XSF Discussion - 2024-06-02


  1. moparisthebest

    a poor user in dino muc just linked https://wiki.xmpp.org/web/Easy_Group_Chats and cited:

    > This is not suitable for modern mobile messengers

    and asked what was... can we just remove that from this wiki entry or? I don't know who wrote it originally, it says Georg restored it from backup, maybe MattJ? :/

  2. lovetox

    moparisthebest, what does not work here on mobile?

  3. lovetox

    or does the user mean that, on his mobile client, group chat doesn't behave like in this article?

  4. Menel

    Looked to me as if that documents what Conversations basically does

  5. MattJ

    It wasn't me

  6. dwd

    > You can't trust anything from the plaintext before the TLS handshake
    >
    > And even if you wrote bad code to do this, from is often not set?

    Well, it's not trusting, as such, and from is set often enough that we can use it. Metre will reject sessions that change their mind between the from and the SASL EXTERNAL, too, so if they lie before the TLS handshake, they won't get far.

  7. moparisthebest

    > moparisthebest, what does not work here on mobile?

    lovetox:

  8. moparisthebest

    > moparisthebest, what does not work here on mobile?

    lovetox: I think it all does, which is why I think we should remove that misleading statement saying it doesn't

  9. moparisthebest

    >> You can't trust anything from the plaintext before the TLS handshake
    >>
    >> And even if you wrote bad code to do this, from is often not set?
    >
    > Well, it's not trusting, as such, and from is set often enough that we can use it. Metre will reject sessions that change their mind between the from and the SASL EXTERNAL, too, so if they lie before the TLS handshake, they won't get far.

    dwd: also enables a MITM to silently get you to reject their connection that way, granted only if they could already just prevent it altogether. Either way, servers shouldn't be setting from= and leaking info in plaintext; which servers do that, so I can file bug reports? :)

  10. singpolyma

    It's hardly a "leak" at the s2s level, one can see where the connection is coming from

  11. moparisthebest

    It's a leak, what does where it's coming from mean? Could be over Tor

  12. singpolyma

    I suppose one could do s2s over Tor. If you had a threat model shaped like that, then it could be a leak

  13. moparisthebest

    It's not about threat models, see https://www.rfc-editor.org/rfc/rfc7258. We should not leak data that doesn't need to be leaked to these attackers

  14. qwark

    Hello