-
kurisu
Do C or Dino support "jingle file requests"? I.e. senders='responder'
-
kurisu
or does any client worth mentioning
-
kurisu
or any client in the history of anything ever
-
Menel
If what you ask is https://xmpp.org/extensions/xep-0234.html#requesting then yes.
-
kurisu
Yes for C and Dino?
-
Menel
Yes, you can use this tool to search for xeps in software https://xmpp.org/software/?platform=all-platforms It's not complete for all that exist, but very nice
-
kurisu
Not parts of xeps...
-
Menel
?
-
cal0pteryx
The extensions table at https://xmpp.org/extensions/ now offers a filter for dormant XEPs in Experimental/Deferred. States are indicated by icons (with tooltips) as well. Feedback welcome!
-
MattJ
cal0pteryx: looks excellent! Thanks!
-
MattJ
Now this surfaces deferred XEPs that actually matter
-
Daniel
flow could probably ask Council to issue a Last Call for 0440 (channel binding)
-
MattJ
cal0pteryx, if there is a turtle icon, it might be more clear than the clock :)
-
singpolyma
kurisu: i think no, but I am planning to implement it
-
theTedd
cal0pteryx, a suggestion: have the type filters as one dropdown, and "Views" as another; views can then be "All", "Consider Advancing", "Implementations Needed", etc, and further interesting views can be added as wanted
-
Daniel
kurisu: it depends a lot on what you are trying to achieve. Requesting a file can be useful for resuming a file transfer
-
theTedd
(and maybe a threshold of >=2 before advancement)
-
kurisu
Daniel: does C do that?
-
Daniel
I might implement it but considering how rarely jingle ft is used it doesn't have priority
-
Daniel
kurisu: no
-
kurisu
So I thought
-
edhelas
Is there a place where we can see what's the state of SASL, and especially SCRAM mechanisms support in the clients and servers ?
-
Daniel
No. I would absolutely love to have metrics for that. But my users would hate that sort of thing
-
edhelas
Too bad. Movim is supporting SCRAM-SHA-1 and PLAIN, I might drop plain support and I can add a few others but I was wondering about the servers support.
-
Daniel
I mean implementing other shas is really easy. Just go for it. Doesn't hurt
-
edhelas
Yeah sure.
-
singpolyma
Someday OPAQUE
-
kurisu
Aside from Dino and C, does anyone support webrtc file transfer? Web clients perhaps?
-
singpolyma
Not yet.
-
singpolyma
It's very new
-
singpolyma
And I think no one supports the tcp xep yet
-
moparisthebest
> Too bad. Movim is supporting SCRAM-SHA-1 and PLAIN, I might drop plain support and I can add a few others but I was wondering about the servers support.
edhelas: don't drop plain, that's the best one! seriously though it's useful for deployments where the password is stored with a good hash (like scrypt) and used across services
-
Zash
The old Observatory had SASL stats
-
edhelas
Doesn't matter, my password is CorrectHorseBatteryStaple in the end
-
mdosch
According to a German newspaper Mb2.r5oHf-0t is the most secure password, so everybody should use it.
-
mdosch
https://www.der-postillon.com/2014/04/sicherstes-passwort.html
-
Zash
That's the combination to my luggage!
-
mdosch
* mdosch will steal your Surströmming.
-
mdosch
> Is there a place where we can see what's the state of SASL, and especially SCRAM mechanisms support in the clients and servers ?
Maybe o.j.n could ask for opt-in to collect that information? I would opt-in.
-
mdosch
That's still only a part of the network but we could at least gather some numbers for servers.
-
mdosch
jonas’: ?
-
jonas’
mdosch, no, the code isn't smart enough to query features like that.
-
mdosch
Too bad. 🙃
-
jonas’
well, SCRAM mechanisms are collected, actually, but no SASL2
-
moparisthebest
Why would it matter? For MUCs it's not used, for signing up for a public server you don't care because you 100% need to use a random password unique to that server
-
Daniel
Having login mechanism stats would be nice though. I'm strongly considering making channel binding quasi mandatory in a not too distant future
-
Zash
Perhaps it could be added to CAAS?
-
moparisthebest
Does channel binding work with PLAIN ?
-
Zash
No
-
Daniel
moparisthebest: no. You need scram
-
moparisthebest
That would break my XMPP setup then which would be sad
-
moparisthebest
Am I missing something or does channel binding offer nothing over just pinning keys?
-
Daniel
Mitm detection
-
moparisthebest
Both catch mitm where the mitm gets a new valid cert, neither catch mitm where the mitm can read the server's disk
-
Daniel
LE really doesn't want you to pin keys though
-
moparisthebest
You can't pin certs, you can pin keys no problem
-
Daniel
But yes I'm aware that PLAIN won't go away for certain deployments. But I'm ready to have them dig into some expert setting and disable the 'mitm protection checkbox'
-
moparisthebest
How about also implement pinning keys and then require one or the other since they offer the same protection?
-
moparisthebest
We got DANE for DNSSEC enabled domains and host-meta-2 for everyone
-
Zash
You can have channel binding with PLAIN if you switch to FAST afterwards, right?
-
Daniel
> You can have channel binding with PLAIN if you switch to FAST afterwards, right?
Yes. But then you can be downgraded to plain again I guess
-
Daniel
The nice thing about channel binding is not that it's perfect but that it is really low hanging fruit for the vast majority of users that use scram anyway
-
lovetox
you mean developers? I don't think any user cares about such details
-
Zash
they probably care after they get MITM'd
-
moparisthebest
Sure, and the nice thing about pinning keys is it's out of band, you can cache it, and gives you extra assurance over just channel binding. So why not both? :)
-
moparisthebest
lovetox: yea users definitely prefer not to be MITM'd
-
Zash
moparisthebest, sure, go tell certbot to stop rotating private keys
-
Daniel
I'm not against key pinning. Channel binding works on the first connect
-
Daniel
And what Zash said
-
lovetox
moparisthebest, yes I completely agree, but how do you follow from that, they actively *want* some very specific feature in a TLS connection, and how is it low hanging fruit for *them*
-
Daniel
The likelihood of detecting something like the Jabber.ru attack gets drastically improved for virtually no cost
-
moparisthebest
Zash: I assume certbot has a flag to not rotate keys? Regardless there are many good acme clients that don't
-
Zash
moparisthebest, you assume users (well, admins here) change defaults?
-
moparisthebest
Isn't that the entire premise behind prosody? No one turns on a prosody and leaves defaults
-
Zash
No true scottish config file?
-
mdosch
> moparisthebest, sure, go tell certbot to stop rotating private keys
That's what I do already.
-
Zash
Adding a bunch of modules and your hostname isn't too far from telling certbot your hostname and accepting the defaults.
-
Menel
Since plain will not go away completely, it seems like anyone can still do what they want. So I don't understand the argument.
-
mdosch
I disabled plain on my server and all clients continued to work, so YMMV.
-
Zash
moparisthebest, wait why aren't you excited about moving to OAuth 2.0 and OAUTHBEARER? then a web browser becomes required for authenticating and your real client never sees your password, that you type into a web <form>
-
moparisthebest
Gross
-
moparisthebest
> I disabled plain on my server and all clients continued to work, so YMMV.
mdosch: clients aren't the problem it's that my XMPP server's usernames & passwords are shared with other systems, email, nextcloud, nginx etc
-
tmolitor
> Both catch mitm where the mitm gets a new valid cert, neither catch mitm where the mitm can read the server's disk
Wrong. Tls-exporter channel binding can catch the attacker even if they use the same cert and key as the legitimate server (and key pinning can not)
-
moparisthebest
tmolitor: if you can read the disk of the server you are MITM'ing, you can get the TLS cert, key, and database of usernames and password hashes, and then do the entire tls-exporter between you and the client and then between you and the real server, right?
-
moparisthebest
So I think channel binding can protect against nothing more than pinning keys can
-
Menel
Why not both ™
-
moparisthebest
That's what I said :)
-
Zash
Operationally more effort to pin keys, rotating and recovery etc gets more complicated.
-
tmolitor
> tmolitor: if you can read the disk of the server you are MITM'ing, you can get the TLS cert, key, and database of usernames and password hashes, and then do the entire tls-exporter between you and the client and then between you and the real server, right?
moparisthebest: No, TLS exporter uses the handshake between client and server and that is different even if the adversary uses the same key and cert....
-
singpolyma
> moparisthebest, wait why aren't you excited about moving to OAuth 2.0 and OAUTHBEARER? then a web browser becomes required for authenticating and your real client never sees your password, that you type into a web <form>
You can do oauth without a web browser 🙂 but we've reinvented oauth now and call it fast instead
-
tmolitor
Tls-exporter will detect a mitm as soon as there is more than one TLS connection on the path to the server (the definition of mitm)... the tls-server-end-point will not catch the mitm in the same-key scenario though, only tls-exporter will (but tls-server-end-point would have caught the jabber.ru attacker as key pinning would have)
-
Zash
singpolyma, but oauth is not about auth(entication) but auth(orization), FAST just gets you token authentication, no?
-
Zash
tmolitor, I think moparisthebest has constructed a scenario where it's arguably not MITM anymore, but you authenticate to the attacker.
-
singpolyma
Zash: oauthbearer is authentication with a token, surely
-
Zash
singpolyma, true. how you get that token is more involved tho
-
singpolyma
Yeah. I mean you can get it however you like but there are some common and sometimes complex ways, i agree
-
Zash
and the ways that do not involve a web browser are all deprecated and considered insecure
-
moparisthebest
>> tmolitor: if you can read the disk of the server you are MITM'ing, you can get the TLS cert, key, and database of usernames and password hashes, and then do the entire tls-exporter between you and the client and then between you and the real server, right?
> moparisthebest: No, TLS exporter uses the handshake between client and server and that is different even if the adversary uses the same key and cert....
tmolitor: right, and if the attacker read your disk to get your cert and key and usernames and password hashes, you'll succeed in doing TLS exporter with the attacker's server, who can then succeed in doing it with the real server
-
Zash
Is that really MITM anymore?
-
moparisthebest
Yes?
-
tmolitor
> tmolitor, I think moparisthebest has constructed a scenario where it's arguably not MITM anymore, but you authenticate to the attacker.
Even then scram with channel-binding (in fact even without channel-binding) is superior to key-pinning because scram contains a server proof that it knows the password (which the attacker won't know)... all of this is of course only true if the client does not fall back to PLAIN, though
-
tmolitor
moparisthebest: yes, knowing the password hashes enables the attacker to fake the server-proof of the password and the mitm will succeed...
-
moparisthebest
tmolitor: in your scenario where the attacker reads the server disk to get the key, they do know the password, they know everything your server knows
-
tmolitor
Yes
-
singpolyma
Certainly a full box pwn is not defensible
-
moparisthebest
So... Channel binding provides *no more* protection than key pinning...
-
Zash
Congratulations on your irrefutable proof that security is impossible.
-
tmolitor
But that's not the typical mitm but a direct attack on the server followed by a mitm like impersonation...
-
singpolyma
> Congratulations on your irrefutable proof that security is impossible.
Classic blue team
-
singpolyma
tmolitor: I think the point is that without such a full pwn key pinning also is sufficient to defend
-
Zash
Better dust off my very smol screwdrivers and get back to repairing mechanical clocks.
-
moparisthebest
Roughly you should always do key pinning if you can and always do channel binding if you can
-
singpolyma
Though I agree both is good
-
tmolitor
> So... Channel binding provides *no more* protection than key pinning...
No, that's wrong... your claim is only true in the case that the attacker has access to the server's disk... then both of them offer the same security: exactly none
-
moparisthebest
tmolitor: correct, how else would they get your private key though
-
Zash
Because we no longer care about all the more likely scenarios where the attacker isn't also your infra provider?
-
Daniel
Maybe we need a flag for the server to instruct the client to pin the key
-
Daniel
I mean that worked well for HTTP
-
tmolitor
> tmolitor: I think the point is that without such a full pwn key pinning also is sufficient to defend
No it is not, key pinning does not detect if the mitm knows the server's TLS key but not the password hash...
-
singpolyma
> Maybe we need a flag for the server to instruct the client to pin the key
Sure, it's called TLSA record
-
tmolitor
> Maybe we need a flag for the server to instruct the client to pin the key
>
> I mean that worked well for HTTP
It worked so well that they removed that feature from browsers :(
-
moparisthebest
>> Maybe we need a flag for the server to instruct the client to pin the key
> Sure, it's called TLSA record
And host-meta-2
-
singpolyma
tmolitor: I think it's back again with http 3 maybe. But yes
-
Zash
> Sure, it's called TLSA record
Surely in moparisthebest's scenario, the attacker also owns the DNSSEC root keys and can issue any TLSA record they want!
-
singpolyma
>> Sure, it's called TLSA record
> And host-meta-2
Please no
-
tmolitor
Yes, I'd love to see tlsa support in clients...
-
moparisthebest
>> tmolitor: I think the point is that without such a full pwn key pinning also is sufficient to defend
> No it is not, key pinning does not detect if the mitm knows the server's TLS key but not the password hash...
I agree, now how could this possibly happen? I don't think it can
-
singpolyma
tmolitor: I have it
-
singpolyma
>> Sure, it's called TLSA record
> Surely in moparisthebest's scenario, the attacker also owns the DNSSEC root keys and can issue any TLSA record they want!
If your DNS server is also your xmpp server I guess so
-
tmolitor
Great, my server has it too, even with rolling keys...
-
Daniel
> Yes, I'd love to see tlsa support in clients...
Ditto
-
singpolyma
Daniel: I can send you a PR 😉
-
moparisthebest
Now when are all the .im servers going to change domains? That's easy in XMPP right? 💀
-
tmolitor
moparisthebest: it can...the same cert and key are frequently used on different servers or services...attacking one of these servers/services will give you the key, but not the password hashes
-
singpolyma
moparisthebest: I have most of a workaround for that
-
Zash
singpolyma, bringing back lookaside-validation? :)
-
tmolitor
Even heartbleed would have given you the key but not the password...
-
singpolyma
Zash: either better or worse depending how you feel but similar
-
moparisthebest
tmolitor: people copy keys between servers? 😱
-
Daniel
> Daniel: I can send you a PR 😉
I need to fix my DNSSEC implementation first
-
moparisthebest
singpolyma: how do you work around it and is it better than host-meta-2 🤣
-
singpolyma
Daniel: i upgraded to latest of your DNS dependency and it's working well so far
-
singpolyma
moparisthebest: the .im service has to srv to a different tld and then I have a list of well known srvs to check against for that step, normal DNSSEC after
-
singpolyma
Works for yax.im
-
moparisthebest
singpolyma: wait that sounds like you are enabling trivial MITM for it?
-
singpolyma
How?
-
moparisthebest
What if evil DNS server responds with "use DNSSEC from evil.com to get the TLSA for yax.im" ?
-
singpolyma
Then it won't match my well known srv list so won't verify
-
moparisthebest
Can you link to the code or a doc or something?
-
singpolyma
It's in both certwatch and cheogram-android. It's obviously not ideal because it only works for known services, but I still think that's better than nothing
-
tmolitor
singpolyma: but then server admins won't be able to change their srv entries to point to another domain...
-
singpolyma
tmolitor: right. They can change IPs and TLSA and stuff, but if srv changes it'll stop verifying.
-
tmolitor
> tmolitor: people copy keys between servers? 😱
Yes, some people do that. Or use the same cert for different services on the same host...
-
tmolitor
So its essentially srv pinning
-
moparisthebest
Same cert for multiple services on the same box is fine though, that's what I do :P
-
moparisthebest
singpolyma: is it one list or a list per host? Anyway still not a generic solution that works across clients/servers or for all services on .im like host-meta-2
-
singpolyma
Definitely not generic but a generic solution isn't possible
-
singpolyma
host-meta-2 can't be used for key pinning on .im either
-
singpolyma
How would you even fetch the host meta file safely?
-
moparisthebest
host-meta-2 explicitly can be used to pin for .im and everything, you grab it over https
-
singpolyma
And how do you pin the https key?
-
moparisthebest
With good domains, Dane/TLSA, with .im you don't, it's still a big improvement
-
singpolyma
So with .im it's identical to no key pinning. Like I said
-
moparisthebest
Not at all
-
Zash
You get some sort of 'TOFU by LE'
-
singpolyma
You're banking on what, an attacker who can mitm xmpp but not https?
-
Zash
None of this https stuff beats the jabber.ru hack
-
singpolyma
Proper dane does, no?
-
moparisthebest
MITM'ing your personal DNS right now: easy. MITM'ing LE's DNS across multiple geographically and provider separate systems months ago: very hard
-
moparisthebest
> None of this https stuff beats the jabber.ru hack
Zash: it does with long enough pinning times, actually even with 1 day people would have noticed day 1 their login stopped working
-
Zash
MITMing HTTP-01 just in front of the machine: Easy, and then serving whatever pinned key you want over https is equally easy.
-
singpolyma
moparisthebest: if I can trust an LE cert then I don't need pinning at all. The whole point is I cannot
-
Zash
HTTP-01 and then waiting a month doesn't make it harder
-
singpolyma
> MITMing HTTP-01 just in front of the machine: Easy, and then serving whatever pinned key you want over https is equally easy.
This
-
moparisthebest
> MITMing HTTP-01 just in front of the machine: Easy, and then serving whatever pinned key you want over https is equally easy.
Not possible when your caa record forbids http-01
-
singpolyma
Sure, if you want to trust LE that's fine but then pinning isn't needed
-
moparisthebest
> moparisthebest: if I can trust an LE cert then I don't need pinning at all. The whole point is I cannot
singpolyma: trusting one *now* (from anywhere you might connect) is much different than trusting one you got weeks/months ago
-
moparisthebest
It would have prevented the jabber.ru one for example
-
singpolyma
How could it possibly?
-
moparisthebest
There is no "perfect" here, it's all layers that make it slightly better
-
singpolyma
It would do nothing in the jabber.ru case
-
moparisthebest
singpolyma: people who had already connected would have had the key pinned and not trusted the new key
-
singpolyma
What?
-
singpolyma
They check the host meta and see a new key there
-
singpolyma
So use new key
-
Zash
Or check host meta and see both the old and the new, possibly varying depending on targeting.
-
Zash
If DNS MITM is so easy, just do it to the CAA record. It's probably hosted on the same infra as the VM anyway.
-
moparisthebest
singpolyma: you don't grab the host-meta after the mitm because you already have it cached (TTL) so you fail to connect
-
singpolyma
Until the ttl expires
-
moparisthebest
Sure, but that's enough to instantly detect the MITM