: it depends on how long you scan 😁
-
Zash
Aren't there things that compare distro package management inventory against CVE databases?
-
moparisthebest
Sure you can attack but not really scan
-
Ge0rG
Zash: yeah, need to run those on the server though