
Thread: Re: Off-the-Record messaging for Psi




Re: Off-the-Record messaging for Psi
United Kingdom
2007-10-08 04:11:19
On 17 Aug 2007, at 00:56, Hal Rottenberg wrote:
> On 8/16/07, Raffael <rjr84student.canterbury.ac.nz> wrote:
>> Will this patch be included into the .11 release? Or is it already
>> part of the nightly (OSX) builds?
>
> We're feature frozen for 0.11, just bugfixes go in. When 0.11 is
> released, then this would be under consideration by Kev & the devs.

Sadly, using OTR in this way doesn't add very much security: if c2s
and s2s streams are encrypted anyway the only thing that end to end
encryption, like OTR, provides is protection against a malicious or
compromised server. OTR doesn't provide protection against this
(indeed, there's even an ejabberd module to automatically log
decrypted OTR messages) because there is no out-of-band verification.
If security isn't important, you could send it plain-text, and if it
is important OTR won't provide it, sadly.

Best,
/K
_______________________________________________
Psi-Devel mailing list
Psi-Devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affinix.com

Re: Off-the-Record messaging for Psi
2007-10-08 06:24:39
On 10/8/07, Kevin Smith <kevinkismith.co.uk> wrote:
> If security isn't important, you could send it plain-text, and if it
> is important OTR won't provide it, sadly.

Any activity from the XMPP Council lately on this topic?

-- 
Blog: http://halr9000.com
Webmaster, Psi (http://psi-im.org)
Co-host, PowerScripting Podcast (http://powerscripting.net)

Re: Off-the-Record messaging for Psi
Germany
2007-10-08 07:00:58
On 0ct-2007 Kevin Smith wrote:
[...]
> Sadly, using OTR in this way doesn't add very much security: if c2s
> and s2s streams are encrypted anyway the only thing that end to end
> encryption, like OTR, provides is protection against a malicious or
> compromised server. OTR doesn't provide protection against this
> (indeed, there's even an ejabberd module to automatically log
> decrypted OTR messages) because there is no out-of-band verification.
> If security isn't important, you could send it plain-text, and if it
> is important OTR won't provide it, sadly.

OTR uses authentication with DSA keys. You can be sure there is no
man-in-the-middle attack. Of course, you have to verify the
fingerprints of the public keys. With other encryption protocols it's
the same problem.


timo.
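
The fingerprint check both posters refer to, as an added example that is not part of the thread or of the Psi patch: it derives an OTR-style fingerprint from a DSA public key and compares it with a value obtained out of band. It assumes the serialization in the OTR protocol specification for DSA keys (SHA-1 over p, q, g, y as length-prefixed MPIs, key-type bytes omitted); the function names and the toy key values are constructed for illustration.

```python
import hashlib
import hmac


def mpi(n: int) -> bytes:
    """OTR MPI: 4-byte big-endian length, then the value without leading zero bytes."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def otr_fingerprint(p: int, q: int, g: int, y: int) -> str:
    """SHA-1 over the serialized DSA public key, shown as five groups of 8 hex digits.

    Assumption: for DSA keys (type 0x0000) the two type bytes are not hashed.
    """
    digest = hashlib.sha1(mpi(p) + mpi(q) + mpi(g) + mpi(y)).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def normalize(fp: str) -> str:
    """Strip whitespace and case so typed or read-aloud fingerprints compare equal."""
    return "".join(fp.split()).upper()


def verified(presented: str, out_of_band: str) -> bool:
    """True only if the key seen in the session matches the one confirmed out of band."""
    a, b = normalize(presented), normalize(out_of_band)
    return len(a) == 40 and hmac.compare_digest(a.encode(), b.encode())


# Constructed toy DSA parameters (far too small for real use): 4 has order 11 mod 23.
P, Q, G = 23, 11, 4
CONTACT_Y = pow(G, 3, P)   # the contact's real public key
RELAY_Y = pow(G, 5, P)     # a different key substituted by something in the path

if __name__ == "__main__":
    trusted = otr_fingerprint(P, Q, G, CONTACT_Y)  # learned in person or by phone
    for label, y in (("contact", CONTACT_Y), ("substituted", RELAY_Y)):
        seen = otr_fingerprint(P, Q, G, y)
        print(f"{label:12} {seen}  verified={verified(seen, trusted)}")
```

Without the out-of-band value there is nothing to pass as the second argument, which is the gap the first message describes.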



