-
emus
singpolyma: next newsletter!
-
Guus
We've previously discussed that with Dialback authentication, having an encrypted connection is preferable over having a non-encrypted connection. This can make it allowable to continue with TLS-for-encryption in circumstances where a connection would typically be closed as a result of a failed TLS negotiation. I'm still struggling to identify what's reasonable here. Is it reasonable to continue using Dialback for authentication when, for example, - the receiving entity has an expired certificate? - the initiating entity has an expired certificate? - the initiating entity has a certificate that identifies the wrong domain? Isn't this effectively a downgrade attack vector?
-
Kev
I think the answer is that it's acceptable 'by configuration'.
-
jonas’
Guus, what that effectively does is that it raises the bar for a successful attack on the stream from passive to active
-
Zash
"Local Policy"
-
jonas’
(compared to "allow unencrypted connections")
-
Guus
Kev/Zash: I was very much dreading that (very valid) argument. :)
-
jonas’
so yeah, if you need that, make it configurable, but don't enable it by default.
-
Zash
Prosody has its certificate auth as a separate thing that doesn't really have protocol, it's just an event or point where it checks the cert and if agreees with configuration it proceeds with Something, which could be SASL EXTERNAL or Dialback
-
Guus
where you write 'certificate auth' you mean 'certificate verification' (and explicitly not 'authentication')?
-
Zash
There's a "check the cert" event. It checks the cert. Depending on policy, connection direction and protocol, that result is used ... somehow.
-
Zash
E.g. if valid certs are required, but only Dialback is available, it'll go ahead with Dialback IFF the cert validates.
-
Zash
As was the case with jabber.org until recently, for mysterious reasons.
-
Guus
I've just mapped out the possible combinations of two Openfire servers with its basic S2S configuration ("require/desire/disable TLS", "ignore cert date expiry", enable/disable Dialback, etc), and I'm coming up with close to 200,000 combinations options - and that's without introducing the 'local policies' that would allow for dialback to be used if TLS fails, as discussing now/here. :S
-
Zash
Disable TLS? In this day and age? GLHF
-
jonas’
then don't allow dialback when TLS fails :-)
-
Kev
> Disable TLS? In this day and age? GLHF There are other networks than the Internet.
-
intosi
There may be reasons why you want to disable TLS, e.g. over certain connections where crypto is a feature of your underlying connection.
-
Guus
Not the point. Even if I removed the option to disable TLS, the permutations are still considerable.
-
Zash
tls {disabled, allowed, required} × valid certificates {required, not required} => 6 ?
-
Zash
6 × {SASL EXTERNAL, not} × {Dialback, not} ≃ 24?
-
MattJ
Deprecate dialback. Require connections are secure by default, and add extension points to override the definition of "secure".
-
MattJ
For those deployments where you may have other forms of non-TLS security, for example
-
Zash
Put XEP-0288 on the compliance suite to deal with the poor unidirectional failure mode of SASL EXTERNAL
-
Zash
Dialback the protocol vs Dialback the ~auth~ verification method?
-
MattJ
s/deal/half patch over/✎ -
MattJ
s/deal with/half patch over/ ✏
-
Zash
Dialback the protocol is ugly but you can skip the actual dialing back and just short-circuit if certificates check out
-
Zash
except for the secuirty bug when I did that 🙁
-
Zash
And with that dialback-without-dialback shortcut, you're back to potential unidirectional half-broken connectiivty✎ -
Zash
And with that dialback-without-dialback shortcut, you're back to potential unidirectional half-broken connectivty ✏
-
singpolyma
The problem with deprecating dialback is we don't really have a replacement yet, do we?
-
singpolyma
DANE but no server really supports that yet
-
Peter Waher
mTLS?
-
MattJ
singpolyma, whether we have a replacement depends on how you define the requirements. Snikket is doing fine with no dialback.
-
singpolyma
MattJ: by just requiring CA valid EXTERNAL?
-
MattJ
Yes
-
singpolyma
Right. But one doesn't use dialback in that case normally (does any server even allow you to?) so I wouldn't call it a replacement
-
MattJ
In what case does one use dialback, then? When the attacker is unable to obtain a valid certificate? :)
-
singpolyma
When the other server isn't using a cert from a CA that you're aware of and/or when you don't want to put the security of your server in the hands of random CAs
-
jonas’
wouldn't you rather use DANE there?
-
singpolyma
jonas’: yes, Dane would be a great replacement
-
jonas’
so let's just do that?
-
MattJ
> 13:22:48 singpolyma> DANE but no server really supports that yet
-
MattJ
My main dislike of dialback isn't even the security (which is very similar to the challenge-based stuff Let's Encrypt is built on), it's the complexity of it
-
moparisthebest
DANE on the internet and same-cert over Tor, what else is needed?
-
Guus
Zash's math made me look twice at mine. Based on his feedback, I've reduces the amount of server configuration permutations to 18 (which is in line with what Zash had). Still if the other end has as many, that racks up to 324 different combinations. Some permutations do not make a lot of sense (disallowing TLS but having a certificate, for example), but still, things add up quickly, especially if I start adding more configuration options (eg: 'allow expired certs').
-
Guus
I'm also starting to lean towards the "if you want TLS for encryption but are happy to have Dialback auth, then you should use an anonymous cypher". That way, the implementation isn't explicitly told to ignore a failing TLS mechanism.
-
MattJ
📢 Update from iteam: we have been donated a replacement server by USSHC, and Kev has restored the latest daily backups we had from the old server onto the new one. There are still a few tasks to complete to get the server fully operational again, but we're getting there!
-
Guus
That's very generous of USSHC. I'm guessing that the old server now has actual value due to its rarity? :)
-
MattJ
As a coffee table, perhaps
-
Zash
> When the other server isn't using a cert from a CA that you're aware of and/or when you don't want to put the security of your server in the hands of random CAs There's only one now tho ;)
-
arc
Morgen
-
emus
Moin!
-
stpeter
Hi Arc!
-
ralphm
Board Meeting: https://meet.jit.si/XSF-Board-2023-04-05
-
arc
Hi
-
stpeter
@arc we’re chatting via Jitsi
-
stpeter
Thanks, all. Minutes to follow later today.
-
MattJ
Thanks :)
-
emus
Thanks all
-
Seve
When is the next board meeting happening?
-
arc
I thought it was May 4th at 1600 UTC
-
arc
May the 4th be with you
-
arc
I could also do the third if we are just doing text but my camera is used for the work meetings for a hour Wednesday mornings starting 15:30
-
ralphm
stpeter, MattJ I've added you as calendar admins, and did some cleanup on that list of people.
-
moparisthebest
arc: iirc you are nearish Portland OR, did you see the announcement of the XMPP track at FOSSY in July ?
-
arc
Yes and I plan to attend
-
arc
Especially now that I can walk again
-
moparisthebest
Very nice, on both counts
-
arc
I was originally told that might be my Christmas miracle this year
-
arc
However, as a rugby player I do not take head injuries lightly.. as soon as they gave me the wheelchair I pulled out the sawhorses and started doing squats so that when I was able to walk mentally I would also be physically able
-
arc
See the problem with these estimates is the often require months of physical therapy to restore strength lost to atrophy from being in the wheelchair to begin with
-
arc
Needless to say this is not my first rodeo.. a year became 7 weeks plus another month with a walker, my neurologist said she has never seen anyone recover so quickly
-
arc
I am back at Aikido class doing acrobatic backrolls, my voice needs more work and I am still not walking very fast but still tremendous progress and I should be able to walk to the convention center
-
Guus
Good to hear that arc !
-
arc
Portland has a very beautiful pedestrian bridge that crosses the Willamette River that is near the convention center called Tillikum Crossing, everyone should make a effort to walk the bridge when they visit Portland
-
arc
OMSI, kind of a science museum for kids, is on the east side of the bridge so it is popular for families
-
Arne
Arg, just came back and unfortunately missed the board meeting.
-
Arne
I'll be there next time.
-
arc
I almost missed it too because of a scheduling conflict
-
arc
Jitsi didn't want to open while Amazon Chime was in a different meeting
-
Arne
Ah, then see you next time too!
-
arc
Meetings are normally 30 minutes or less but it ran for an hour this month so I was able to catch the second half
-
stpeter
Thanks, Ralph!
-
emus
Do you hear this?
-
wurstsalat
What?
-
emus
https://jabbers.one:5281/file_share/FGMssi6Va1sODI6DB9qCkP2B/Boat%20Horn%20Sound%20Effect.opus
-
emus
https://jabbers.one:5281/file_share/q9nfbj9MbFCV-dI44TwAdDS8/elbe-sprint.png
-
emus
Please wait for further announcement, before you book anything. But consider to put it into your calendar 🙂
-
neox
Oh
-
neox
Great
-
wurstsalat
Whoop whoop!
-
root
> Portland has a very beautiful pedestrian bridge that crosses the Willamette River that is near the convention center called Tillikum Crossing, everyone should make a effort to walk the bridge when they visit Portland arc: when I go down to Portland for FOSSY I plan to bring my DSLR! So sight seeing is on my schedule :) ↺
-
arc
You should certainly get a couple shots of that bridge. Of course we have many bridges but I think that is the most beautiful
-
root
arc: 👍
-
arc
Of course there are many waterfront trails with a ton of beautiful sights
-
arc
I live a block from the river and when I leave the back door open random ducks and geese come in looking for food
-
arc
Of course you want to do the classic plant scavenger hunt.. Oregon grape for example. The leaves look like Holly, but the berries are yellow and will turn blue or purple later in the year
-
arc
Oregon grape is our state flower and it grows everywhere
-
arc
You can also very easily clone it
-
arc
People make jellies out of them and by adding a lot of sugar or pectin you can make them halfway decent, but I find them to chase somewhere on the spectrum between sour and bitter by themselves but they are edible
-
stpeter
I’ve added minutes at https://wiki.xmpp.org/web/Board-Meeting-2023-04-05