XSF Discussion - 2024-03-30


  1. kurisu

    Do C or Dino support "jingle file requests"? I.e. senders='responder'

  2. kurisu

    or does any client worth mentioning

  3. kurisu

    or any client in the history of anything ever

  4. Menel

    If what you ask is https://xmpp.org/extensions/xep-0234.html#requesting then yes.

  5. kurisu

    Yes for C and Dino?

  6. Menel

    Yes, you can use this tool to search for xeps in software https://xmpp.org/software/?platform=all-platforms It's not complete for all that exist, but very nice

  7. kurisu

    Not parts of xeps...

  8. Menel

    ?

  9. cal0pteryx

    The extensions table at https://xmpp.org/extensions/ now offers a filter for dormant XEPs in Experimental/Deferred. States are indicated by icons (with tooltips) as well. Feedback welcome!

  10. MattJ

    cal0pteryx: looks excellent! Thanks!

  11. MattJ

    Now this surfaces deferred XEPs that actually matter

  12. Daniel

    flow could probably ask Council to issue a Last Call for 0440 (channel binding)

  13. MattJ

    cal0pteryx, if there is a turtle icon, it might be more clear than the clock :)

  14. singpolyma

    kurisu: i think no, but I am planning to implement it

  15. theTedd

    cal0pteryx, a suggestion: have the type filters as one dropdown, and "Views" as another; views can then be "All", "Consider Advancing", "Implementations Needed", etc, and further interesting views can be added as wanted

  16. Daniel

    kurisu: it depends a lot on what you are trying to achieve. Requesting a file can be useful for resuming a file transfer

  17. theTedd

    (and maybe a threshold of >=2 before advancement)

  18. kurisu

    Daniel: does C do that?

  19. Daniel

    I might implement it but considering how rarely jingle ft is used it doesn't have priority

  20. Daniel

    kurisu: no

  21. kurisu

    So I thought

  22. edhelas

    Is there a place where we can see what's the state of SASL, and especially SCRAM mechanisms support in the clients and servers ?

  23. Daniel

    No. I would absolutely love to have metrics for that. But my users would hate that sort of thing

  24. edhelas

    Too bad. Movim is supporting SCRAM-SHA-1 and PLAIN, I might drop plain support and I can add a few others but I was wondering about the servers support.

  25. Daniel

    I mean implementing other shas is really either. Just go for it. Doesn't hurt

  26. Daniel

    I mean implementing other shas is really easy . Just go for it. Doesn't hurt

  27. edhelas

    Yeah sure.

  28. singpolyma

    Someday OPAQUE

  29. kurisu

    Aside from Dino and C, does anyone support webrtc file transfer? Web clients perhaps?

  30. singpolyma

    Not yet.

  31. singpolyma

    It's very new

  32. singpolyma

    And I think no one supports the tcp xep yet

  33. moparisthebest

    > Too bad. Movim is supporting SCRAM-SHA-1 and PLAIN, I might drop plain support and I can add a few others but I was wondering about the servers support. edhelas: don't drop plain, that's the best one ! seriously though it's useful for deployments where the password is stored with a good hash (like scrypt) and used across services

  34. Zash

    The old Observatory had SASL stats

  35. edhelas

    Doesn't matter, my password is CorrectHorseBatteryStaple in the end

  36. mdosch

    According to a German newspaper Mb2.r5oHf-0t is the most secure password, so everybody should use it.

  37. mdosch

    https://www.der-postillon.com/2014/04/sicherstes-passwort.html?m=1

  38. mdosch

    https://www.der-postillon.com/2014/04/sicherstes-passwort.html

  39. Zash

    That's the combination to my luggage!

  40. mdosch will steal your Surströmming.

  41. mdosch

    > Is there a place where we can see what's the state of SASL, and especially SCRAM mechanisms support in the clients and servers ? Maybe o.j.n could ask for opt-in to collect those informations? I would opt-in.

  42. mdosch

    That's still only a part of the network but we could at least gather some numbers.

  43. mdosch

    That's still only a part of the network but we could at least gather some numbers for servers.

  44. mdosch

    jonas’: ?

  45. jonas’

    mdosch, no, the code isn't smart enough to query features like that.

  46. mdosch

    Too bad. 🙃

  47. jonas’

    well, SCRAM mechanisms are collected, actually, but no SASL2

  48. moparisthebest

    Why would it matter? For MUCs it's not used, for signing up for a public server you don't care because you 100% need to use a random password unique to that server

  49. Daniel

    Having login mechanism stats would be nice though. I'm strongly considering making channel binding quasi mandatory in a not too distant future

  50. Zash

    Perhaps it could be addded to CAAS?

  51. moparisthebest

    Does channel binding work with PLAIN ?

  52. Zash

    No

  53. Daniel

    moparisthebest: no. You need scram

  54. moparisthebest

    That would break my XMPP setup then which would be sad

  55. moparisthebest

    Am I missing something or does channel binding offer nothing over just pinning keys?

  56. Daniel

    Mitm detection

  57. moparisthebest

    Both catch mitm where the mitm gets a new valid cert, neither catch mitm where the mitm can read the server's disk

  58. Daniel

    LE really doesn't want you to pin keys though

  59. moparisthebest

    You can't pin certs, you can pin keys no problem

  60. Daniel

    But yes I'm aware that PLAIN won't go away for certain deployments. But I'm ready to have them dig into some expert setting and disable the 'mitm protection checkbox'

  61. moparisthebest

    How about also implement pinning keys and then require one or the other since they offer the same protection?

  62. moparisthebest

    We got DANE for DNSSEC enabled domains and host-meta-2 for everyone

  63. Zash

    You can have channel binding with PLAIN if you switch to FAST afterwards, right?

  64. Daniel

    > You can have channel binding with PLAIN if you switch to FAST afterwards, right? Yes. But then you can be downgraded to plain again I guess

  65. Daniel

    The nice thing about channel binding is not that it's perfect but that it is really low hanging fruit for the vast majority of users that use scram anyway

  66. lovetox

    you mean developers? i dont think any user cares about such details

  67. Zash

    they probably care after they get MITM'd

  68. moparisthebest

    Sure, and the nice thing about pinning keys is it's out of band, you can cache it, and gives you extra assurance over just channel binding So why not both? :)

  69. moparisthebest

    lovetox: yea users definitely prefer not to be MITM'd

  70. Zash

    moparisthebest, sure, go tell certbot to stop rotating private keys

  71. Daniel

    I'm not against key pinning. Channel binding works on the first connect

  72. Daniel

    And what Zash said

  73. lovetox

    moparisthebest, yes i completely agree, but how do you follow from that, they actively *want* some very specific feature in a TLS connection, and how is it low hanging fruit for *them*

  74. Daniel

    The likelihood of detecting something like the Jabber.ru attack gets drastically improved for virtually no cost

  75. moparisthebest

    Zash: I assume certbot has a flag to not rotate keys? Regardless there are many good acme clients that don't

  76. Zash

    moparisthebest, you assume users (well, admins here) change defaults?

  77. moparisthebest

    Isn't that the entire premise behind prosody? No one turns on a prosody and leaves defaults

  78. Zash

    No true scottish config file?

  79. mdosch

    > moparisthebest, sure, go tell certbot to stop rotating private keys That's what I do already.

  80. Zash

    Adding a bunch of modules and your hostname isn't too far from telling certbot your hostname and accepting the defaults.

  81. Menel

    Since plain will not go away completely, it seems like anyone can still do what they want. So I don't understand the argument.

  82. mdosch

    I disabled plain on my server and all clients continued to work, so YMMV.

  83. Zash

    moparisthebest, wait why aren't you excited about moving to OAuth 2.0 and OAUTHBEARER? then a web browser becomes required for authenticating and your real client never sees your password, that you type into a web <form>

  84. moparisthebest

    Gross

  85. moparisthebest

    > I disabled plain on my server and all clients continued to work, so YMMV. mdosch: clients aren't the problem it's that my XMPP server's usernames & passwords are shared with other systems, email, nextcloud, nginx etc

  86. tmolitor

    > Both catch mitm where the mitm gets a new valid cert, neither catch mitm where the mitm can read the server's disk Wromg. Tls-exporter channel binding can catch the attacker even if they use the same cert and key as the legitimate server (and key pinning can not)

  87. moparisthebest

    tmolitor: if you can read the disk of the server you are MITM'ing, you can get the TLS cert, key, and database of usernames and password hashes, and then do the entire tls-exporter between you and the client and then between you and the real server, right?

  88. moparisthebest

    So I think channel binding can protect against nothing more than pinning keys can

  89. Menel

    Why not both ™

  90. moparisthebest

    That's what I said :)

  91. Zash

    Operationally more effort to pin keys, rotating and recovery etc gets more complicated.

  92. tmolitor

    > tmolitor: if you can read the disk of the server you are MITM'ing, you can get the TLS cert, key, and database of usernames and password hashes, and then do the entire tls-exporter between you and the client and then between you and the real server, right? moparisthebest: No, TLS exporter uses the handshake between client and server and that is different even if the adversary uses the same key and cert....

  93. singpolyma

    > moparisthebest, wait why aren't you excited about moving to OAuth 2.0 and OAUTHBEARER? then a web browser becomes required for authenticating and your real client never sees your password, that you type into a web <form> You can do oauth without a web browser 🙂 but we've reinvented oauth now and call it fast instead

  94. tmolitor

    Tls-exporter will detect a mitm as soon as there is more than one TLS connection on the path to the server (the definition of mitm)...the tls-server-end-point will not catch the mitm in the same-key scenario though, only tls-exporter will (but tls-server-end-point would have catched the jabber.ru attacker as key pinning would have)

  95. Zash

    singpolyma, but oauth is not about auth(entication) but auth(orization), FAST just gets you token authentication, no?

  96. Zash

    tmolitor, I think moparisthebest has constructed a scenario where it's arguably not MITM anmyore, but you authenticate to the attacker.

  97. singpolyma

    Zash: oauthbearer is authentication with a token, surely

  98. Zash

    singpolyma, true. how you get that token is more involved tho

  99. singpolyma

    Yeah. I mean you can get it however you like but there are some common and sometimes complex ways, i agree

  100. Zash

    and the ways that do not involve a web browser are all deprecated and considered insecure

  101. moparisthebest

    >> tmolitor: if you can read the disk of the server you are MITM'ing, you can get the TLS cert, key, and database of usernames and password hashes, and then do the entire tls-exporter between you and the client and then between you and the real server, right? > moparisthebest: No, TLS exporter uses the handshake between client and server and that is different even if the adversary uses the same key and cert.... tmolitor: right, and if the attacker read your disk to get your cert and key and usernames and password hashes, you'll succeed in doing TLS exporter with the attacker's server, who can then succeed in doing it with the real server

  102. Zash

    Is that really MITM anymore?

  103. moparisthebest

    Yes?

  104. tmolitor

    > tmolitor, I think moparisthebest has constructed a scenario where it's arguably not MITM anmyore, but you authenticate to the attacker. Even then scram with channel-binding (in fact even without channel-binding is superior to key-pinning because scram contains a server proof that it knows the password (which the attacker won't know)...all of this is of course only true if the client does not fall back to PLIN, though)

  105. tmolitor

    moparisthebest: yes, knowing the password hashes enables the attacker to fake the server-proof of the password and the mitm will succeed...

  106. moparisthebest

    tmolitor: in your scenario where the attacker reads the server disk to get the key, they do know the password, they know everything your server knows

  107. tmolitor

    Yes

  108. singpolyma

    Certainly a full box pwn is not defenible

  109. moparisthebest

    So... Channel binding provides *no more* protection than key pinning...

  110. singpolyma

    Certainly a full box pwn is not defensible

  111. Zash

    Congratulations on your irrefutible proof that security is impossible.

  112. tmolitor

    But that's not the typical mitm but a direct attack on the server followed by a mitm like impersonation...

  113. singpolyma

    > Congratulations on your irrefutible proof that security is impossible. Classic blue team

  114. singpolyma

    tmolitor: I think the point is that without such a full pwn key pinning also is sufficient to defend

  115. Zash

    Better dust off my very smol screwdrivers and get back to repairing mechanical clocks.

  116. moparisthebest

    Roughly you should always do key pinning if you can and always do channel binding if you can

  117. singpolyma

    Though I agree both is good

  118. tmolitor

    > So... Channel binding provides *no more* protection than key pinning... No, that's wrong...your claim is only true in the case that the attacker has access to the server's disk...then both of them offer the same security: exactly none

  119. moparisthebest

    tmolitor: correct, how else would they get your private key though

  120. Zash

    Becasue we no longer care about all the more likely scenarios where the attacker isn't also your infa provider?

  121. Daniel

    Maybe we need a flag for the server to instruct the client to pin the key

  122. Daniel

    I mean that worked well for HTTP

    🤣️ 1
  123. tmolitor

    > tmolitor: I think the point is that without such a full pwn key pinning also is sufficient to defend No it is not, key pinning does not detect if the mitm knows the servers TLS key but not the password hash...

  124. singpolyma

    > Maybe we need a flag for the server to instruct the client to pin the key Sure, it's called TLSA record

  125. tmolitor

    > Maybe we need a flag for the server to instruct the client to pin the key > > I mean that worked well for HTTP It worked that well that they removed that feature from browsers :(

  126. moparisthebest

    >> Maybe we need a flag for the server to instruct the client to pin the key > Sure, it's called TLSA record And host-meta-2

  127. singpolyma

    tmolitor: I think it's back again with http 3 maybe. But yes

  128. Zash

    > Sure, it's called TLSA record Surely in moparisthebest scenario, the attacker also owns the DNSSEC root keys and can issue any TLSA record they want!

  129. singpolyma

    >> Sure, it's called TLSA record > And host-meta-2 Please no

  130. tmolitor

    Yes, I'd love to see tlsa support in clients...

  131. moparisthebest

    >> tmolitor: I think the point is that without such a full pwn key pinning also is sufficient to defend > No it is not, key pinning does not detect if the mitm knows the servers TLS key but not the password hash... I agree, now how could this possibly happen? I don't think it can

  132. singpolyma

    tmolitor: I have it

  133. singpolyma

    >> Sure, it's called TLSA record > Surely in moparisthebest scenario, the attacker also owns the DNSSEC root keys and can issue any TLSA record they want! If your DNS server is also your xmpp server I guess so

  134. tmolitor

    Great, my server has it too, even with rolling keys...

  135. Daniel

    > Yes, I'd love to see tlsa support in clients... Dito

  136. singpolyma

    Daniel: I can send you a PR 😉

  137. moparisthebest

    Now when are all the .im servers going to change domains? That's easy in XMPP right? 💀

  138. tmolitor

    moparisthebest: it can...the same cert and key are frequently used on different servers or services...attacking one of these servers/services will give you the key, but not the password hashes

  139. singpolyma

    moparisthebest: I have most of a workaround for that

  140. Zash

    singpolyma, bringing back lookaside-validation? :)

  141. tmolitor

    Even heartbleed would have given you the key but not the password...

  142. singpolyma

    Zash: either better or woreise depending hiw you feel but similar

  143. moparisthebest

    tmolitor: people copy keys between servers? 😱

  144. Daniel

    > Daniel: I can send you a PR 😉 I need to fix my DNSSEC implementation first

  145. moparisthebest

    singpolyma: how do you work around it and is it better than host-meta-2 🤣

  146. singpolyma

    Daniel: i upgraded to latest of your DNS dependency and it's working well so far

  147. singpolyma

    moparisthebest: the .im service has to srv to a different tld and then I have a list of well known srvs to check against for that step, normal DNSSEC after

  148. singpolyma

    Works for yax.im

  149. moparisthebest

    singpolyma: wait that sounds like you are enabling trivial MITM for it?

  150. singpolyma

    How?

  151. moparisthebest

    What if evil DNS server responds with "use DNSSEC from evil.com to get the TLSA for yax.im" ?

  152. singpolyma

    Then it won't match my well known srv list so won't verify

  153. moparisthebest

    Can you link to the code or a doc or something?

  154. singpolyma

    It's in both certwatch and cheogram-android. Its obviously not ideal because it only works for known services, but I still think that's better than nothing

  155. tmolitor

    singpolyma: but then server admins won't be able to change their srv entries to point to another domain...

  156. singpolyma

    tmolitor: right. They can change IPs and TLSA and stuff, but if srv changes it'll stop verifying.

  157. tmolitor

    > tmolitor: people copy keys between servers? 😱 Yes, some people do that. Or use the same cert for different services on the same host...

  158. tmolitor

    So its essentially srv pinning

  159. moparisthebest

    Same cert for multiple services on the same box is fine though, that's what I do :P

  160. moparisthebest

    singpolyma: is it one list or a list per host? Anyway still not a generic solution that works across clients/servers or for all services on .im like host-meta-2

  161. singpolyma

    Definitely not generic but a generic solution isn't possible

  162. singpolyma

    host-meta-2 can't be used for key pinning on .im either

  163. singpolyma

    How would you even fetch the host meta file safely?

  164. moparisthebest

    host-meta-2 explicitly can be used to pin for .im and everything, you grab it over https

  165. singpolyma

    And how do you pin the https key?

  166. moparisthebest

    With good domains, Dane/TLSA, with .im you don't, it's still a big improvement

  167. singpolyma

    So with .im it's identical to no key pinning. Like I said

  168. moparisthebest

    Not at all

  169. Zash

    You get some sort of 'TOFU by LE

  170. singpolyma

    You're banking in what, an attacker who can mitm xmpp but not https?

  171. Zash

    None of this beats the jabber.ru hack

  172. Zash

    None of this https stuff beats the jabber.ru hack

  173. singpolyma

    Proper dane does, no?

  174. moparisthebest

    MITM'ing your personal DNS right now: easy MITM'ing LE's DNS across multiple geographically and provider seperate systems months ago: very hard

  175. moparisthebest

    > None of this https stuff beats the jabber.ru hack Zash: it does with long enough pinning times, actually even with 1 day people would have noticed day 1 their login stopped working

  176. Zash

    MITMing HTTP-01 just in front of the machine: Easy, and then serving whatever pinned key you want over https is equally easy.

  177. singpolyma

    moparisthebest: if I can trust an LE cert then I dont need pinning at all. The whole pont is i cannot

  178. Zash

    HTTP-01 and then waiting a month doesn't make it harder

  179. singpolyma

    > MITMing HTTP-01 just in front of the machine: Easy, and then serving whatever pinned key you want over https is equally easy. This

  180. moparisthebest

    > MITMing HTTP-01 just in front of the machine: Easy, and then serving whatever pinned key you want over https is equally easy. Not possible when your caa record forbids http-01

  181. singpolyma

    Rure, if you want to trust LE that's fine but then pinning isn't needed

  182. moparisthebest

    > moparisthebest: if I can trust an LE cert then I dont need pinning at all. The whole pont is i cannot singpolyma: trusting one *now* (from anywhere you might connect) is much different than trusting one you got weeks/months ago

  183. moparisthebest

    It would have prevented the jabber.ru one for example

  184. singpolyma

    How could it possibly?

  185. moparisthebest

    There is no "perfect" here, it's all layers that make it slightly better

  186. singpolyma

    It would do nothing in the jabber.ru case

  187. moparisthebest

    singpolyma: people who had already connected would have had the key pinned and not trusted the new key

  188. singpolyma

    What?

  189. singpolyma

    They check the host meta and see a new key there

  190. singpolyma

    So use new key

  191. Zash

    Or check host meta and see both the old and the new, possibly varying depending on targeting.

  192. Zash

    If DNS MITM is so easy, just do it to the CAA record. It's probably hosted on the same infra as the VM anyway.

  193. moparisthebest

    singpolyma: you don't grab the host-meta after the mitm because you already have it cached (TTL) so you fail to connect

  194. singpolyma

    Until the ttl expires

  195. moparisthebest

    Sure, but that's enough to instantly detect the MITM