Modern XMPP project discussion - 2023-01-02


  1. Trung

    RESOURCE GENERATION The client should generate a unique random identifier per device or client instance. The identifier should be reused between sessions, and should not reveal any information about the user, their device, or their location.

  2. Trung

    ↑ Why?

  3. MattJ

    Trung, because the resource is visible to contacts and anyone you communicate with

  4. Trung

    it's not visible to people who don't have a sub grant though, does it?

  5. Trung

    I think users should be able to change their own resource identifier

  6. Zash

    I think it should be an opaque session identifier assigned by the server!

  7. MattJ

    Trung, as I wrote, it's visible to contacts and anyone you communicate with

  8. Trung

    most clients run on a specific platform|OS and they set their branding+random identifier in the resource part anyway. it's not hard to guess their device.

  9. MattJ

    Exactly, that's why they shouldn't put that info in the resource part :)

  10. MattJ

    The new Bind 2 XEP has more stuff about this

  11. MattJ

    But, for example, I believe Siskin used the device name as the resource identifier. If I tried to create an anonymous XMPP account, "anon4891@example.com", and then I sent you a message, it would be from "anon4891@example.com/Matthew Wild's iPhone"

  12. Trung

    woaw =]]]]]] that's not very anonymous

  13. MattJ

    There's not much that can be done about leaking the client name, it's trivial to fingerprint client software by the features they support and various other quirks

  14. MattJ

    But exposing anything more than that is unnecessary and potentially dangerous

  15. Trung

    I agree. I think by default it should be a hash. But allow users to change it as they want and give them a warning when they choose to do that. Anonymous should always be a hash though

  16. Trung

    lol

  17. MattJ

    Why allow the user to change it?

  18. Trung

    sometimes people want to let their partners know what they are using.

  19. Trung

    u know, i'm on the phone, don't send me 10Gb of film footage

  20. MattJ

    No, that's not how it works. For starters, people would ignore it and send you 10GB anyway (like how people traditionally ignore the "do not disturb" status)

  21. MattJ

    Instead, mobile clients should be sensible about not auto-accepting large transfers

  22. MattJ

    and indeed they will prompt you

  23. MattJ

    It's better if your contact can just send you the file offer, and you can choose when and where to receive it

  24. Trung

    yeh there's a point in that

  25. Trung

    well in that case the resource is not very useful as a UX feature altogether

  26. MattJ

    Agreed. That's why we recommend it shouldn't be displayed to users at all.

  27. Trung

    it's just technical, as in the server knows there are multiple devices.

  28. MattJ

    Correct, it's basically a session identifier

  29. Trung

    > Zash: I think it should be an opaque session identifier assigned by the server!

    We might as well do this then ↑

  30. MattJ

    Yes. And we are :)

  31. Trung

    in the next version? I still see my resources lol

  32. Trung

    i use profanity. can set it to whatever i want.

  33. MattJ

    Next version of what? Many clients already don't display resource (prominently, or at all)

  34. MattJ

    I've never used profanity, but console clients are often targeted at "power users", people who like being able to tweak things like that :)

  35. MattJ

    The ModernXMPP guidance is about improving the experience for the majority of people who don't understand protocols and session identifiers (and who shouldn't be forced to learn)

  36. MattJ

    if Profanity wants to be more user-friendly in that way, the developers should consider the guidance

  37. Trung

    I think if we decide that the resource is no good for UX, the server should reject the resource set by the client (Profanity|Poezio|…) and give them a random hash anyway in the protocol layer.

  38. MattJ

    Yes, Prosody has a plugin/option to do that I believe

  39. Trung

    oh ok. I'll look then thanks

  40. MattJ

    https://modules.prosody.im/mod_compact_resource.html I think

  41. MattJ

    and XEP-0386 is on the way which will enforce server-generated resources

  42. Trung

    aye thanks mate

  43. Trung

    Is labelling OMEMO keys considered to be important? (it's local data on client side I would imagine)

  44. MattJ

    Maybe

  45. MattJ

    I like the idea of Signal's "safety numbers", it's a bit simpler for people than showing them lists of long fingerprints

  47. qy

    > Some sleuthing from engineer and app researcher Jane Manchun Wong unearthed evidence that Reddit is experimenting with Matrix for its chat feature — a move more or less confirmed to TechCrunch by Reddit. A spokesperson said that it’s “looking at a number of ways to improve conversations on Reddit” and was “testing a number of options,” though they stopped short of name-checking Matrix specifically.

  48. qy

    anyone feel like contacting them?