
      Movim 0.24 Mueller

      Timothée Jaussoin · pubsub.movim.eu / Movim · Yesterday - 20:51

    Movim 0.24, codename Mueller, is out. Let's dive into all the new exciting things that you can find in this new release!

    What's new?

    XEP-0386: Bind 2, XEP-0388: Extensible SASL Profile and XEP-0474: SASL SCRAM Downgrade Protection

    Movim was definitely not the first one to integrate those XMPP extensions, but their implementation finally brings a much more modern authentication stack to the project.

    Bind 2 and Extensible SASL Profile greatly simplify the authentication flow, allowing Movim to connect (and reconnect) even faster. Don't worry, the older method is still there and will allow you to connect to #XMPP servers that don't yet support this new mechanism.

    SASL SCRAM Downgrade Protection is a small security layer that sits on top of SASL (the authentication framework used by XMPP) to prevent channel-binding downgrade attacks during the handshake. It is starting to be enforced by several servers nowadays, such as ejabberd.

    We would like to thank fabiang, who did awesome work on the #PHP #SASL library to add the SCRAM Downgrade Protection to it and allow a proper integration of the feature in Movim. Thanks!

    Complete page navigation loading refactoring

    You may not have seen it but a big #refactoring work was done under the hood to greatly simplify the navigation system in Movim.

    This gives you a working and reliable "back button" experience across the user interface. It is especially noticeable on mobile, where the back button is used a lot to switch between the different UI elements (drawers, pages, sliders...).

    This refactoring also fixed a few important bugs regarding the user interface's internal events that were creating weird behaviors. For example, in some cases, when you loaded the same page several times in a row, the same event was attached several times to some buttons, creating a mess when clicking on them.

    And finally, the browser-server connection (which relies on a WebSocket) was also refactored and simplified, fixing numerous connectivity bugs that we had until now.

    Changes when publishing an article

    A new post publish form

    The post publication form was slightly reorganized. The post privacy toggle was more clearly defined, and another one, to disable comments and likes, was added next to it.

    Interface improvements

    Since its big rewrite in 2014, Movim has always relied on the Google #Material Design system. This version continues the integration of Material 3 with the redesign of the search and chat boxes, as well as small form and button details.

    A new placeholder was also added when starting a new chat, allowing you to quickly add the user to your contact list or block him.

    New chat placeholder

    Other fixes and improvements

    A few #OMEMO bugs were also fixed, especially bug #1261, which was preventing Movim users from decrypting their own messages in chatrooms.

    Movim <3 Linphone

    We also fixed an annoying video-conferencing bug (#1274) that was preventing Movim from accepting some specific audio and video calls. This allows Movim to properly process calls coming from #SIP bridges and to connect with SIP clients like Linphone!

    We would like to especially thank toastal for his several contributions to the project, including internal image size management, a big refactoring of the internal language management system and some more minor interface and performance fixes.

    What's next?

    This version laid the last important bricks required to introduce the early steps of the big audio and video-conferencing refactoring, especially with all the navigation and interface internal events management work that was done over the past few releases.

    We will tell you more about it soon, stay tuned!

    In the meantime, please share the good news around you, and don't forget to update your server if you're an admin!

    That's all folks!
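To make the downgrade-protection idea from the release notes above concrete, here is an added example in Go. It is not Movim's code and not the fabiang SASL library: the server advertises its SASL mechanisms and TLS channel-binding types, the client hashes the lists it saw, the server hashes the lists it actually sent, and a mismatch reveals that something on the path altered the offer. The Advertisement type, the sorted-list serialisation with "," and "|" separators, the SHA-256/base64 choice and the sample mechanism and binding-type lists are this example's own assumptions; the real wire encoding and the SCRAM extension that carries the digest are defined in XEP-0474 and are not reproduced here.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Advertisement is what an XMPP server offers before authentication: the SASL
// mechanisms it supports and the TLS channel-binding types it accepts. These two
// lists are exactly what a downgrade attempt tries to shorten.
type Advertisement struct {
	Mechanisms      []string
	ChannelBindings []string
}

// canonical sorts and joins a list so that ordering differences never count as
// a mismatch. The "," separator is this example's choice, not XEP-0474's.
func canonical(items []string) string {
	s := append([]string(nil), items...)
	sort.Strings(s)
	return strings.Join(s, ",")
}

// DowngradeDigest binds both advertised lists into one base64 SHA-256 digest.
// The client computes it over what it saw; the server computes it over what it
// sent. The digest itself is not secret: it is protected by travelling inside
// the SCRAM exchange, whose messages are authenticated with the password-derived key.
func DowngradeDigest(a Advertisement) string {
	sum := sha256.Sum256([]byte(canonical(a.Mechanisms) + "|" + canonical(a.ChannelBindings)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ServerAccepts is the server-side check: the digest received from the client
// must equal the digest of what the server actually offered.
func ServerAccepts(offered Advertisement, clientDigest string) bool {
	return DowngradeDigest(offered) == clientDigest
}

// Detect runs the two cases a server has to tell apart: a client that saw the
// genuine offer (possibly reordered) and a client that saw a stripped one.
func Detect() (genuineOK bool, strippedOK bool) {
	// Constructed sample offer from a hypothetical server.
	offered := Advertisement{
		Mechanisms:      []string{"SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1"},
		ChannelBindings: []string{"tls-exporter", "tls-server-end-point"},
	}
	// Constructed: the same offer as the client may see it, in a different order.
	seenGenuine := Advertisement{
		Mechanisms:      []string{"SCRAM-SHA-1", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-256-PLUS"},
		ChannelBindings: []string{"tls-server-end-point", "tls-exporter"},
	}
	// Constructed: the offer with the -PLUS mechanisms and all channel-binding
	// types removed, which is what a client sees after a downgrade in transit.
	seenStripped := Advertisement{
		Mechanisms: []string{"SCRAM-SHA-256", "SCRAM-SHA-1"},
	}
	genuineOK = ServerAccepts(offered, DowngradeDigest(seenGenuine))
	strippedOK = ServerAccepts(offered, DowngradeDigest(seenStripped))
	return genuineOK, strippedOK
}

func main() {
	g, s := Detect()
	fmt.Printf("genuine offer accepted: %v\nstripped offer accepted: %v\n", g, s)
}
```

The point to take from the example is where the digest travels, not how it is computed: because it is part of the SCRAM client-first-message, it is covered by the proof the client later sends, so a party that removed the -PLUS mechanisms cannot also replace the digest with one matching the stripped lists without knowing the password. A server that enforces the check, as the release notes say ejabberd is starting to, simply fails the authentication on mismatch.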


      (I'm ashamed, but I've been badmouthing ActivityPub for two days, on ActivityPub)

      Océane · Wednesday, 28 February - 15:46

    Hahahahaha huehuehue I finally managed to get my boyfriend to use XMPP

    Which means I can finally install Arch Hurd or whatever I want, really, without needing my mother's phone (since I need a SIM card and a smartphone to use Signal)

    At one point we had a somewhat bootlegged Chaton, to put it politely, which didn't allow calls over #XMPP, so he spent a week in Morocco with no news

    Unsurprisingly this Chaton favoured #Matrix as its point of contact, because either you're squared away and (1) you tell your XMPP users that your server doesn't handle calls, (2) you promote well-designed communication protocols, (3) you stop being shady and realise that optimising for engagement, even for free/open source software, is unacceptable and you refuse to promote it, or you're a person who may be lovely, may be dumb as a rock, but who will promote software that, whaaat a coincidence, implements insecure protocols and sets up teams to optimise for engagement (because its developers are trash, I mean it's a fact, when you drag your users down for money and media coverage, you're trash)

    And I don't mean by that that all the developers and infrastructure maintainers on #ActivityPub or Matrix are trash, not at all!

    For example, Christine Weber is a woman I admire, she gave a talk at MIT on her Spritly project in front of one of the authors of SICP (a book about as legendary in programming as Evangelion is in anime), well, she bought an MNT Pocket Reform to have a computer the size of her handbag, on a whim, and she owned up, without really owning up, to having put all her money on a whim.

    I admire her and she's really talented, but she's not squared away, and that's not a criticism, she owes me nothing, but it's a fact

    I mean Eugen Rochko was starting his days at 1 p.m. at one point, that doesn't stop him from succeeding in life for now, but it's not squared away, once again

    Ariadne Connil was head of security at Pleroma, she left the project because… the project was wavering between “free speech” (freeze peach) and software freedom, the lead developer ended up choosing freeze peach, so the software got forked, notably as Akkoma

    Well, her blog posts about the FSF show clearly, IMHO, that this organisation's confused and somewhat branching communication drags us down, on a purely personal level, we try to put order in our lives (which is more or less the etymology of the word “ordinateur”, but I repeat myself) and frankly, the GNU project's recommendations to install proprietary firmware at install parties while wearing a devil mask don't really help, she's been trying to be squared away for years but I don't know whether she's starting to get there or not

    So I'm not saying this against these people, once again, capitalism and the destruction of our environment turn into compulsive purchases, nights that run too late (hohoho), lack of sleep, more or less filthy flats, homework handed in late, etc. What a civilisation!

    I mean, everyone is more or less in that situation. I don't want to criticise this protocol by association with the volunteers who maintain it.

    But this protocol. is not. squared away.

    The people on Matrix are not squared away. (And optimising for engagement obviously drags them down, but that's another story.)

    For years I tried (yes, this is a rant) to use software that was squared away, free, respectful of my privacy, etc. because it was about the only aspect of my life I had under control, and because I realised, without being fully aware of it, that I could extend that rigour to the rest of my personal life. It really started with reading Absolute OpenBSD, and making backups with rsync(1) was all I was missing to have confidence in myself.

    Anyway.

    https://peculiar.florist/notes/9q8io2cwcgtf02ru


      Prav iOS fundraiser

      ravi · Tuesday, 27 February - 13:12

    We need your help! In our experience, onboarding #iOS users to #XMPP is inconvenient right now compared to Android: there is no #Quicksy-like phone number/SMS OTP sign-up. Developing a convenient and easy-to-onboard XMPP iOS app is one of our top priorities.

    Help us and the whole XMPP ecosystem by contributing to the #Prav iOS app fundraiser at the following link 👉 https://opencollective.com/prav-ios. The Prav iOS app will be Free/Libre Software[1], following our track record of transparency and privacy.

    Due to network effects, a messaging app is not just a personal choice, and even a single contact of yours having iOS can affect wider adoption of XMPP (we also don't like #Apple, but we feel this is an essential step for adoption of XMPP by people outside the Free Software circles).

    Remember that whatever the amount, every donation counts 🙂

    [1] https://www.gnu.org/philosophy/free-software-even-more-important.html

    #Introduction time. My name is Ravi and I am from India. I am a #freesoftware and #privacy activist. I am a part of #prav (https://prav.app), a chat app focused on mass adoption of #XMPP.

    I did postgraduate studies in #mathematics at the Indian Statistical Institute, Kolkata, and I currently work as a freelancer at artofproblemsolving.com. Additionally, I contribute to #debian, #openstreetmap and #libreoffice.

    I blog at https://ravidwivedi.in. Hope to meet nice people here.


      Daniel Gultsch: "Der Angriff auf jabber.ru und mögliche Gegenmaßnahmen"

      debacle · pubsub.movim.eu / berlin-xmpp-meetup · Monday, 11 December - 09:47

    Daniel Gultsch: "Der Angriff auf jabber.ru und mögliche Gegenmaßnahmen"

    When? Wednesday, 2023-12-13 18:00 CET (always 2ⁿᵈ Wednesday of every month)

    Where? In xHain hack+makespace, Grünberger Str. 16, 10243 Berlin

    This time it is a face-to-face meeting. Find out about a recording at our virtual meeting place xmpp:berlin-meetup@conference.conversations.im?join.

    #Jabber #XMPP #freeSoftware #community #xHain #Berlin #meetup #community #jabberRU #security #MitM


      MattJ talks about "Spam, Abuse and Moderation"

      debacle · pubsub.movim.eu / berlin-xmpp-meetup · Monday, 6 November - 23:33

    MattJ talks about "Spam, Abuse and Moderation"

    When? Wednesday, 2023-11-08 18:00 CET (always 2ⁿᵈ Wednesday of every month)

    Where? In xHain hack+makespace, Grünberger Str. 16, 10243 Berlin

    This time it is a hybrid meeting. Find out about our Jitsi at our virtual meeting place xmpp:berlin-meetup@conference.conversations.im?join.

    #Jabber #XMPP #freeSoftware #community #xHain #Berlin #meetup #community #xhain #spam #abuse #moderation


      CertWatch

      Stephen Paul Weber · Tuesday, 24 October, 2023 - 20:00

    As you may have already seen, on October 21st, it was reported that a long-running, successful MITM (Machine-In-The-Middle) attack against jabber.ru had been detected. The nature of this attack was not specific to the XMPP protocol in any way, but it was of special interest to us as members of the XMPP community. This kind of attack relies on being able to present a TLS certificate which anyone trying to connect will accept as valid. In this case, it was done by getting a valid certificate from Let’s Encrypt.

    When it comes to mitigation strategies for client-to-server connections, luckily there is already an excellent option called channel binding. Most XMPP clients and servers already have some amount of support for this technique, and in the wake of this attack, most are scrambling to make sure their implementations are complete. Many service providers have also added CAA DNS records which can prevent the very specific way this attack was executed from succeeding.

    We’ve been hard at work on a different tool that can also help with defense-in-depth for this kind of situation. Ultimately, a MITM will use a different public key from the one the server uses, even if it is wrapped in a signed certificate declared as valid by a trustworthy authority (like Let’s Encrypt). If we know what key is seen when trying to connect, and we know what key the server administrator expects us to see, we can detect an ongoing MITM of this variety even when the certificate presented is valid. The tool we have developed is in early testing now. We call it CertWatch.

    The premise is simple. The server administrator knows exactly what public/private keypair they are using (or can easily find out) and publishes this in DNSSEC-signed DNS records for our tool to find. The tool then periodically polls the XMPP server over Tor to see what certificate is presented. If the key in the certificate matches the key in the DNS zone, we know the session is not MITM’d (some caveats below). CertWatch checks the current setup of any domain entered, and if not yet declaring any keys, it displays setup instructions. It will either tell you to enable DNSSEC or it will tell you which DNS records to add. Note that these records are additive, so it is safe to add multiple sets when serving multiple domains from one host through SRV records. Once everything looks good, running a domain through CertWatch will display a success message and instructions for getting notified of any issues. It will then poll the domain periodically, and if any key mismatches are found, those subscribing to notifications will receive an alert.

    Some tools change your key on every certificate renewal, which means you would have to update your zone setup every time your certificates renew. Other tools allow you to reuse existing keys and save some hassle, such as certbot with the --reuse-key option.

    Caveats

    If we did our polls from our main server IPs, it would be easy for any attacker to detect our probes and selectively disable the MITM attack for us, making themselves invisible. Probing over Tor gives CertWatch a different IP for every request and a traffic profile almost certainly consistent with the sort that many MITM attackers are going to want to inspect. This is not perfect, however, and it may be possible to fingerprint our probes in other ways to selectively MITM some traffic and ignore others. Just because our tool’s sessions were not MITM’d does not prove that no sessions are.

    Anyone with physical access to the server may also scrape the actual certificates and keys off the disk, or use similar techniques in order to execute a MITM with exactly the same key the server operator expects and would use. The particular mitigation technique CertWatch helps administrators implement is ineffective against this. Rotating the key occasionally may help, but it really depends on the sophistication of the attacker and how much access they have.

    Check it Out

    So head over to CertWatch, enter your service domain, and let us know what you think.
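The key comparison at the heart of the post above, as an added example in Go that is not CertWatch's own code: the operator publishes the SHA-256 of their certificate's SubjectPublicKeyInfo, and the monitor compares that against the key carried by the leaf certificate each probe receives. A certificate for a different key fails the comparison even when its chain validates, which is the case the post describes. The record content (hex SPKI digests), the host name xmpp.example.net and the self-signed certificate fixtures are assumptions of this example; the page does not give CertWatch's actual record layout, and the DNSSEC lookup and polling over Tor are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// SPKIFingerprint returns the hex SHA-256 of a certificate's SubjectPublicKeyInfo.
// Hashing the SPKI rather than the whole certificate keeps the value stable across
// renewals as long as the key pair is reused (the certbot --reuse-key case in the post).
func SPKIFingerprint(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// MatchesPublished is the monitor's comparison: does the leaf certificate seen in
// the handshake carry one of the keys the operator published? The record content
// is assumed here to be hex SPKI digests (the page does not give the real format);
// several digests are allowed because the post says the records are additive.
func MatchesPublished(leafDER []byte, published []string) (bool, error) {
	fp, err := SPKIFingerprint(leafDER)
	if err != nil {
		return false, err
	}
	for _, p := range published {
		if p == fp {
			return true, nil
		}
	}
	return false, nil
}

// newKey and issueCert are constructed fixtures. The self-signed certificate stands
// in for the CA-issued one a probe receives; chain validation is deliberately not
// part of the check, since in the incident the post describes the chain was valid.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func issueCert(key *ecdsa.PrivateKey, host string, serial int64) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// RunProbes publishes the operator's key once, then checks three presented
// certificates: the original, a renewal with the same key, and one for a key the
// operator never published (the mismatch a monitor must alert on).
func RunProbes() (original, renewedSame, otherKey bool, err error) {
	const host = "xmpp.example.net" // hypothetical
	operatorKey := newKey()
	first := issueCert(operatorKey, host, 1)
	fp, err := SPKIFingerprint(first)
	if err != nil {
		return
	}
	published := []string{fp} // constructed stand-in for the DNSSEC-signed record
	if original, err = MatchesPublished(first, published); err != nil {
		return
	}
	if renewedSame, err = MatchesPublished(issueCert(operatorKey, host, 2), published); err != nil {
		return
	}
	otherKey, err = MatchesPublished(issueCert(newKey(), host, 3), published)
	return
}
```

On a live connection the input to MatchesPublished would be the DER of the first peer certificate from tls.ConnectionState (PeerCertificates[0].Raw); the check is independent of whether the chain verified, which is the whole point. The second caveat in the post still applies unchanged: a party holding the operator's actual private key produces a matching fingerprint, so this comparison only catches a substituted key, not a stolen one.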


      hrxi talks about "Dino on Windows"

      debacle · pubsub.movim.eu / berlin-xmpp-meetup · Monday, 9 October, 2023 - 16:23

    hrxi talks about "Dino on Windows"

    When? Wednesday, 2023-10-11 18:00 CEST (always 2ⁿᵈ Wednesday of every month)

    Where? In xHain hack+makespace, Grünberger Str. 16, 10243 Berlin

    This time it is a physical meeting, no Jitsi, sorry!

    You might like to join our virtual meeting place xmpp:berlin-meetup@conference.conversations.im?join.

    #Jabber #XMPP #freeSoftware #community #xHain #Dino #Windows #Berlin #meetup #community #xhain