#dev 2016-09-12

2016-09-12 UTC
doesntgolf joined the channel
#
@seovalencia Trackbacks vs Pingbacks vs Webmentions for WordPress https://premium.wpmudev.org/blog/?p=153678 #wpmudev (twitter.com/_/status/775174109424603137)
miklb, cweiske and AngeloGladding joined the channel
#
Zegnat Progress! I now have a rel-me-check extension running that does not depend on Indiewebify: http://imgur.com/oHQLcOG
#
Zegnat Not getting the same results yet, but this is a good start. I probably need to resolve redirects.
cmal joined the channel
#
cweiske.de edited /PESOS (+128) "/* Software */" (view diff)
#
cweiske.de edited /PESOS (+127) "mention micropub property" (view diff)
#
voxpelli cweiske: would probably be good to mention the http://indieweb.org/rel-syndication#How_to_publish as the reference there as Micropub doesn't define that value but rather that page or h-entry
loicm_ and cmal joined the channel
#
cweiske.de edited /PESOS (+250) "/* Micropub */ link rel-syndication and repost." (view diff)
#
cweiske.de edited /PESOS () "(-569) /* IndieWeb Examples */ eschnou.com has no content anymore" (view diff)
rMdes joined the channel
#
sknebel post + discussion are a nice checklist for webmention endpoint security https://news.ycombinator.com/item?id=12478538
#
Zegnat sknebel, really, this: https://news.ycombinator.com/item?id=12478669
#
Zegnat I do wonder if any endpoints will except file:// uris
#
sknebel there are a few other good points in the discussion as well
#
sknebel afaik the webmention spec explictly calls out limiting protocols
#
sknebel that reminds me, I wanted to write a gzip-bomb-tester for WM endpoints a while back
#
Zegnat Hmm, should I assume that www.* equals *? https://i.imgur.com/1tpewpy.png
#
petermolnar gzip-bomb-tester?
#
Zegnat Or I guess I should add an extra request for all the URLs to see if they redirect somewhere.
#
Zegnat petermolnar: when a small archive decompresses into multiple gigabytes of data, is a gzip/zip/tar/archive bomb
#
petermolnar like https://www.bamsoftware.com/hacks/deflate.html for images?
#
sknebel petermolnar: same idea, yes. Most webmention endpoints probably limit the size of pages they download, but if you measure that "on the wire" and support HTTP with gzip, the page can use a lot of memory very easily
#
Zegnat I just use curl to grab the HTML. Does curl have some sort of internal limit that protects me or do I have to write that one myself?
#
petermolnar combine that with a reflection attack... neat. by the way, I have security question: vouch does not seem to be able to prevent a reflection attack at all, since you'll need to crawl B ( potentially even C - from the https://indieweb.org/Vouch example )
#
petermolnar Zegnat I'm not aware of built-in limits for cURL
#
sknebel possibly even needs attention with redirects to other protocols
#
cmal petermolnar: there's a few interesting possibilities
#
cmal someone a few weeks ago mentioned signing the webmention payload with PGP and matching the key to a cached version of the source's key
#
cmal then for vouching there's the obvious case of matching people against contacts/subscribers/groups
#
Zegnat I looked around a bit. Seems my curl'ing of the webmention will just try to download the resource no matter the size.
#
Zegnat I will need to fix that.
#
petermolnar PGP is a pain in the ass and it will open a computing overload vector
#
petermolnar eg. gigantic POST request signed
#
cmal if you accept the idea that a simple link on a page is a proper vouch, Google/Twitter is going to find a very easy way into your webmentions ;-)
#
petermolnar personally I don't like vouch
#
petermolnar I don't think it's useful _enough_
#
cmal petermolnar: depends how you do it, you could limit the size of the payload and use only JSON for signed paylods, for instance
#
cmal petermolnar: I agree completely
#
cmal from a security standpoint the status quo of vouching and relMeAuth is disastrous
#
petermolnar wordpress spam -> rel me my url -> auth \o/
#
cmal do you have links to resources discussing these issues or should we just open a pad and reference ideas for better protocols?
#
petermolnar let me check
#
cmal (I've already crawled the wiki about it but I've so far been very disappointed in this specific regard)
#
petermolnar http://indieweb.org/Webmention-brainstorming
#
petermolnar http://indieweb.org/Webmention-brainstorming#Issues
#
GWG petermolnar: So, what is your Vouch alternative? Not that I've seen a lot of Vouch integration on the part of sites.
#
cmal yeah there's talks here and there about DDOS/auth/encryption but I don't see any proposals taking all these aspects into consideration :-/
#
cmal how could one do proper vouching without followers/following lists? I personally don't see any way that's feasible but if you've got ideas… :D
#
petermolnar originally I was thinking of adding dmarc-dkim-spf into webmention
#
petermolnar but that is a little too complicated for most
#
GWG The idea is only that Vouch moves the burden of proof to the sender.
#
cmal GWG: yeah but in its current form it considers if you have a link to a website somewhere on your website (including, like petermolnar pointed, somewhere in an unmoderated comment), you are vouching for this website
#
cmal that's somewhat broad
#
cmal hmm, I read this on the wiki http://indieweb.org/DDOS#Check_client_IP
#
cmal maybe matching against webmention endpoint domain name would be more adpated?
#
sknebel same issue if it is an external service
#
petermolnar webmention.io for example
#
cmal well precisely: if you have webmention.io as a webmention endpoint, then someone receiving a webmention of yours would match the source IP address against A/AAAA records of webmention.io
#
sknebel receiver and sender are not the same
#
sknebel don't have to be
#
sknebel the sender-service isn't listed anywhere
#
sknebel and even for the receiver you'd have to fetch the site to figure out if it actually uses it
#
cmal okay you're right, my bad… but maybe this is an info we could add as a link on the homepage?
#
cmal sknebel: yeah but you would only fetch it once every now and then so it would mitigate an attempt at DDOS
#
petermolnar what's important is to list all the options which could prevent fetching falsely sourced site
#
petermolnar because that is how you destroy both your and the source site's capacity
#
petermolnar we could say the webmention endpoint must go into the http response header
#
sknebel e.g. people with static sites are going to send their webmentions from all kinds of IPs with all kinds of hostnames... local laptops, CI servers, ...
#
petermolnar because HEAD is significantly cheaper that GET
#
petermolnar wait, I'm messing up, nothing
#
GWG See the issues here?
#
petermolnar sorry, two different thoughts got mixes up
#
petermolnar sknebel an SPF record can contain a list of accepted IPs or CNAMEs
#
petermolnar security comes with restrictions
#
petermolnar unfortunately :/
#
petermolnar so you could add a dynamic cname into the SPF record in theory
#
petermolnar dyndns for example
#
petermolnar but the trouble with that is that is requires messing with the DNS
#
petermolnar which is a problem for many
#
cmal petermolnar: for shared hosting it can be a problem yeah :-/
#
petermolnar I forgot that shared hosting is still a thing :/
#
GWG No solution is foolproof. I think the idea is to reduce manual intervention, not totally eliminate it.
#
petermolnar (I honestly did)
#
petermolnar well, if there is an SPF record on the domain for webmention, we could check it
#
petermolnar optional security
#
petermolnar it at least prevents frauds for those who set it up
#
petermolnar (just like it does for email)
#
cmal petermolnar: how about different layers? like if there's nothing in DNS, do a HEAD, if there's nothing there, do a GET
#
cmal this way would allow different types of setup depending on how shared/static your hosting is
#
petermolnar that is what I'm planning to do with HEAD and GET
#
sknebel petermolnar: what do you do the HEAD for?
#
GWG Think of trust like a point system. You try to identify people you trust more than others using software. And you try to identify people with a low trust quotient.
#
GWG But no system is absolute
#
petermolnar on the receiver end, HEAD is to "ping" the source & target synchronously to determine if it's even valid; the GET will be async
#
sknebel hm
#
petermolnar on the sender end, to determine the webmention endpoint; HEAD first, GET later
#
sknebel sure, for the sender
#
sknebel for the source I'm not sure if a HEAD is worth it. For many dynamic sites the load is probably going to be quite similar, and now you are sending 2 requests instead of one
#
petermolnar but for the receiver I could do a lookup DNS SPF for sender domain, if exists, match it to the actual sender server and die if it's not valid
#
petermolnar sknebel you might be right
#
sknebel the only thing you learn from a HEAD is if the page exists or not
#
petermolnar that is exactly what I want to learn
#
sknebel but an attacker isn't going to send you to a non-existing page
#
petermolnar this is not an attack-specific thing for me
#
sknebel and if you can't deliver a full 404-page quickly something is really odd
#
petermolnar you're probably right with the double calling
#
GWG So, would you all agree that in this case, security is a series of compromises and will never be perfect?
#
sknebel I think many dynamic frameworks generate the full content for a HEAD anyways, just to be able to tell you the Content-Length
#
petermolnar GWG it's always like that
#
sknebel GWG: always
#
petermolnar but we need options
#
GWG petermolnar, sknebel: Agreed.
#
petermolnar read a bit about DMARC
#
petermolnar it's also an option, but a good one, for email
#
GWG I'm just mentioning the fact in regard to Vouch.
#
petermolnar vouch is one option
#
petermolnar but an option which can be even more dangerous that not using it
#
GWG Yes. But there are some other good options that don't require both sides to participate.
#
petermolnar s/that/than
#
@Inkwater_Masha Plotting with Post-Its http://www.julie-cohen.com/blog/2010/09/17/post-it-plotting/?platform=hootsuite #amwriting #indieauth (twitter.com/_/status/775326955675803648)
KevinMarks joined the channel
#
@copywriter_1 Trackbacks vs Pingbacks vs Webmentions for WordPress @wpmudev https://premium.wpmudev.org/blog/trackbacks-pingbacks-webmentions/ (twitter.com/_/status/775329691091738624)
#
GWG That reminds me
#
KevinMarks Zegnat: I think I have redirects in place so that www.kevinmarks.com and kevinmarks.com are the same.
#
GWG petermolnar, could I prevail upon you?
#
petermolnar hm?
#
GWG I am working on a new Webmentions and Pingbacks project. I was looking for someone to have a look when I am finished. Would you be able to?
#
petermolnar I can't promise it right now, but I'll try to
#
GWG petermolnar, still missing stuff. So bit ready yet
#
GWG Just I want to try to use this as a way to get feature support for webmentions.
loicm_ and tantek joined the channel
#
petermolnar is anyone aware of a python version of https://github.com/dissolve/single-emoji-recognizer ?
#
tantek likely worth a feature request issue!
#
petermolnar found this: http://stackoverflow.com/questions/28290240/python-2-7-detect-emoji-from-text#28333439
singpolyma joined the channel
#
ben_thatmustbeme petermolnar: i would think the code should be pretty easy to port over at least, its nothing too complex
#
petermolnar make it a C library, and then we can use it even from bash :) (https://github.com/taviso/ctypes.sh)
plindner and cweiske joined the channel
#
Zegnat KevinMarks: yes, you have the replies in place. But the extension does not yet resolve back-links. It just checks all the HREF values it finds as strings.
#
Zegnat s/replies/redirects/
tantek joined the channel
#
petermolnar hm
#
petermolnar it seems like the date format for 'published' for a h-entry is not as strict as I was expecting
#
petermolnar !tell cweiske commentpara.de does not have any published date for it's comments, it that intentional?
#
Loqi Ok, I'll tell them that when I see them next
#
cweiske currently it's intentional.
#
cweiske wanted to see which sites break without it
#
cweiske the date format for h-entry is a mess
#
cweiske parsing-wise
#
petermolnar I guess it's like adding 𝓹𝓮𝓽𝓮𝓻𝓶𝓸𝓵𝓷𝓪𝓻 as nick ot my h-card
#
petermolnar it should be the ISO format, no questions there
#
petermolnar it is meant for machines
#
petermolnar which python, by default, seems to break...
#
petermolnar lol
#
sknebel petermolnar: ?
#
petermolnar https://en.wikipedia.org/wiki/ISO_8601
#
petermolnar in that case, I expect 2016-09-12T16:42:20+0000
#
petermolnar python, in comparison: https://docs.python.org/2/library/datetime.html#datetime.datetime.isoformat
#
petermolnar microsecond is default instead of TZ
#
petermolnar which is not according to the iso...
#
petermolnar well, it could be
#
petermolnar sorry
#
petermolnar but it's rare
#
sknebel yeah, ok. if you want a timezone you have to explictly make the timestamp timezone-aware
#
sknebel datetime-handling in python isn't very nice
#
petermolnar no, it really is not
#
petermolnar this may be one of the rare cases where PHP is well established with http://php.net/manual/en/function.strtotime.php
#
voxpelli Date should be iso: http://microformats.org/wiki/datetime-design-pattern
#
Loqi Datetime Design Pattern
#
petermolnar that is yet another format
#
petermolnar and only differs as ' ' instead of 'T' between date and time compared to the ISO
#
bear yea, the battel for date time formatting was lost a long time ago
#
bear in python to do it properly and flexibly you have to combine a few libs and add error handling - python-dateutil and pytz and more - I would have to go find some old code of mine to recreate it
tantek joined the channel
#
sknebel yep, im using pytz and a iso8601 parsing library as well, and I don't parse external dates yet
#
sknebel I think for "here is a string, guess what it is" I'd need another library
#
paultibbetts.uk created /User:Paultibbetts.uk (+93) "added my user page" (view diff)
#
voxpelli In node you install moment and moment-timezone and then everything is fine
KevinMarks joined the channel
#
voxpelli Node / JavaScript
#
voxpelli One hard thing is to correctly identify the timezone of timezone less dates
#
voxpelli I think I used the timezone of the document in my WebMention endpoint instead of defaulting to my servers local timezone
#
paultibbetts.uk created /events/2016-10-05-homebrew-website-club (+6962) "Created page with "<div class="h-event vevent" style="margin-top:-16px"><img style="width:100%;height:300px;object-fit:cover;object-position:50% 45%" class="u-featured" src="https://scontent-lax3-1..."" (view diff)
#
paultibbetts.uk edited /Main_Page (+570) "/* Homebrew Website Club */ added 2016-10-05 in Birmingham, England" (view diff)
#
paultibbetts.uk edited /Events (+41) "added HWC Birmingham to upcoming events on 2016-10-05" (view diff)
tantek, KevinMarks and miklb joined the channel
#
KevinMarks Feedparser has a thorough set of date parsers. Search for _parse_date in https://github.com/kevinmarks/feedparser/blob/develop/feedparser/feedparser.py
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:2016-09-09-xoxo-indieweb-meetup.jpg]]""
#
aaronparecki.com edited /events/2016-09-09-xoxo-indieweb-meetup (+65) (view diff)
#
KevinMarks Good turnout
#
aaronpk it was crazy
cmal, tantek and rMdes joined the channel
#
cmal https://github.com/equalitie/np1sec ← very interesting for multiparty encrypted and authenticated communication
#
cmal I'm wondering to what extent this could apply to Indieweb "groups" or private streams of data
#
cmal (I mean the design outlined in the research paper, not the actual XMPP implementation)
KevinMarks and gRegorLove joined the channel
#
gregorlove.com edited /events/2016-09-21-homebrew-website-club (-13) "/* Bellingham, WA */ FB event" (view diff)
AngeloGladding joined the channel
#
gRegorLove reads backlog about Vouch
#
GWG Hello, Gregorlove
#
gRegorLove I had a hard time following most of that.
#
gRegorLove What is reflection attack?
#
Loqi It looks like we don't have a page for "reflection attack" yet. Would you like to create it?
#
GWG Simple...
#
GWG They don't like Vouch
#
GWG Because it is not perfect
#
gRegorLove Sure. But trying to understand the technical discussion around why.