Muzzled while criticizing Jive + retry to ask question to anlumo

matt wrote:

In any case, we’re not going to censor legit plugin contributions from the community

and

matt wrote:

Anyway, I’m locking this thread because it’s pointless.

Looks like Jive don’t like critical remarks:

Feedback is not limited to positive testimonials…

Oh yes, @ anlumo, as free speech is not possible anymore in the other thread, can you answer my question here? Let’s hope matt does not close this thread too, else I’ll be obliged to find another way to contact you. >:-(

So, my question was:

Seems interesting, do you know any client that already supports Jingle file transfer, so that I can test bypassing this module?

PS: As an answer to your question Matt, I do find opening eyes before it’s too late one of the best ways to spend my time. So, be aware of me :o) Also note that plain resource sponsoring doesn’t impress me. Microsoft is a sponsor of the W3C since a long time, but does this mean they helped the Web community a lot? Hope my point is clear.

Good lord. What I should really do is ban your IP address, but we try to be nice guys around here. I closed the other thread because I felt like all useful discussion was done. If anyone is really motivated to keep talking about this, go right ahead.

-Matt

Yeah, and by doing that I couldn’t get any answer to my question anymore…smart

PS: blocking my IP would be useless, not only because you would probably block a whole university network, but also because I already sometimes must (e.g. I can’t use SSH without the tool where I am now) use a tool made to bypass free speech restrictions like the Chinese censorship firewall

Message was edited by: sanderd

sanderd wrote:

Seems interesting, do you know any client that already supports Jingle file transfer, so that I can test bypassing this module?

Yes, the latest version of Google’s libjingle supports file transfer over jingle.

anlumo wrote:
sanderd wrote:

Seems interesting, do you know any client that already supports Jingle file transfer, so that I can test bypassing this module?

Yes, the latest version of Google’s libjingle supports file transfer over jingle.

Yes, but Google Talk only works with Google’s Jabber server. Do you know a client that uses Jingle file transfer and that works with other Jabber servers?

I wasn’t talking about google’s client, but libjingle. libjingle includes demo code for file transfers and allows any XMPP server to be used. (Note that I haven’t tried it myself yet, though)

Hi Sander,

I agree that closing the other thread was a bad idea of Matt as one should be able to discuss things even if they seem to be pointless for some readers.

I just wonder if you complain also about SNMP and HTTP(s) proxy servers which filter incoming viruses, malware and evil javascript code and outgoing documents for sensitive data.

XEP-0096: File Transfer contains no “Security Considerations” section while XEP-xxxx: Jingle HTTP File Transfer contains only “As with all applications that allow files to be downloaded, clients must take care to protect file recipients from potentially harmful files.” Not a single word about sending files with random information. As long as the XEPs do not really care about security one may wonder if these are serious XEPs and if serious clients and servers should support them.

If you have to manage a LAN with very vulnerable clients (running Windows) you need to take some actions to protect them, a plugin to block file transfers or to filter them will help a lot.

LG

it2000 wrote:

I just wonder if you complain also about SNMP and HTTP(s) proxy servers which filter incoming viruses, malware and evil javascript code and outgoing documents for sensitive data.

I’ve no experience with SNMP, but regarding HTTP I also think filtering is useless (IMO proxies are only useful if your goal is to limit traffic). In fact, there already are extremely easy ways to bypass such proxies. As an example, I, and a lot of other students here, use http://your-freedom.net/ to bypass the useless restrictions of my university’s restrictive firewall/proxy combination.

If you have to manage a LAN with very vulnerable clients (running Windows) you need to take some actions to protect them, a plugin to block file transfers or to filter them will help a lot.

I think it is way easier then to use clients that do not allow file transfer or of which you can disable file transfer, and forbid people to use other clients by contract. Another advantage of that approach is also that you don’t have to answer complaints from your users who say an error appears when they try to send a file.

anlumo wrote:

I wasn’t talking about google’s client, but libjingle. libjingle includes demo code for file transfers and allows any XMPP server to be used. (Note that I haven’t tried it myself yet, though)

Well, I was more thinking about a client that supports Jingle file transfer that would be usable by everyone. Do you have an idea about that?

Hi Sander,

sorry for “SNMP”, I did mean SMTP (mail).

I have no idea if your university did install client certificates within every browser and uses an HTTPS terminator within the proxy - this way one can log all outgoing requests and make sure that the HTTP CONNECT method is used only to tunnel HTTP traffic and not to build a VPN tunnel. This works very good to filter encrypted traffic. So anonymous surfing it is just a mystery if the right proxy servers are used. Of course one may still be able to connect to a freedom.net-server but the proxy admin may have useful log files.

Using clients which do not allow file transfer is not really an option as there are always users who install random software or even malware on their computer. This malware could use XMPP to send out files (I did never hear of one so far). So from my point of view such a plugin is very useful for private xmpp server with a privacy policy which does not allow file transfers but I can’t recommend it for public servers. I’m quite sure that also JiveSoftware does not want to see public servers with this plugin.

As no one can control who uses this plugin I wonder if it would help if this plugin would add a disco#no-filetransfer to query requests so every client can check whether the server blocks standard file transfer methods.

LG

it2000 wrote:

sorry for “SNMP”, I did mean SMTP (mail).

ok, simple answer to that: webmail

I have no idea if your university did install client certificates within every browser and uses an HTTPS terminator within the proxy - this way one can log all outgoing requests and make sure that the HTTP CONNECT method is used only to tunnel HTTP traffic and not to build a VPN tunnel. This works very good to filter encrypted traffic. So anonymous surfing it is just a mystery if the right proxy servers are used. Of course one may still be able to connect to a freedom.net-server but the proxy admin may have useful log files.

Tools like your-freedom (can) encrypt the traffic so that it looks like normal HTTPS traffic on port 443…blocking this kind of traffic would mean websites like web banking and Internet shops will not work anymore, and I guess there are less instances that can afford it that these services does not work anymore.

Using clients which do not allow file transfer is not really an option as there are always users who install random software or even malware on their computer.

That’s why you should forbid that, and/or why you should make installing new software impossible.

This malware could use XMPP to send out files (I did never hear of one so far). So from my point of view such a plugin is very useful for private xmpp server with a privacy policy which does not allow file transfers but I can’t recommend it for public servers. I’m quite sure that also JiveSoftware does not want to see public servers with this plugin.

I guess this malware would be smart enough to use a public server without such restriction. Also, most malware does not like to depend on (semi) centralised services like Jabber, and they probably don’t like to depend on XML.

Oh please. You were being extremely hostile over a completely optional, 3rd-party feature which can only affect you if you go out of your way to install it. Maybe you should look up evil. I’d have deleted the whole thread.

Drop the threatening attitude and you’ll most likely get some helpful responses.

bemace wrote:

Oh please. You were being extremely hostile over a completely optional, 3rd-party feature which can only affect you if you go out of your way to install it.

I don’t see it as a feature; I see it as a threat for something I adore: the Jabber community. HTH to understand why my criticism was (and is) so loud and without compromises.

Maybe you should look up evil. I’d have deleted the whole thread.

Well, if that wouldn’t be evil… (deleting is IMO only allowed for spam and illegal things, not for criticism…see also the subject of this thread)

sanderd wrote:

Tools like your-freedom (can) encrypt the traffic so that it looks like normal HTTPS traffic on port 443…blocking this kind of traffic would mean websites like web banking and Internet shops will not work anymore, and I guess there are less instances that can afford it that these services does not work anymore.

Hi Sander,

believe me that there is a big difference between web traffic and other traffic using port 443.

Clients use “HTTP CONNECT” to create an SSL session.

Browsers use always requests like “GET / HTTP1.0” as web servers do understand only HTTP(s), otherwise you would have a problem to click links on your banking home page.

Clients which just want to tunnel data don’t use HTTP but TCP within the encrypted SSL channel. It’s of course not so hard to convert TCP data to HTTP data, but if one does this then one can also encrypt it and use a normal proxy.

LG
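
The distinction drawn in the post above, between browsers that speak HTTP inside the SSL session and clients that push raw TCP through it, is something a TLS-terminating proxy can check on the first decrypted bytes of each CONNECT tunnel. The following is an added example, not code from any participant in this thread; the function names, hosts and log records are constructed for illustration, and it assumes the proxy already hands over the first client bytes after termination.

```python
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.0|1.1 (CR)LF
REQUEST_LINE = re.compile(rb"[A-Z]{3,10} [\x21-\x7e]+ HTTP/1\.[01]\r?\n")
# Fixed client preface that opens every HTTP/2 connection
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def classify_tunnel(first_bytes: bytes) -> str:
    """Classify the first decrypted client bytes of a CONNECT tunnel."""
    if not first_bytes:
        return "empty"
    if first_bytes.startswith(HTTP2_PREFACE) or REQUEST_LINE.match(first_bytes):
        return "http"
    # Printable text with no line end yet may be a request line split
    # across reads: wait for more data instead of raising an alert.
    printable = all(0x20 <= b <= 0x7E for b in first_bytes)
    if printable and b"\n" not in first_bytes:
        return "incomplete"
    return "non-http"


# Constructed sample records: (client, CONNECT target, first decrypted bytes)
SAMPLE_LOG = [
    ("10.0.0.5", "bank.example:443", b"GET / HTTP/1.0\r\n\r\n"),
    ("10.0.0.6", "shop.example:443", HTTP2_PREFACE),
    ("10.0.0.7", "mail.example:443", b"POST /login HTT"),
    ("10.0.0.9", "relay.example:443", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.12", "vpn.example:443", b"\x00\x00\x01\x2c\x0a\x14"),
]


def flag_non_http(log):
    """Return (client, target) for tunnels whose payload is not HTTP."""
    return [(c, t) for c, t, data in log if classify_tunnel(data) == "non-http"]


if __name__ == "__main__":
    for client, target in flag_non_http(SAMPLE_LOG):
        print(f"non-HTTP payload inside CONNECT: {client} -> {target}")
```

As the post itself notes, traffic that has been converted to well-formed HTTP passes this check, so it only separates raw TCP tunnels from web traffic.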