20 Jun
2025
20 Jun
'25
4:09 a.m.
Good day.
I would want to discuss the possibility and best practice of creating
server-side modules that would copy BoB data (XEP-0231: Bits of Binary)
to own server in order to avoid exposure of IP address of the receiver.
Kind regards,
Schimon
20 Jun
20 Jun
6:56 a.m.
My client requests the data from your client:
<iq type='get' from='teddsterr(a)teddste.rr/b21e986c'
to='schimon(a)schim.on/a1c0fcb9'
id='213ff41b010008fc04d39795c0cde8b980839dc1'>
<data xmlns='urn:xmpp:bob'
cid='sha1+4e213cc5338c048171253fa49654b664ae50a6ed(a)bob.xmpp.org'/>
</iq>
This is sent: my client → my server → your server → your client — no IP address is
included.
Your client then replies with the requested data:
<iq type='result' from='schimon(a)schim.on/a1c0fcb9'
to='teddsterr(a)teddste.rr/b21e986c'
id='dd3552c1a3d4f05f8f22a8497d5c8a6d59d9bb4c'>
<data xmlns='urn:xmpp:bob'
cid='sha1+4e213cc5338c048171253fa49654b664ae50a6ed(a)bob.xmpp.org'
type='image/png'>
iVBORw0KGgoAAAANSUhEUgAAALQAAAB4AQMAAABhKUq+AAAABlBMVEXHSwoYDRfNXBe9AAACOUlEQVRI
x9XTsWsTURwH8N/1AsmWgA4OSkZHCx51KX24uZT+CaFDcXSwrUvgpQ46WDqLiC4dBadOStOrc+hBEAVN
L6XDDRIMBnlH8+59HS6X5N29gwSK2jc9Pvz4vd/v994jilcVANCn9LosZ//Uw//J35pdLZhd0ntjXwFZ
Rv9BhK7hXvbIMvq7EnGTL5csbrrf1ysWkwaXDyyOjPMhXrgMRym2AIUzninIBjA8YpnGygBOKTugKvD7
jQ2kCwKAjyzjHAA+KEBlTm1CIO0MAISIuO42AAUIAEgXqYDgM9c9fgsIGimPGecNprk98mPS85djjo5J
z8NH8U9tLd5C4juaF0fcXNC9nMTbrubVEUvbNvtjPQ9LnNtmr+b4jScAGpm2IgyAqQeUlCmpCEweUNKu
kqXn0z9vPIb6ShkA7JCI5FSe+q0aAPhoEFNT5x7SYbzp2gBRmNR5ShHGq0tqPDdLTLxP2En2LjQfJPtP
uhvXLO7n+E+zD0XTHB/k5BFz1mM8d4horjzRvHPg8eebOd4HMLyU+c/nYlKuIV7dyfHbZpd5/tDs4UmO
+2a/yOnrVY7v5nj5r8/5qvqzxfUgPGGD+07V3avw3QovXDtzKrT0shVc1PivVcdv7bex34YzaF33aPnr
OQZrLFx1fHdpEY6Hwt1WoUL1m1HQr/Gos8k6xS8o3MOW6Gx4dPC9F4g1LnsHfme7ja02NkVv27tSc+uv
S48bPGzJdo57pjyyE/mmeNlT3x7NVs8fP1tbi8CsEKUAAAAASUVORK5CYII=
</data>
</iq>
This is sent: your client → your server → my server → my client — no IP address is
included.
8:08 a.m.
New subject: Enhancing privacy for HTTP File Upload (XEP-0363)
Tedd. Good afternoon.
Yes. You are correct. I neglected it.
I meant to XEP-0363: HTTP File Upload.
Sorry for the confusion.
Schimon
On Fri, 20 Jun 2025 12:56:04 +0000
Tedd Sterr <teddsterr(a)outlook.com> wrote:
My client requests the data from your client:
<iq type='get' from='teddsterr(a)teddste.rr/b21e986c'
to='schimon(a)schim.on/a1c0fcb9'
id='213ff41b010008fc04d39795c0cde8b980839dc1'> <data
xmlns='urn:xmpp:bob'
cid='sha1+4e213cc5338c048171253fa49654b664ae50a6ed(a)bob.xmpp.org'/>
</iq>
This is sent: my client → my server → your server → your client — no
IP address is included.
Your client then replies with the requested data:
<iq type='result' from='schimon(a)schim.on/a1c0fcb9'
to='teddsterr(a)teddste.rr/b21e986c'
id='dd3552c1a3d4f05f8f22a8497d5c8a6d59d9bb4c'> <data
xmlns='urn:xmpp:bob'
cid='sha1+4e213cc5338c048171253fa49654b664ae50a6ed(a)bob.xmpp.org'
type='image/png'>
iVBORw0KGgoAAAANSUhEUgAAALQAAAB4AQMAAABhKUq+AAAABlBMVEXHSwoYDRfNXBe9AAACOUlEQVRI
x9XTsWsTURwH8N/1AsmWgA4OSkZHCx51KX24uZT+CaFDcXSwrUvgpQ46WDqLiC4dBadOStOrc+hBEAVN
L6XDDRIMBnlH8+59HS6X5N29gwSK2jc9Pvz4vd/v994jilcVANCn9LosZ//Uw//J35pdLZhd0ntjXwFZ
Rv9BhK7hXvbIMvq7EnGTL5csbrrf1ysWkwaXDyyOjPMhXrgMRym2AIUzninIBjA8YpnGygBOKTugKvD7
jQ2kCwKAjyzjHAA+KEBlTm1CIO0MAISIuO42AAUIAEgXqYDgM9c9fgsIGimPGecNprk98mPS85djjo5J
z8NH8U9tLd5C4juaF0fcXNC9nMTbrubVEUvbNvtjPQ9LnNtmr+b4jScAGpm2IgyAqQeUlCmpCEweUNKu
kqXn0z9vPIb6ShkA7JCI5FSe+q0aAPhoEFNT5x7SYbzp2gBRmNR5ShHGq0tqPDdLTLxP2En2LjQfJPtP
uhvXLO7n+E+zD0XTHB/k5BFz1mM8d4horjzRvHPg8eebOd4HMLyU+c/nYlKuIV7dyfHbZpd5/tDs4UmO
+2a/yOnrVY7v5nj5r8/5qvqzxfUgPGGD+07V3avw3QovXDtzKrT0shVc1PivVcdv7bex34YzaF33aPnr
OQZrLFx1fHdpEY6Hwt1WoUL1m1HQr/Gos8k6xS8o3MOW6Gx4dPC9F4g1LnsHfme7ja02NkVv27tSc+uv
S48bPGzJdo57pjyyE/mmeNlT3x7NVs8fP1tbi8CsEKUAAAAASUVORK5CYII= </data>
</iq>
This is sent: your client → your server → my server → my client — no
IP address is included.
9:57 a.m.
New subject: Enhancing privacy for HTTP File Upload (XEP-0363)
Le vendredi 20 juin 2025, 16:08:40 heure d’été d’Europe centrale Schimon
Jehudah a écrit :
Tedd. Good afternoon.
Yes. You are correct. I neglected it.
I meant to XEP-0363: HTTP File Upload.
Sorry for the confusion.
Schimon
For HTTP Upload, the service is usually on your XMPP server, when you send an
email, only the HTTP Upload (most of time same machine as your server) knows
your IP, and the recipient get the IP of the HTTP Upload Service. If the IP of
your server is not secret (in most case, it isn't, you would need something
like TOR to hide it), there is nothing to worry about.
When you get a file though, the HTTP Upload service of your recipient gets your
IP.
The other issue is when you receive a file/image from some random domain, in
this case the simplest option is to use a proxy which will get the file for
you.
A specification to indicate to XMPP clients where to find a proxy would be nice,
it has already been talked about in the past.
For the record, it's one of the thing that is on my TODO list if nobody does
it before (but low on my TODO list).
Best,
Goffi
11:06 a.m.
New subject: Enhancing privacy for HTTP File Upload (XEP-0363)
On Fri, 20 Jun 2025 at 16:58, Goffi <goffi(a)goffi.org> wrote:
When you get a file though, the HTTP Upload service of
your recipient gets your
IP.
The other issue is when you receive a file/image from some random domain, in
this case the simplest option is to use a proxy which will get the file for
you.
A specification to indicate to XMPP clients where to find a proxy would be nice,
it has already been talked about in the past.
The specification already exists - https://xmpp.org/extensions/xep-0215.html
Currently the XEP is well known for being the way to discover
STUN/TURN services offered by your server. It's actually generic
though, and is the perfect place to advertise a proxy service (with
associated credentials).
I plan to include such a proxy in Snikket at some point. In the
meantime, if any client devs are interested in working on this then
I'm happy to set up a test Prosody instance that advertises such a
proxy.
Regards,
Matthew
11:42 a.m.
New subject: Enhancing privacy for HTTP File Upload (XEP-0363)
Hi Matthew, I'm interested.
-tmolitor
Am 20. Juni 2025 19:06:55 MESZ schrieb Matthew Wild <mwild1(a)gmail.com>om>:
On Fri, 20 Jun 2025 at 16:58, Goffi
<goffi(a)goffi.org> wrote:
When you get a file though, the HTTP Upload
service of your recipient gets your
IP.
The other issue is when you receive a file/image from some random domain, in
this case the simplest option is to use a proxy which will get the file for
you.
A specification to indicate to XMPP clients where to find a proxy would be nice,
it has already been talked about in the past.
The specification already exists - https://xmpp.org/extensions/xep-0215.html
Currently the XEP is well known for being the way to discover
STUN/TURN services offered by your server. It's actually generic
though, and is the perfect place to advertise a proxy service (with
associated credentials).
I plan to include such a proxy in Snikket at some point. In the
meantime, if any client devs are interested in working on this then
I'm happy to set up a test Prosody instance that advertises such a
proxy.
Regards,
Matthew
_______________________________________________
Standards mailing list -- standards(a)xmpp.org
To unsubscribe send an email to standards-leave(a)xmpp.org
22 Jun
22 Jun
2:16 a.m.
New subject: Enhancing privacy for HTTP File Upload (XEP-0363)
On Fri, 20 Jun 2025 18:06:55 +0100
Matthew Wild <mwild1(a)gmail.com> wrote:
On Fri, 20 Jun 2025 at 16:58, Goffi
<goffi(a)goffi.org> wrote:
Could XEP-0215 proxify data which was sent via HTTP file upload?
Best,
Schimon
When you get a file though, the HTTP Upload
service of your
recipient gets your IP.
The other issue is when you receive a file/image from some random
domain, in this case the simplest option is to use a proxy which
will get the file for you.
A specification to indicate to XMPP clients where to find a proxy
would be nice, it has already been talked about in the past.
The specification already exists -
https://xmpp.org/extensions/xep-0215.html
Currently the XEP is well known for being the way to discover
STUN/TURN services offered by your server. It's actually generic
though, and is the perfect place to advertise a proxy service (with
associated credentials).
I plan to include such a proxy in Snikket at some point. In the
meantime, if any client devs are interested in working on this then
I'm happy to set up a test Prosody instance that advertises such a
proxy.
2:46 a.m.
New subject: Enhancing privacy for HTTP File Upload (XEP-0363)
I wonder if there is room here for the proxy to cache the data that is
transmitted. That way, the total amount of data that is transferred between
domains (when more than one person is to receive the data) could be
drastically reduced. That is useful in certain scenarios.
- Guus
Op zo 22 jun 2025 10:17 schreef Schimon Jehudah <sch(a)fedora.email>il>:
On Fri, 20 Jun 2025 18:06:55 +0100
Matthew Wild <mwild1(a)gmail.com> wrote:
On Fri, 20 Jun 2025 at 16:58, Goffi
<goffi(a)goffi.org> wrote:
Could XEP-0215 proxify data which was sent via HTTP file upload?
Best,
Schimon
_______________________________________________
Standards mailing list -- standards(a)xmpp.org
To unsubscribe send an email to standards-leave(a)xmpp.org
When you get a file though, the HTTP Upload
service of your
recipient gets your IP.
The other issue is when you receive a file/image from some random
domain, in this case the simplest option is to use a proxy which
will get the file for you.
A specification to indicate to XMPP clients where to find a proxy
would be nice, it has already been talked about in the past.
The specification already exists -
https://xmpp.org/extensions/xep-0215.html
Currently the XEP is well known for being the way to discover
STUN/TURN services offered by your server. It's actually generic
though, and is the perfect place to advertise a proxy service (with
associated credentials).
I plan to include such a proxy in Snikket at some point. In the
meantime, if any client devs are interested in working on this then
I'm happy to set up a test Prosody instance that advertises such a
proxy.
20 Jun
20 Jun
11:15 a.m.
New subject: Enhancing privacy for HTTP File Upload (XEP-0363)
Le vendredi 20 juin 2025, 17:57:54 heure d’été d’Europe centrale Goffi a écrit :
Le vendredi 20 juin 2025, 16:08:40 heure d’été
d’Europe centrale Schimon
Jehudah a écrit :
"When you send a file*" of course. Sorry, end-of-week.
Tedd. Good afternoon.
Yes. You are correct. I neglected it.
I meant to XEP-0363: HTTP File Upload.
Sorry for the confusion.
Schimon
For HTTP Upload, the service is usually on your XMPP server, when you send an
email, only the HTTP Upload (most of time same machine as
your server) knows
your IP, and the recipient get the IP of the HTTP Upload Service. If the IP of
your server is not secret (in most case, it isn't, you would need something
like TOR to hide it), there is nothing to worry about.
When you get a file though, the HTTP Upload service of your recipient gets your
IP.
The other issue is when you receive a file/image from some random domain, in
this case the simplest option is to use a proxy which will get the file for
you.
A specification to indicate to XMPP clients where to find a proxy would be nice,
it has already been talked about in the past.
For the record, it's one of the thing that is on my TODO list if nobody does
it before (but low on my TODO list).
Best,
Goffi
0
days inactive
2
days old
8 comments
6 participants
participants (6)
-
Goffi -
Guus der Kinderen -
Matthew Wild -
Schimon Jehudah -
Tedd Sterr -
Thilo Molitor