2019 has been a tough but great year. We’re now in 2020. Although we can’t quite celebrate a decade of XMPP.is, we will in 2025. I’d like to say thank you to all of you wonderful and supportive users for a great year. This server has been around for almost 5 years now and won’t be going away anytime soon. A lot of improvements were made in 2019, which can all be seen in the posts here on this site and in the GitHub repo.
I reached my donation goal of $256 (surpassed it actually at $265). This doesn’t even include the cryptocurrency donations I’ve received either! Thanks to all who donated! It means a lot to receive such awesome support. I’ve updated the donation goal for 2020 and set the same goal of $256 USD.
I run this project for fun, but it’s also something I’ve taken more seriously over the years. The fact is, XMPP.is is in use by activists around the world along with people who just want to communicate securely and privately with their friends and family. It has become important for many individuals and I intend to continue supporting it for as long as possible.
Happy New Year everyone!
Thanks to help from the Prosody developers, I applied changes to the core Prosody code which fix SNI. This in turn solves the issue with Google captcha returning an invalid response. Registrations now work once again! This time I’ll be sticking with Google captcha, as other solutions have allowed bots to register tens of thousands of accounts in a short period of time.
The changes made to fix SNI were pushed to Prosody’s trunk branch, which contains unstable code. Rather than switching entirely to Prosody trunk, I applied the code from the trunk branch only to fix SNI. If you’re curious, the changes came from hg.prosody.im/trunk/rev/d4390c427a66 and hg.prosody.im/trunk/rev/6c804b6b2ca2. The commit I made at GitHub is here as well: github.com/cryptoworld-git/xmpp.is/commit/dec09989c3164903588cf41b6e7ba4ca3eadf2c9.
I decided to make these changes because of the growing popularity of the server. I also know that the server is used by activists, journalists and people simply looking for a secure and privacy-friendly way to chat. This is very important to me, so happy chatting!
I’m sorry to inform everyone that registrations will be closed again. It feels like a roller-coaster with blog posts about registrations now. I discovered that over the past 2 days, 162,000 accounts have been registered on the server. Someone has found a way around our modified captcha code and made a script to bypass it. github.com/cryptoworld-git/mod_register_web
At this time Prosody stable does not support SNI in their HTTP library. I have enabled Google’s captcha but it will not work without SNI support from Prosody. Please see this tweet for further details: twitter.com/xmpp_is/status/1184830071644839936
ALL accounts registered within the past 2 days will be deleted. I’m very sorry for this, but I do not have the time to sort through all of the accounts (162k of them). If you’d like a new account, please contact me via email: xmpp.is/contact
Registrations are back… Yes, this is the 2nd time now. The cause of registrations breaking this time was an issue with Prosody’s HTTP library not supporting SNI. I am unsure what changed or happened exactly, as it was working fine on Debian 9. After the upgrade to Debian 10 it broke. Unfortunately the Prosody devs likely don’t have much time to work on the issue, so a generous contributor, Nathaniel Suchy, improved the default captcha. This is good because we no longer have to use Google’s captcha (privacy issue). Nathaniel obfuscated the captcha code to make it harder for bots to automatically solve. Thank you Nathaniel!
Nathaniel made numerous commits to the mod_register_web module code. Nathaniel also made some changes to our mod_register_web theme code.
Check out Nathaniel’s blog if you have time to spare!
Registrations are now back after a long period of being disabled. As you may have noticed, there was a large attack in which hundreds of thousands of accounts were registered in a couple days.
The abuser was able to bypass the terrible captcha that mod_register_web provides by default. It’s unfortunately easy to guess and as we saw, a person with enough dedication can make a script to spam register. I’ve enabled Google’s recaptcha (begrudgingly) as a workaround for now. The public and private keys for that are injected via our prosody-secrets.sh script if you’re curious. The configuration on our GitHub did not need to be updated for this. We haven’t had much time to modify the Lua of the module, but plan to in the future with our git fork of the code: github.com/cryptoworld-git/mod_register_web. If you’d like to contribute to that, we’d greatly appreciate it. If you have any questions, don’t hesitate to contact me!