XSF Discussion - 2023-04-05

  1. emus

    singpolyma: next newsletter!

  2. Guus

    We've previously discussed that with Dialback authentication, having an encrypted connection is preferable over having a non-encrypted connection. This can make it allowable to continue with TLS-for-encryption in circumstances where a connection would typically be closed as a result of a failed TLS negotiation. I'm still struggling to identify what's reasonable here. Is it reasonable to continue using Dialback for authentication when, for example, - the receiving entity has an expired certificate? - the initiating entity has an expired certificate? - the initiating entity has a certificate that identifies the wrong domain? Isn't this effectively a downgrade attack vector?

  3. Kev

    I think the answer is that it's acceptable 'by configuration'.

  4. jonas’

    Guus, what that effectively does is that it raises the bar for a successful attack on the stream from passive to active

  5. Zash

    "Local Policy"

  6. jonas’

    (compared to "allow unencrypted connections")

  7. Guus

    Kev/Zash: I was very much dreading that (very valid) argument. :)

  8. jonas’

    so yeah, if you need that, make it configurable, but don't enable it by default.

  9. Zash

    Prosody has its certificate auth as a separate thing that doesn't really have protocol, it's just an event or point where it checks the cert and if agreees with configuration it proceeds with Something, which could be SASL EXTERNAL or Dialback

  10. Guus

    where you write 'certificate auth' you mean 'certificate verification' (and explicitly not 'authentication')?

  11. Zash

    There's a "check the cert" event. It checks the cert. Depending on policy, connection direction and protocol, that result is used ... somehow.

  12. Zash

    E.g. if valid certs are required, but only Dialback is available, it'll go ahead with Dialback IFF the cert validates.

  13. Zash

    As was the case with jabber.org until recently, for mysterious reasons.

  14. Guus

    I've just mapped out the possible combinations of two Openfire servers with its basic S2S configuration ("require/desire/disable TLS", "ignore cert date expiry", enable/disable Dialback, etc), and I'm coming up with close to 200,000 combinations options - and that's without introducing the 'local policies' that would allow for dialback to be used if TLS fails, as discussing now/here. :S

  15. Zash

    Disable TLS? In this day and age? GLHF

  16. jonas’

    then don't allow dialback when TLS fails :-)

  17. Kev

    > Disable TLS? In this day and age? GLHF There are other networks than the Internet.

  18. intosi

    There may be reasons why you want to disable TLS, e.g. over certain connections where crypto is a feature of your underlying connection.

  19. Guus

    Not the point. Even if I removed the option to disable TLS, the permutations are still considerable.

  20. Zash

    tls {disabled, allowed, required} × valid certificates {required, not required} => 6 ?

  21. Zash

    6 × {SASL EXTERNAL, not} × {Dialback, not} ≃ 24?

  22. MattJ

    Deprecate dialback. Require connections are secure by default, and add extension points to override the definition of "secure".

  23. MattJ

    For those deployments where you may have other forms of non-TLS security, for example

  24. Zash

    Put XEP-0288 on the compliance suite to deal with the poor unidirectional failure mode of SASL EXTERNAL

  25. Zash

    Dialback the protocol vs Dialback the ~auth~ verification method?

  26. MattJ

    s/deal/half patch over/

  27. MattJ

    s/deal with/half patch over/

  28. Zash

    Dialback the protocol is ugly but you can skip the actual dialing back and just short-circuit if certificates check out

  29. Zash

    except for the secuirty bug when I did that 🙁

  30. Zash

    And with that dialback-without-dialback shortcut, you're back to potential unidirectional half-broken connectiivty

  31. Zash

    And with that dialback-without-dialback shortcut, you're back to potential unidirectional half-broken connectivty

  32. singpolyma

    The problem with deprecating dialback is we don't really have a replacement yet, do we?

  33. singpolyma

    DANE but no server really supports that yet

  34. Peter Waher


  35. MattJ

    singpolyma, whether we have a replacement depends on how you define the requirements. Snikket is doing fine with no dialback.

  36. singpolyma

    MattJ: by just requiring CA valid EXTERNAL?

  37. MattJ


  38. singpolyma

    Right. But one doesn't use dialback in that case normally (does any server even allow you to?) so I wouldn't call it a replacement

  39. MattJ

    In what case does one use dialback, then? When the attacker is unable to obtain a valid certificate? :)

  40. singpolyma

    When the other server isn't using a cert from a CA that you're aware of and/or when you don't want to put the security of your server in the hands of random CAs

  41. jonas’

    wouldn't you rather use DANE there?

  42. singpolyma

    jonas’: yes, Dane would be a great replacement

  43. jonas’

    so let's just do that?

  44. MattJ

    > 13:22:48 singpolyma> DANE but no server really supports that yet

  45. MattJ

    My main dislike of dialback isn't even the security (which is very similar to the challenge-based stuff Let's Encrypt is built on), it's the complexity of it

  46. moparisthebest

    DANE on the internet and same-cert over Tor, what else is needed?

  47. Guus

    Zash's math made me look twice at mine. Based on his feedback, I've reduces the amount of server configuration permutations to 18 (which is in line with what Zash had). Still if the other end has as many, that racks up to 324 different combinations. Some permutations do not make a lot of sense (disallowing TLS but having a certificate, for example), but still, things add up quickly, especially if I start adding more configuration options (eg: 'allow expired certs').

  48. Guus

    I'm also starting to lean towards the "if you want TLS for encryption but are happy to have Dialback auth, then you should use an anonymous cypher". That way, the implementation isn't explicitly told to ignore a failing TLS mechanism.

  49. MattJ

    📢 Update from iteam: we have been donated a replacement server by USSHC, and Kev has restored the latest daily backups we had from the old server onto the new one. There are still a few tasks to complete to get the server fully operational again, but we're getting there!

  50. Guus

    That's very generous of USSHC. I'm guessing that the old server now has actual value due to its rarity? :)

  51. MattJ

    As a coffee table, perhaps

  52. Zash

    > When the other server isn't using a cert from a CA that you're aware of and/or when you don't want to put the security of your server in the hands of random CAs There's only one now tho ;)

  53. arc


  54. emus


  55. stpeter

    Hi Arc!

  56. ralphm

    Board Meeting: https://meet.jit.si/XSF-Board-2023-04-05

  57. arc


  58. stpeter

    @arc we’re chatting via Jitsi

  59. stpeter

    Thanks, all. Minutes to follow later today.

  60. MattJ

    Thanks :)

  61. emus

    Thanks all

  62. Seve

    When is the next board meeting happening?

  63. arc

    I thought it was May 4th at 1600 UTC

  64. arc

    May the 4th be with you

  65. arc

    I could also do the third if we are just doing text but my camera is used for the work meetings for a hour Wednesday mornings starting 15:30

  66. ralphm

    stpeter, MattJ I've added you as calendar admins, and did some cleanup on that list of people.

  67. moparisthebest

    arc: iirc you are nearish Portland OR, did you see the announcement of the XMPP track at FOSSY in July ?

  68. arc

    Yes and I plan to attend

  69. arc

    Especially now that I can walk again

  70. moparisthebest

    Very nice, on both counts

  71. arc

    I was originally told that might be my Christmas miracle this year

  72. arc

    However, as a rugby player I do not take head injuries lightly.. as soon as they gave me the wheelchair I pulled out the sawhorses and started doing squats so that when I was able to walk mentally I would also be physically able

  73. arc

    See the problem with these estimates is the often require months of physical therapy to restore strength lost to atrophy from being in the wheelchair to begin with

  74. arc

    Needless to say this is not my first rodeo.. a year became 7 weeks plus another month with a walker, my neurologist said she has never seen anyone recover so quickly

  75. arc

    I am back at Aikido class doing acrobatic backrolls, my voice needs more work and I am still not walking very fast but still tremendous progress and I should be able to walk to the convention center

  76. Guus

    Good to hear that arc !

  77. arc

    Portland has a very beautiful pedestrian bridge that crosses the Willamette River that is near the convention center called Tillikum Crossing, everyone should make a effort to walk the bridge when they visit Portland

  78. arc

    OMSI, kind of a science museum for kids, is on the east side of the bridge so it is popular for families

  79. Arne

    Arg, just came back and unfortunately missed the board meeting.

  80. Arne

    I'll be there next time.

  81. arc

    I almost missed it too because of a scheduling conflict

  82. arc

    Jitsi didn't want to open while Amazon Chime was in a different meeting

  83. Arne

    Ah, then see you next time too!

  84. arc

    Meetings are normally 30 minutes or less but it ran for an hour this month so I was able to catch the second half

  85. stpeter

    Thanks, Ralph!

  86. emus

    Do you hear this?

  87. wurstsalat


  88. emus


  89. emus


  90. emus

    Please wait for further announcement, before you book anything. But consider to put it into your calendar 🙂

  91. neox


  92. neox


  93. wurstsalat

    Whoop whoop!

  94. root

    > Portland has a very beautiful pedestrian bridge that crosses the Willamette River that is near the convention center called Tillikum Crossing, everyone should make a effort to walk the bridge when they visit Portland arc: when I go down to Portland for FOSSY I plan to bring my DSLR! So sight seeing is on my schedule :)

  95. arc

    You should certainly get a couple shots of that bridge. Of course we have many bridges but I think that is the most beautiful

  96. root

    arc: 👍

  97. arc

    Of course there are many waterfront trails with a ton of beautiful sights

  98. arc

    I live a block from the river and when I leave the back door open random ducks and geese come in looking for food

  99. arc

    Of course you want to do the classic plant scavenger hunt.. Oregon grape for example. The leaves look like Holly, but the berries are yellow and will turn blue or purple later in the year

  100. arc

    Oregon grape is our state flower and it grows everywhere

  101. arc

    You can also very easily clone it

  102. arc

    People make jellies out of them and by adding a lot of sugar or pectin you can make them halfway decent, but I find them to chase somewhere on the spectrum between sour and bitter by themselves but they are edible

  103. stpeter

    I’ve added minutes at https://wiki.xmpp.org/web/Board-Meeting-2023-04-05