Gajim - 2023-10-21

dabbled in the code for a bit. installing `gir1.2-gsound-1.0` and friends solved the problems of sounds not playing from inside gajim. ✏

>I'm on debian and pretty vanilla up to now. report that to them then

gsound is an optional dependency of gajim. That's why gir1.2-gsound-1.0 is only a recommended dependency of gajim in Debian. https://packages.debian.org/bookworm-backports/gajim

yeah and recommended dependencies get installed automatically

except you specify specifically not to install them

at least that was what i heard

> yeah and recommended dependencies get installed automatically This is configurable. "Recommends are installed by default (since Lucid)." which is ubuntu 10.04. from https://askubuntu.com/questions/18545/installing-suggested-recommended-packages ✏

I have been trying Gajim with tor proxy it all appears to work OK for messages but my wife tried to send a photo to me and it fails with error Hostname xmpp-upload.###### not verified: xmpp-upload is configured correctly and the cert is valid, removing tor proxy and there is no error and xmpp-upload works fine. Not really an issue for me as I was just trying tor but it may be for others. ✏

I had problems with gajim with torsocks, which I believe was related to the fact that dns doesn't work with torsocks. Don't know if it's related. ✏

23, can you poste full error message

"not verified" never heard of that

> Hostname xmpp-upload ##### not verified: > certificate: sha256/6gD0q1mu0qC66Nmu6IUgJ3dS7EAjHopHwlRp24G####= > DN: CN=###### > subjectAltNames: [#####]

23: I got the same error with xmpp.is onion only account. But if I try other clearnet account over gajim proxy, it works. I'm on gajim 1.5 from devuan oldstable backports. Direct transfer never workd when connected to gajim proxy. ✏

23: seems not like a gajim error

At least I never saw it and know no code that prints cert details

Is this a dialog? Do you see that in the log file?

What are the log lines before that?

The error message was on the senders phone using conversations nothing on Gajim at my end.

ok why are you telling us then?

lovetox: that's funny :)

Err because the error is caused by gajim using tor proxy

ru connecting to an onion domain or clear domain?

Guys, You know everybody is talking about jabber.ru attack that could been prevented if the client had an option like 'Don't trust system CAs' from Conversations. ✏

Guys, you know everybody is talking about jabber.ru attack. Attack that could been prevented if the client had an option like 'Don't trust system CAs' from Conversations. ✏

Guys, you know everybody is talking about jabber.ru attack. Attack that could have been prevented if the client had an option like 'Don't trust system CAs' from Conversations. ✏

Guys, you know everybody is talking about jabber.ru attack. Attack that could have been prevented at the client level if the client had an option activated like 'Don't trust system CAs' from Conversations. ✏

🤔

Basicly, you are warned about a manual unverified certificate when you connect. Do you know if Gajim has such an option available?

it should by default

On Conversations is not the default.

wym

if the cert is invalid

it won't connect

I don't mean Self Sign certificate

I mean a good certificare sign by let's encrypt

any kind of invalidation

you mean distrust all certs until manually verified?

fjklp: yes, thank you. ✏

> you mean distrust all certs until manually verified? fjklp: yes, thank you. ✏

neat idea

distrust all until manually verified doesn't hint if the cert was valid on x509

on conversations which is bad design imo

> you mean distrust all certs until manually verified? Conversation has this option. You have to manualy enable it. Does gajim has something like that? ✏

> you mean distrust all certs until manually verified? Conversation has this option. You have to manualy enable it. Does gajim has something like that? Would mitigate this attack at the user level. ✏

> you mean distrust all certs until manually verified? Conversation has this option. You have to manualy enable it. Does gajim has something like that? ✏

https://notes.valdikss.org.ru/jabber.ru-mitm/ That was the problem.

If you can distrust all certs until manually verified, you could mitigate this kind of attack.

the mitm forgot to setup certificate renewal lol

that's funny

or didn't care to

or intentionally chose not to

And the binding channels don't work on tls1.3 ✏

this is one way to disclose that there was a mitm attack without saying it

> or intentionally chose not to I don't know. He is the admin. The allready could do mitm. ✏

imagine it was lawful intercept but was forced to be performed by the hosting company and they wanted to let it be known

hetzner works with German authorities I'm sure they had a good reason to mitm the server tbh

> imagine it was lawful intercept but was forced to be performed by the hosting company and they wanted to let it be known That's what happend most likely.

maybe connect to a server that supports Tor? that way u don't have to worry about tls issuss

> hetzner works with German authorities I'm sure they had a good reason to mitm the server tbh If you use OMEMEO, your history is protected with PFS. If you disable server archiving, nobody can get your contacts. Even if someone gets your contacts, the attacker device is automaticly set to untrusted. The only thing he can do is to read your private messages from channels and impersonate you on those channels.

gajim having its own certificate transparency log for the xmpp domain would be nice

But if you enable 'Don't trust system CAs' from Conversations, then you should get a warning that the malicious( verified ) certificate is unknown. ✏

Even better if you have stored the fingerprint and expiration date of the certificate of the xmpp server on which you have the account. ✏

> maybe connect to a server that supports Tor? that way u don't have to worry about tls issuss Should be onion only. And a tls certificate won't hurt there also.

> gajim having its own certificate transparency log for the xmpp domain would be nice Yea. It would be.

> If you can distrust all certs until manually verified, you could mitigate this kind of attack. lovetox: do you know something about that?

there is no such option

also this would mean you get all 3 months a warning that the cert changed

meaning you will constantly review certificates, until you get tired one day and simply click accept :)

its much easier to simply use OMEMO, that what end 2 end encryption was invented for

real asf

when is omemo 2 coming to gajim?

lovetox: If your persona behind the xmpp acout has some presence, would be a problem of impersonating in channels. Big problem.

i dont see how this is related to tls certs

> meaning you will constantly review certificates, until you get tired one day and simply click accept :) lovetox: I really wish such an option will be added. I won't get tired and click accept, never. > i dont see how this is related to tls certs https://notes.valdikss.org.ru/jabber.ru-mitm/ That was the problem.

i know the incident, but what you said made no sense, no option in Gajim will prevent that other people can impersonate you

ye but also remember the xmpp client doesn't validate s2s certs

so it would be the best bet just to manually verify omemo keys

> Guys, you know everybody is talking about jabber.ru attack. Attack that could have been prevented at the client level if the client had an option activated like 'Don't trust system CAs' from Conversations. lovetox: if you have the time and you could read from there.

> i know the incident, but what you said made no sense, no option in Gajim will prevent that other people can impersonate you lovetox: ok if you read

>> i know the incident, but what you said made no sense, no option in Gajim will prevent that other people can impersonate you lovetox: ok if you read. And you know about the incident ✏

> i know the incident, but what you said made no sense, no option in Gajim will prevent that other people can impersonate you lovetox: ok if you read. And you know about the incident ✏

i dont say your feature request is not valid. I just want to tell you that your best way is to use end 2 end ecryption, not hoping for some TLS features to get implemented

> meaning you will constantly review certificates, until you get tired one day and simply click accept :) > its much easier to simply use OMEMO, that what end 2 end encryption was invented for I don't see this as any argument against. OMEMO without verifying keys is mostly security theater, which is probably most people who use it. So yes, most people will not want to verify TLS certificates manually just as they don't verify OMEMO keys. That really shouldn't prevent the option from existing.

fjklp, one needs to be verified on regular basis, the other only once.

the argument is, there is a better solution, no reason to implement a worse one

many chats will not use e2e encryption and I'd like to be able to trust TLS

no e2e, no mitm protection, simple as that

lovetox: I know the admin of the server can do mitm anytime. But such option could prevent some really powerfull attacker/attack (like this one ) from doing this kind of mitm. I was talking about the problem and solution on other channel. And users ask of Gajim has such an option. Those users, me also, we will be verry happy with such option. An never get tired of it. It's an amazing way for users to verify if the server is under attack and much more. ✏

lovetox: I know the admin of the server can do mitm anytime. But such option could prevent some really powerfull attacker/attack (like this one ) from doing this kind of mitm. I was talking about the problem and solution on other channel. And users asked if Gajim has such an option. Those users, me also, we will be verry happy with such option. An never get tired of it. It's an amazing way for users to verify if the server is under attack and much more. ✏

how do you verify that? So gajim shows you the cert is not the same as last time, whats your next step?

lovetox: I know the admin of the server can do mitm anytime. But such option could prevent some really powerfull attacker/attack (like this one ) from doing this kind of mitm. I was talking about the problem and solution on other channel. And users asked if Gajim has such an option. Those users, including me, we will be very happy with such an option. And never get tired of it. It's an amazing way for users to verify if the server is under attack and much more. ✏

But if you run your own server are you not the mitm in other words the only advantage with omemo is encryption when on o remote server, over the net message are encrypted by TLS

> how do you verify that? So gajim shows you the cert is not the same as last time, whats your next step? It's from other issuer ( like this one)? Going on the website to verify the new fingerprint if it is posted. Asking the admin of the server via pgp mail. Most likely. ✏

> how do you verify that? So gajim shows you the cert is not the same as last time, whats your next step? It's from other issuer ( like this one)? It's renew sonner then expected? Going on the website to verify the new fingerprint if it is posted. Asking the admin of the server via pgp mail. Most likely. ✏

> how do you verify that? So gajim shows you the cert is not the same as last time, whats your next step? lovetox: It's from other issuer ( like this one)? It's renew sonner then expected? Going on the website to verify the new fingerprint if it is posted. Asking the admin of the server via pgp mail. Most likely. ✏

> how do you verify that? So gajim shows you the cert is not the same as last time, whats your next step? lovetox: It's from other issuer ( like this one)? It's renewed sonner then expected? Going on the website to verify the new fingerprint if it is posted. Asking the admin of the server via pgp mail. Most likely. ✏

the best case I imagine is that the server admin mass-omemo messages the users, maybe only those subscribed to receive this message, with a notice of the fingerprint of the new cert. This might require a special script to send this before the new cert is issued, so that the message can be sent. Then cert is updated. Gajim detects cert change, if manual verify is enabled then show dialog requiring pressing 'Approved' button, then gajim accepts cert and connects.

> how do you verify that? So gajim shows you the cert is not the same as last time, whats your next step? lovetox: It's from other issuer ( like this one)? It's renewed sonner then expected? Going on the website to verify the new fingerprint if it is posted. Asking the admin of the server via pgp mail. Most likely. ✏

to the website? connecting via https? of course with system ca enabled, otherwise you could not really browse the web anymore, webserver is of course in 99% in the same datacenter, probably on the same machine

and yeah of course you dont connect to the server anymore, until the admin answered your PGP email

and the Admin really likes to answer 100 PGP emails every 3 months when he renews the cert

I wanted to add. Most likely I make another quick account.

When an attack happens it is probably sonner then expected.

what you describe are steps that you can do once in 2 years

you will not go through that every ~3 months

you have no clue where to get the fingerprint, other than writing an email

sorry that sounds like a very bad process

Probably I would still connect

And ask the admin

And change the password afterwords in case of something

I would do that every 30 days even.

yeah ok, i will count the people that come here and want to do that

But if the certificate is renew sonner then expected, or from other issuer, then thats the moment when Im worried

if we reach 10, i add a issue on the tracker for the feature

I'm one.

fjklp 2

? fjklp did not say he would use that

I might

admittedly, I need to think about how much this solves and how much attack surface is left open

like I said, the admin mass-messaging new cert fingerprint with omemo for people who want it seems fairly graceful

dryan, do you use conversations?

lovetox: right now, yes

so, problem solved or? once device that notifies you is probably enough

But I use gajim most of the time

And on accounts that I do sensitive stuff, I only use Gajim

Philipp Hörist pushed 1 commit to branch _refs/heads/master_ of _gajim_ < https://dev.gajim.org/gajim/gajim >: *85dfba63* < https://dev.gajim.org/gajim/gajim/-/commit/85dfba6322f8dcca6c45919daa39cfdb14f7f923 > feat: Display composing participants in MUC chat banner

> Look at this attack with jabber.ru. the certificate was malicious but verified like was not. With the option C2 has, you can see that the cert it is renewd sonner then expected. Or verified by a different issuer. So, I think it helps. > Then you come in a public room and ask the admin. The question and the response will remain available for everyone to see. > NOT ME - Open an issue I guess, but better for channel binding support > Menel: I mean for sure chanel binding is the way to go. The dev said he will open one himself if 10 users come and ask for it. Otherwise will not be implemexnted. > Would you help guys? Just come and say. I want the future. > NOT ME: I think the dev maybe has enough on the plate. Conversations is online nearly 24/7 and has regular reconnects because of switching networks. That's a much better watchdog then gajim, isn't it? > Yea. You are right. I'm deeply greateful for people that volunteer to work so much. And I respect then and their time. lovetox fjklp 23 umu

before you ralley now people and send them here, open the issue on the tracker