Gajim - 2023-12-12

Even with using gajim on xp on known xmpp servers can attack sending a sta za exploiting some underlying xp library gajim will call (emoji rendering, http download many others

So please stop promoting windows xp

As of hardware you can use a unix derivate with recent security updates if you still.like the old hw

danielstein: > emoji Heresy. Legacy systems don't even support 4-byte Unicode.

BTW, they often are a cause of vulnerabilities on different systems last years, because they are overcomplicated. So I would strip them out server-side at all and teach users to use ASCII smileys. Many websites using the utf8mb3 encoding in the database still don't support emojis anyway. Should I post a ticket for removing emoji support in Gajim, so it won't be a complete off-topic? ×DDDD

danielstein: and the problem of combining old hardware with new software is that new software is too bloated for old hardware. And less bloated enthusiast FOSS projects don't receive that much bug-hunting attention.

So despite something like links2 is still updated and did even receive WebP support recently, I wouldn't be sure it lacks severe vulnerabilities. The downside is that they're barely searched there as well, and exploit packs don't cover non-typical software. Untraceable Joe.

Well… ×DD https://linuxsecurity.com/advisories/debian/debian-dsa-2807-1-links2-security-update

> Should I post a ticket for removing emoji support in Gajim, so it won't be a complete off-topic? ×DDDD Actually, given the reason to deprecate and remove XHTML support is concocted out of thin air with similar arguments, I won't be surprised it would gain traction, hehehe.

https://im.ebala.net:5821/upload/6xeGhyxX9u2swqx5-xQSMkUW/Screenshot%202023-12-12%20at%2013-21-19%20Emoji%20Shellcoding%20%F0%9F%9B%A0%EF%B8%8F%20%F0%9F%A7%8C%20and%20%F0%9F%A4%AF%20-%20DEF%20CON%2030%20-%20Hadrien%20Barral%20-%20Emoji%20Shellcoding%20%F0%9F%9B%A0%EF%B8%8F%20%F0%9F%A7%8C%20and%20%F0%9F%A4%AF%20-%20Presentation.pdf.png

> Legacy systems don't even support 4-byte Unicode. ↑

bodqhrohro: stay on topic. This is a gajim support chat.

cal0pteryx: Gajim has an emoji picker.

That's a problem.

Please take your ramblings elsewhere

https://dev.gajim.org/gajim/gajim/-/issues/11722

bodqhrohro: What's your goal here?

To get on my nerves and getting banned?

Because that's the way this is going

lovetox: my goal is to bring to light you're acting in an authoritarian way and not listening.

bodqhrohro: You and one guy from Conversations group should team up. Two security retards that would strip everything from the apps.

Go make a fork without emojis then and get lost.

Geld: lol no, I'm not a security retard, I'm a troll mocking the security retards. It would be even more hilarious if they take this for serious. (And I see no reasons they shouldn't, given the rationale is pretty the same as for XHTML-IM: it *may* be implemented in an insecure way, so it's better to deprecate it at all so no one is seduced to implement it in a simple and dangerous way lol.)

bodqhrohro: you are wasting our time. Last warning.

> Immaculate Taste: use Windows XP, it's not as full of spyware as modern versions are. > > Gajim 0.16 worked there for sure, not sure about newer versions. Very secure ™️

Immaculate Taste: please leave it alone

>> can you give me the adress of that onion service https://conference.gajim.org:5281/pastebin/0aa8f519-351f-4205-9125-86a1cc40c91b

lovetox: the message above is for you.

no not yet,

did you give me the onion adress for testing?

you used to be able to sign onion domains idk what happened to that

https://walla.rneetup.com:5281/file_share/11794af3-8cbf-44f3-bb39-46f6cd4811e1/uBGD3-wJTeWopXRMFKPGXg.jpg

o ye they there

this mornings breakfast is biscotti yogurt with coffee

> did you give me the onion adress for testing? lovetox: I can create an account for you. S2S is disabled

i dont need an account for connecting

just give me the address

beduk, https://security.stackexchange.com/a/105647

Every single article I have read on this says you are wrong

soooo

have you got any links to an explanation on how tor doesn't require any encryption

cause I can't find a single one

the connection to the onion server does not leave the tor network via exit node

oh...

and that finally explains it, thanks :)

how do I check which XEP are supported on any given server via gajim?

like is there a way to query my server and say "do you support this feature"?

Accounts -> Server Info works for the server you're connected to

Not sure if it can be done for any arbitrary remote server

aah, just found that

but it doesn't list XEP-0357 PUSH notifications

doesn't say it's there or not there ssweeny

Might have to PR in support for it? Or hand-write the XMPP stanza into the XML console 😅️

Looks like Conversations checks for it so it should be possible

ssweeny, no Paul Gupta, no Server Info does only show things that Gajim wants, that the server supports

as Gajim does not need push notifications, it also does not check this for the server

fair enough

so server info dialog is not useful for that info

I was wondering if there's a raw XML command that I can send the server that sends back a report of XEP enabled

https://compliance.conversations.im/about/ << This is doing *something* similar I'm sure to test that

yes use that site, its exactly for that purpose

yeah, I just was curious how *I* can run that test

not easily because the site runs many tests

there is something called disco info

you can craft a stanza that will give you *some* info

but why would you do that if that site does it for you

https://xmpp.org/extensions/xep-0357.html#sect-idm45584195739856

here its described in examples how to query for protocol support

Hm... I am getting request entity too large uploading a 2MB file, but http upload is 1GiB, I assume 413 is being returned by the http server?