Thread: Re: Off-the-Record messaging for Psi




Re: Off-the-Record messaging for Psi
United Kingdom
2007-10-08 08:38:49
On 8 Oct 2007, at 14:31, Timo Engel wrote:
>> Is that exposed in this plugin? I've not noticed any client
>> presenting keys for oob verification before (in fact, Psi is one of
>> the relatively few clients that does SSL cert checking).
>
> The OTR-Plugins for Psi and Gaim store a list of known fingerprints. If a
> contact requests a secure OTR-connection with a different fingerprint (e.g. in
> case of a man-in-the-middle attack) a warning is shown to the user.

I take it back and apologise then.

/K
_______________________________________________
Psi-Devel mailing list
Psi-Devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affinix.com

Re: Off-the-Record messaging for Psi
United Kingdom
2007-10-15 01:19:19
On 8 Oct 2007, at 14:38, Kevin Smith wrote:
> On 8 Oct 2007, at 14:31, Timo Engel wrote:
>> The OTR-Plugins for Psi and Gaim store a list of known fingerprints. If a
>> contact requests a secure OTR-connection with a different fingerprint (e.g. in
>> case of a man-in-the-middle attack) a warning is shown to the user.
> I take it back and apologise then.

I've now had several people mail me out of band to say I'm not wrong,
so we should probably clarify.

If these fingerprints are stored automatically then it's worthless,
because it's susceptible to MITM (which was my original belief).

If these fingerprints are stored manually after out of band
verification then it's secure.

/K
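
The two storage policies contrasted in the message above, modelled as an added example (not code from this thread or from the Psi or Gaim OTR plugins). The `FingerprintStore` class, the contact address and both fingerprint strings are constructed for illustration.

```python
from enum import Enum

class Status(Enum):
    TRUSTED = "trusted"        # fingerprint is on record as trusted
    UNVERIFIED = "unverified"  # seen, but never confirmed by the user
    MISMATCH = "mismatch"      # differs from a trusted fingerprint: warn

class FingerprintStore:
    """Hypothetical per-contact list of known fingerprints."""

    def __init__(self, auto_store):
        self.auto_store = auto_store  # True: trust whatever is seen first
        self.known = {}               # contact -> {fingerprint: trusted?}

    def check(self, contact, fp):
        seen = self.known.setdefault(contact, {})
        if seen.get(fp):
            return Status.TRUSTED
        if any(seen.values()):
            return Status.MISMATCH
        # Nothing trusted yet for this contact: policy decides what happens.
        seen[fp] = self.auto_store
        return Status.TRUSTED if self.auto_store else Status.UNVERIFIED

    def verify(self, contact, fp):
        """Record that the user compared fp with the contact out of band."""
        self.known.setdefault(contact, {})[fp] = True

CONTACT = "alice@example.org"                # constructed
MITM_FP = "AAAA1111 BBBB2222 CCCC3333"       # constructed, key seen on first contact
GENUINE_FP = "DDDD4444 EEEE5555 FFFF6666"    # constructed, the contact's real key

def first_contact_intercepted(store):
    """Three sessions in order: interposed key, interposed key, genuine key."""
    return [store.check(CONTACT, fp) for fp in (MITM_FP, MITM_FP, GENUINE_FP)]

def run_policies():
    auto = first_contact_intercepted(FingerprintStore(auto_store=True))
    manual = first_contact_intercepted(FingerprintStore(auto_store=False))
    verified_store = FingerprintStore(auto_store=False)
    verified_store.verify(CONTACT, GENUINE_FP)
    verified = first_contact_intercepted(verified_store)
    return auto, manual, verified

if __name__ == "__main__":
    for name, result in zip(("auto", "manual", "manual+oob"), run_policies()):
        print(name, [s.value for s in result])
```

With automatic storage the interposed key is accepted silently and the warning fires only when the genuine key finally appears; with manual storage nothing is trusted until `verify` has been called.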
