-
moparisthebest
a poor user in dino muc just linked https://wiki.xmpp.org/web/Easy_Group_Chats and cited:
> This is not suitable for modern mobile messengers
and asked what was.... can we just remove that from this wiki entry or ? I don't know who wrote it originally, it says Georg restored it from backup, maybe MattJ ? :/
-
lovetox
moparisthebest, what does not work here on mobile?
-
lovetox
or does the user mean, on his mobile client group chat behaves not like in this article?
-
Menel
Looked to me as if that documents what Conversations basically does
-
MattJ
It wasn't me
-
dwd
> You can't trust anything from the plaintext before the TLS handshake
>
> And even if you wrote bad code to do this, from is often not set?
Well, it's not trusting, as such, and from is set often enough that we can use it. Metre will reject sessions that change their mind between the from and the sasl external, too, so if they lie before the TLS handshake, they won't get far.
-
moparisthebest
> moparisthebest, what does not work here on mobile?
lovetox: I think it all does, which is why I think we should remove that misleading statement saying it doesn't
-
moparisthebest
>> You can't trust anything from the plaintext before the TLS handshake
>>
>> And even if you wrote bad code to do this, from is often not set?
> Well, it's not trusting, as such, and from is set often enough that we can use it. Metre will reject sessions that change their mind between the from and the sasl external, too, so if they lie before the TLS handshake, they won't get far.
dwd: also enables a MITM to silently get you to reject their connection that way, granted only if they could already just prevent it altogether
either way servers shouldn't be setting from= and leaking info in plaintext, which servers do that so I can file bug reports? :)
-
singpolyma
It's hardly a "leak" at the s2s level, one can see where the connection is coming from
-
moparisthebest
It's a leak, what does where it's coming from mean? Could be over Tor
-
singpolyma
I suppose one could do s2s over tor. If you had a threat model shaped like that then it could be a leak
-
moparisthebest
It's not about threat models https://www.rfc-editor.org/rfc/rfc7258 we should not leak data that doesn't need leaked to these attackers
-
qwark
Hello