#dev 2016-09-12

2016-09-12 UTC
doesntgolf joined the channel
#
@seovalencia
Trackbacks vs Pingbacks vs Webmentions for WordPress https://premium.wpmudev.org/blog/?p=153678 #wpmudev
(twitter.com/_/status/775174109424603137)
miklb, cweiske and AngeloGladding joined the channel
#
Zegnat
Progress! I now have a rel-me-check extension running that does not depend on Indiewebify: http://imgur.com/oHQLcOG
#
Zegnat
Not getting the same results yet, but this is a good start. I probably need to resolve redirects.
cmal joined the channel
#
cweiske.de
edited /PESOS (+128) "/* Software */"
#
cweiske.de
edited /PESOS (+127) "mention micropub property"
#
voxpelli
cweiske: would probably be good to mention the http://indieweb.org/rel-syndication#How_to_publish as the reference there as Micropub doesn't define that value but rather that page or h-entry
loicm_ and cmal joined the channel
#
cweiske.de
edited /PESOS (+250) "/* Micropub */ link rel-syndication and repost."
#
cweiske.de
edited /PESOS () "(-569) /* IndieWeb Examples */ eschnou.com has no content anymore"
rMdes joined the channel
#
sknebel
post + discussion are a nice checklist for webmention endpoint security https://news.ycombinator.com/item?id=12478538
#
Zegnat
I do wonder if any endpoints will accept file:// URIs
#
sknebel
there are a few other good points in the discussion as well
#
sknebel
afaik the webmention spec explicitly calls out limiting protocols
#
sknebel
that reminds me, I wanted to write a gzip-bomb-tester for WM endpoints a while back
#
Zegnat
Hmm, should I assume that www.* equals *? https://i.imgur.com/1tpewpy.png
#
petermolnar
gzip-bomb-tester?
#
Zegnat
Or I guess I should add an extra request for all the URLs to see if they redirect somewhere.
#
Zegnat
petermolnar: when a small archive decompresses into multiple gigabytes of data, that is a gzip/zip/tar/archive bomb
#
sknebel
petermolnar: same idea, yes. Most webmention endpoints probably limit the size of pages they download, but if you measure that "on the wire" and support HTTP with gzip, the page can use a lot of memory very easily
#
Zegnat
I just use curl to grab the HTML. Does curl have some sort of internal limit that protects me or do I have to write that one myself?
#
petermolnar
combine that with a reflection attack... neat. by the way, I have security question: vouch does not seem to be able to prevent a reflection attack at all, since you'll need to crawl B ( potentially even C - from the https://indieweb.org/Vouch example )
#
petermolnar
Zegnat I'm not aware of built-in limits for cURL
#
sknebel
possibly even needs attention with redirects to other protocols
#
cmal
petermolnar: there's a few interesting possibilities
#
cmal
someone a few weeks ago mentioned signing the webmention payload with PGP and matching the key to a cached version of the source's key
#
cmal
then for vouching there's the obvious case of matching people against contacts/subscribers/groups
#
Zegnat
I looked around a bit. Seems my curl'ing of the webmention will just try to download the resource no matter the size.
#
Zegnat
I will need to fix that.
#
petermolnar
PGP is a pain in the ass and it will open a computing overload vector
#
petermolnar
eg. gigantic POST request signed
#
cmal
if you accept the idea that a simple link on a page is a proper vouch, Google/Twitter is going to find a very easy way into your webmentions ;-)
#
petermolnar
personally I don't like vouch
#
petermolnar
I don't think it's useful _enough_
#
cmal
petermolnar: depends how you do it, you could limit the size of the payload and use only JSON for signed payloads, for instance
#
cmal
petermolnar: I agree completely
#
cmal
from a security standpoint the status quo of vouching and relMeAuth is disastrous
#
petermolnar
wordpress spam -> rel me my url -> auth \o/
#
cmal
do you have links to resources discussing these issues or should we just open a pad and reference ideas for better protocols?
#
petermolnar
let me check
#
cmal
(I've already crawled the wiki about it but I've so far been very disappointed in this specific regard)
#
GWG
petermolnar: So, what is your Vouch alternative? Not that I've seen a lot of Vouch integration on the part of sites.
#
cmal
yeah there's talks here and there about DDOS/auth/encryption but I don't see any proposals taking all these aspects into consideration :-/
#
cmal
how could one do proper vouching without followers/following lists? I personally don't see any way that's feasible but if you've got ideas… :D
#
petermolnar
originally I was thinking of adding dmarc-dkim-spf into webmention
#
petermolnar
but that is a little too complicated for most
#
GWG
The idea is only that Vouch moves the burden of proof to the sender.
#
cmal
GWG: yeah but in its current form it considers that if you have a link to a website somewhere on your website (including, like petermolnar pointed out, somewhere in an unmoderated comment), you are vouching for this website
#
cmal
that's somewhat broad
#
cmal
maybe matching against the webmention endpoint domain name would be more adapted?
#
sknebel
same issue if it is an external service
#
petermolnar
webmention.io for example
#
cmal
well precisely: if you have webmention.io as a webmention endpoint, then someone receiving a webmention of yours would match the source IP address against A/AAAA records of webmention.io
#
sknebel
receiver and sender are not the same
#
sknebel
don't have to be
#
sknebel
the sender-service isn't listed anywhere
#
sknebel
and even for the receiver you'd have to fetch the site to figure out if it actually uses it
#
cmal
okay you're right, my bad… but maybe this is an info we could add as a link on the homepage?
#
cmal
sknebel: yeah but you would only fetch it once every now and then so it would mitigate an attempt at DDOS
#
petermolnar
what's important is to list all the options which could prevent fetching falsely sourced site
#
petermolnar
because that is how you destroy both your and the source site's capacity
#
petermolnar
we could say the webmention endpoint must go into the http response header
#
sknebel
e.g. people with static sites are going to send their webmentions from all kinds of IPs with all kinds of hostnames... local laptops, CI servers, ...
#
petermolnar
because HEAD is significantly cheaper than GET
#
petermolnar
wait, I'm messing up, nothing
#
GWG
See the issues here?
#
petermolnar
sorry, two different thoughts got mixed up
#
petermolnar
sknebel an SPF record can contain a list of accepted IPs or CNAMEs
#
petermolnar
security comes with restrictions
#
petermolnar
unfortunately :/
#
petermolnar
so you could add a dynamic cname into the SPF record in theory
#
petermolnar
dyndns for example
#
petermolnar
but the trouble with that is that it requires messing with the DNS
#
petermolnar
which is a problem for many
#
cmal
petermolnar: for shared hosting it can be a problem yeah :-/
#
petermolnar
I forgot that shared hosting is still a thing :/
#
GWG
No solution is foolproof. I think the idea is to reduce manual intervention, not totally eliminate it.
#
petermolnar
(I honestly did)
#
petermolnar
well, if there is an SPF record on the domain for webmention, we could check it
#
petermolnar
optional security
#
petermolnar
it at least prevents frauds for those who set it up
#
petermolnar
(just like it does for email)
#
cmal
petermolnar: how about different layers? like if there's nothing in DNS, do a HEAD, if there's nothing there, do a GET
#
cmal
this way would allow different types of setup depending on how shared/static your hosting is
#
petermolnar
that is what I'm planning to do with HEAD and GET
#
sknebel
petermolnar: what do you do the HEAD for?
#
GWG
Think of trust like a point system. You try to identify people you trust more than others using software. And you try to identify people with a low trust quotient.
#
GWG
But no system is absolute
#
petermolnar
on the receiver end, HEAD is to "ping" the source & target synchronously to determine if it's even valid; the GET will be async
#
petermolnar
on the sender end, to determine the webmention endpoint; HEAD first, GET later
#
sknebel
sure, for the sender
#
sknebel
for the source I'm not sure if a HEAD is worth it. For many dynamic sites the load is probably going to be quite similar, and now you are sending 2 requests instead of one
#
petermolnar
but for the receiver I could do a lookup DNS SPF for sender domain, if exists, match it to the actual sender server and die if it's not valid
#
petermolnar
sknebel you might be right
#
sknebel
the only thing you learn from a HEAD is if the page exists or not
#
petermolnar
that is exactly what I want to learn
#
sknebel
but an attacker isn't going to send you to a non-existing page
#
petermolnar
this is not an attack-specific thing for me
#
sknebel
and if you can't deliver a full 404-page quickly something is really odd
#
petermolnar
you're probably right with the double calling
#
GWG
So, would you all agree that in this case, security is a series of compromises and will never be perfect?
#
sknebel
I think many dynamic frameworks generate the full content for a HEAD anyways, just to be able to tell you the Content-Length
#
petermolnar
GWG it's always like that
#
sknebel
GWG: always
#
petermolnar
but we need options
#
GWG
petermolnar, sknebel: Agreed.
#
petermolnar
read a bit about DMARC
#
petermolnar
it's also an option, but a good one, for email
#
GWG
I'm just mentioning the fact in regard to Vouch.
#
petermolnar
vouch is one option
#
petermolnar
but an option which can be even more dangerous that not using it
#
GWG
Yes. But there are some other good options that don't require both sides to participate.
#
petermolnar
s/that/than
KevinMarks joined the channel
#
GWG
That reminds me
#
KevinMarks
Zegnat: I think I have redirects in place so that www.kevinmarks.com and kevinmarks.com are the same.
#
GWG
petermolnar, could I prevail upon you?
#
GWG
I am working on a new Webmentions and Pingbacks project. I was looking for someone to have a look when I am finished. Would you be able to?
#
petermolnar
I can't promise it right now, but I'll try to
#
GWG
petermolnar, still missing stuff. So not ready yet
#
GWG
Just I want to try to use this as a way to get feature support for webmentions.
loicm_ and tantek joined the channel
#
tantek
likely worth a feature request issue!
singpolyma joined the channel
#
ben_thatmustbeme
petermolnar: I would think the code should be pretty easy to port over at least, it's nothing too complex
#
petermolnar
make it a C library, and then we can use it even from bash :) (https://github.com/taviso/ctypes.sh)
plindner and cweiske joined the channel
#
Zegnat
KevinMarks: yes, you have the replies in place. But the extension does not yet resolve back-links. It just checks all the HREF values it finds as strings.
#
Zegnat
s/replies/redirects/
tantek joined the channel
#
petermolnar
it seems like the date format for 'published' for a h-entry is not as strict as I was expecting
#
petermolnar
!tell cweiske commentpara.de does not have any published date for its comments, is that intentional?
#
Loqi
Ok, I'll tell them that when I see them next
#
cweiske
currently it's intentional.
#
cweiske
wanted to see which sites break without it
#
cweiske
the date format for h-entry is a mess
#
cweiske
parsing-wise
#
petermolnar
I guess it's like adding 𝓹𝓮𝓽𝓮𝓻𝓶𝓸𝓵𝓷𝓪𝓻 as nick to my h-card
#
petermolnar
it should be the ISO format, no questions there
#
petermolnar
it is meant for machines
#
petermolnar
which python, by default, seems to break...
#
sknebel
petermolnar: ?
#
petermolnar
in that case, I expect 2016-09-12T16:42:20+0000
#
petermolnar
microsecond is default instead of TZ
#
petermolnar
which is not according to the iso...
#
petermolnar
well, it could be
#
petermolnar
but it's rare
#
sknebel
yeah, ok. if you want a timezone you have to explicitly make the timestamp timezone-aware
#
sknebel
datetime-handling in python isn't very nice
#
petermolnar
no, it really is not
#
petermolnar
this may be one of the rare cases where PHP is well established with http://php.net/manual/en/function.strtotime.php
#
Loqi
Datetime Design Pattern
#
petermolnar
that is yet another format
#
petermolnar
and only differs as ' ' instead of 'T' between date and time compared to the ISO
#
bear
yea, the battle for date time formatting was lost a long time ago
#
bear
in python to do it properly and flexibly you have to combine a few libs and add error handling - python-dateutil and pytz and more - I would have to go find some old code of mine to recreate it
tantek joined the channel
#
sknebel
yep, I'm using pytz and an iso8601 parsing library as well, and I don't parse external dates yet
#
sknebel
I think for "here is a string, guess what it is" I'd need another library
#
paultibbetts.uk
created /User:Paultibbetts.uk (+93) "added my user page"
#
voxpelli
In node you install moment and moment-timezone and then everything is fine
KevinMarks joined the channel
#
voxpelli
Node / JavaScript
#
voxpelli
One hard thing is to correctly identify the timezone of timezone less dates
#
voxpelli
I think I used the timezone of the document in my WebMention endpoint instead of defaulting to my servers local timezone
#
paultibbetts.uk
created /events/2016-10-05-homebrew-website-club (+6962) "Created page with "<div class="h-event vevent" style="margin-top:-16px"><img style="width:100%;height:300px;object-fit:cover;object-position:50% 45%" class="u-featured" src="https://scontent-lax3-1...""
#
paultibbetts.uk
edited /Main_Page (+570) "/* Homebrew Website Club */ added 2016-10-05 in Birmingham, England"
#
paultibbetts.uk
edited /Events (+41) "added HWC Birmingham to upcoming events on 2016-10-05"
tantek, KevinMarks and miklb joined the channel
#
KevinMarks
Feedparser has a thorough set of date parsers. Search for _parse_date in https://github.com/kevinmarks/feedparser/blob/develop/feedparser/feedparser.py
#
KevinMarks
Good turnout
#
aaronpk
it was crazy
cmal, tantek and rMdes joined the channel
#
cmal
https://github.com/equalitie/np1sec ← very interesting for multiparty encrypted and authenticated communication
#
cmal
I'm wondering to what extent this could apply to Indieweb "groups" or private streams of data
#
cmal
(I mean the design outlined in the research paper, not the actual XMPP implementation)
KevinMarks and gRegorLove joined the channel
#
gregorlove.com
edited /events/2016-09-21-homebrew-website-club (-13) "/* Bellingham, WA */ FB event"
AngeloGladding joined the channel
#
gRegorLove
reads backlog about Vouch
#
GWG
Hello, Gregorlove
#
gRegorLove
I had a hard time following most of that.
#
gRegorLove
What is a reflection attack?
#
Loqi
It looks like we don't have a page for "reflection attack" yet. Would you like to create it?
#
GWG
Simple...
#
GWG
They don't like Vouch
#
GWG
Because it is not perfect
#
gRegorLove
Sure. But trying to understand the technical discussion around why.