#dev 2018-10-13

2018-10-13 UTC
benwerd joined the channel
renem, benwerd, snarfed, [Vincent] and [kevinmarks] joined the channel
#
[kevinmarks]
[snarfed] looks like fluffy needs some help with fed bridgy
[asuh] and renem joined the channel
#
@jackbarber
If any @grabaperch users out there have got webmentions working, would you mind having a look at http://forum.grabaperch.com/forum/10-13-2018-webmentions-failing and telling me what I've done wrong. Thanks! #perch #webmentions
(twitter.com/_/status/1051034487277129728)
swentel joined the channel
#
@nxD4n
@withknown is there a way to disable comments on a self-hosted #known and only allow #webmentions? I've been getting spammed a lot recently and had to put it in private mode to stop it
(twitter.com/_/status/1051046485675188224)
#
@EatPodcast
↩️ @nxD4n I'm not absolutely sure, but if you disable the Public Comments plugin, I think that still allows webmentions through.
(twitter.com/_/status/1051049820318777344)
[Vincent] and swentel joined the channel
#
Zegnat
jeremycherfas++ on point with the twitter support lately!
#
Loqi
jeremycherfas has 11 karma in this channel over the last year (25 in all channels)
#
jeremycherfas
I don't deserve that. All I do is ask for more details. Others give solid assistance.
#
jeremycherfas
I suppose it shows people others are listening.
[pfefferle] joined the channel
#
@mapkyca
↩️ @nxD4n @withknown @EatPodcast Yep... disabling the public comments plugin will stop comments but webmentions will still work
(twitter.com/_/status/1051074545543720960)
jackjamieson joined the channel
#
jeremycherfas
What is openid
#
Loqi
OpenID was a protocol for using a web address as an identity to sign-in to websites; it is losing support, is effectively dead (versions 1 & 2 are both deprecated, sites are dropping support), and has been replaced on the IndieWeb with web-sign-in and IndieAuth https://indieweb.org/OpenID
#
Loqi
ok, I added "https://penguindreams.org/blog/the-decline-of-openid/" to the "See Also" section of /How_to_set_up_OpenID_on_your_own_domain https://indieweb.org/wiki/index.php?diff=52851&oldid=36080
[schmarty] joined the channel
#
[schmarty]
That doesn’t sound right, Loqi
#
Loqi
ok, I added "https://penguindreams.org/blog/the-decline-of-openid/" to the "See Also" section of /OpenID https://indieweb.org/wiki/index.php?diff=52852&oldid=49673
#
[schmarty]
Hmm. Exact capitalization worked but capitalization near-miss found a totally different page.
#
jeremycherfas
You beat me to it [schmarty] because I had to log in again in a new browser. But thanks.
#
[schmarty]
[jeremycherfas] no problem! I happened by and was intrigued by the strange Loqi behavior.
#
jeremycherfas
Yeah. Very odd.
#
aaronpk
Weird haha
#
aaronpk
a non-exact match will use the wiki search. No idea why search returned the other page
#
aaronpk
ActivityPub seems like an odd non sequitur in that article since it doesn't really have anything to do with identity or single sign-on
#
aaronpk
good post otherwise
jackjamieson, swentel and [eddie] joined the channel
#
[eddie]
I’m thinking about how my nicknames cache is built. Currently it’s just a huge yaml file on my server which is not easily editable. So I’m thinking of transitioning to having single file h-cards for each person named by their primary url
#
[eddie]
So it seems like the proper way to add contacts to that would be to receive Micropub posts that are of type h-card and when that is received to assume it is a contact
#
[eddie]
Am I missing any other uses of h-card via Micropub?
#
aaronpk
Venues
#
aaronpk
tho it's possible you may want to have those be the same anyway
#
[eddie]
That is true
#
aaronpk
cause mentioning a venue or a person isn't actually that different
#
[eddie]
It’s probably best to have them stored the same way with maybe different category tags
#
[eddie]
So if I wanted to grab just one, I could filter by tags
#
aaronpk
So far my nicknames cache has a mix of people and venues
#
GWG
What if you already have an h-card for that person in your cache?
#
aaronpk
and businesses
#
[eddie]
Hmmm, I guess Micropub hasn’t set up a case in which a post is prevented from posting because it already exists
#
[eddie]
because with normal posts you can post duplicates
#
[eddie]
I’m thinking it would need to be an http error
#
aaronpk
Or you merge the new data with the old or treat it as an update
#
[eddie]
Ohhhh that’s true
#
aaronpk
when creating h-entry posts, there isn't a field to indicate a unique identifier for the post so creates always make a new post
#
GWG
I thought it was an important thing to ask in a name or venue scenario
#
aaronpk
with h-card you may want to use the url property of the h-card as a unique identifier
#
[eddie]
So that would work, just assume if it already exists that it’s the same as if it was sent inside an update post
#
[eddie]
Yep, exactly. h-card url is definitely the unique id
#
aaronpk
but the h-card may also have multiple URLs so you need to also consider what to do in that case
#
[eddie]
Yeah, right now mine aren't stored as h-card so what I have is called a "representative url" for each person
#
[eddie]
and that has the key of the main url
#
aaronpk
That works
#
[eddie]
So I guess h-card wise that would be uid
#
[eddie]
So url can be an array and then the primary one would be also in uid
#
[eddie]
The idea is I could then add to Indigenous’ share sheet that if I’m on a page with an h-card it would have an option to “Save Card” or “Save h-card”
#
[eddie]
So if I went to aaronparecki.com, I click the share sheet and then with a tap of a button it’ll parse your h-card and embed it in a Micropub request and send it to my Micropub server
#
[eddie]
I’ll probably want to show an edit form to be able to easily add things like category or missing info
#
aaronpk
my Micropub endpoint already knows how to create h-cards so I look forward to trying that out :-)
snarfed joined the channel
#
GWG
Is there a web client that does h-card micropub?
snarfed joined the channel
#
[eddie]
Awesome aaronpk. I'm thinking, since most websites don't know how to create h-cards, that I might hide the feature behind the micropub post-types query
#
[eddie]
Because an h-card of a random person to a Micropub that doesn’t deal with h-cards differently than h-entries could end strangely lol
#
[eddie]
GWG not that I know of yet
#
[eddie]
But if this becomes a thing I think they could
#
GWG
Maybe next year will be the year of the nickname cache
#
Old_Man
What's a nickname cache?
#
KartikPrabhu
what is nickname cache
#
Loqi
A nicknames cache is a way indieweb sites store information about people to improve the user experience of the site owner referring to, mentioning, and/or linking to those people https://indieweb.org/nickname_cache
#
Old_Man
Thx
#
GWG
I have wanted to write one for a long time
#
GWG
swentel put in querying for categories in Indigenous. Looking forward to seeing that
#
GWG
And location visibility
#
GWG
swentel++
#
Loqi
swentel has 11 karma in this channel over the last year (23 in all channels)
[asuh], [pfefferle], jackjamieson and [eddie] joined the channel
#
[eddie]
Oh wow, that’s awesome!
#
[eddie]
swentel++
#
Loqi
swentel has 12 karma in this channel over the last year (24 in all channels)
#
[eddie]
It’s hard for me to even keep up with all the improvements he’s doing to Indigenous for Android
#
[eddie]
I see GitHub issues open and close all the time
#
GWG
I'm looking forward to testing it
#
AngeloGladding
what is ssrf?
#
Loqi
It looks like we don't have a page for "ssrf" yet. Would you like to create it? (Or just say "ssrf is ____", a sentence describing the term)
#
AngeloGladding
what is csrf?
#
Loqi
CSRF or Cross-Site Request Forgery is an attack that OAuth and IndieAuth clients (relying parties) need to be aware of, wherein victims unknowingly follow a link to a relying party callback URL prepared by an attacker https://indieweb.org/CSRF
#
AngeloGladding
SSRF is an attack that IndieAuth servers and Webmention receivers need to be aware of, wherein attackers abuse URL parsers to various nefarious ends.
#
AngeloGladding
SSRF >> https://youtu.be/D1S-G8rJrEk
#
AngeloGladding
SSRF << https://youtu.be/D1S-G8rJrEk
#
Loqi
ok, I added "https://youtu.be/D1S-G8rJrEk" to a brand new "See Also" section of /SSRF https://indieweb.org/wiki/index.php?diff=52856&oldid=52855
#
Loqi
ok, I added "https://github.com/fin1te/safecurl" to the "See Also" section of /SSRF https://indieweb.org/wiki/index.php?diff=52857&oldid=52856
#
Loqi
[fin1te] safecurl: SSRF Protection Library for PHP - http://safecurl.fin1te.net
#
Loqi
ok, I added "https://github.com/JordanMilne/Advocate" to the "See Also" section of /SSRF https://indieweb.org/wiki/index.php?diff=52858&oldid=52857
#
Loqi
[JordanMilne] Advocate: An SSRF-preventing wrapper around Python's requests library
#
Zegnat
Safecurl sounds a little like what I do for my webmention endpoint discovery where I never post data to any reserved IPs.
#
aaronpk
There are some notes in the webmention spec to that effect too
#
Zegnat
Though I did some improvements during IWC NYC that still haven't been merged to master.
#
Zegnat
I for one appreciated that note in the spec, aaronpk! Good reminder for implementers
#
AngeloGladding
yeah aaronpk i remember reading that note
#
AngeloGladding
my problem the other day w/ webmention testing was a bug in my own URL parser
#
AngeloGladding
i've always known there were *issues* so i've tried to enforce simplified URLs
#
Zegnat
Hmm. Looking at that safecurl code they disable cert verification and then mess with host headers. That's not the way to go. Unless you have to support old PHP and curl they should do what I show and pass the resolved IP for the domain to curl and let it handle those details itself.
#
AngeloGladding
but it seems this "New Era of SSRF" as the accompanying video demonstrates requires a second look at a single line of warning in a spec
#
Zegnat
I'll have to check that video tomorrow and see if there is anything else I could add.
#
AngeloGladding
the guy has a hard Taiwan accent and it's 50 minutes long but it's basically all relevant to IndieWeb as we sling URLs all day
#
AngeloGladding
well presented though
#
sknebel
let me dig out the link to the slides, they were fairly understandable too alone
#
AngeloGladding
^^
#
aaronpk
What about this is new?
#
AngeloGladding
his primary attack was against a GitHub webhook and it allowed for Remote Code Execution
#
AngeloGladding
unicode is messing everything up
#
AngeloGladding
but there's actually many vectors and unless you're on PHP 7.1+ (i think) you're vulnerable
#
AngeloGladding
"curl doesn't verify that the URL is 100% syntactically correct. It is instead documented to work with URLs and sort of assumes that you pass it correct input"
#
AngeloGladding
that was what the curl team had to say after they patched his first vulnerability
#
AngeloGladding
it's PHP 7.0.12 or earlier for the bug described on slide #69
#
AngeloGladding
so aaronpk you have "If a receiver chooses to display data it picks up from source, it MUST ensure that the data is encoded and/or filtered to prevent [XSS] and [CSRF] attacks." https://www.w3.org/TR/webmention/#preventing-abuse-li-3 then in https://www.w3.org/TR/webmention/#limit-access-to-protected-resources you certainly mention the core of the problem but the crux of this "new era" in SSRF is in
#
AngeloGladding
crafting abusive URLs almost akin to XSS
#
AngeloGladding
bad comparison w/ XSS, forget that -- the solutions provided in the spec are valid but i didn't fully grasp the scope of the problem when i read it at first
KartikPrabhu joined the channel