mod_otr: Man in the midle for OTR (module for ejabberd)

jeudi 29 mars 2007 à 17:47 :: #20 :: rss

In the jabber world, almost every connection between different entities (clients and servers) are encrypted using TLS. But some people claim that it's not enough, because the server can still read the messages. The solution, for paranoic people that can't trust their server, is to use end to end (e2e) encryption, such as OTR.

OTR (for Off The Record messaging) is a protocol that make the e2e encryption easy. But it is vulnerable to the man in the middle attack, specially because the server can read and modify all messages. To prevent against this attack, user must check carefully the peer's fingerprint using another media, but honestly, who does that ?

Recently, Michael Zanetti announced he was working on an implementation of OTR for Kopete.
I have now a working implementation of OTR on the hand. And I decided to break it

That's why I wrote mod_otr . It is a module for ejabberd, which do the man in the middle attack at server level. It will intercept message and decrypt them. It can be used in combination with the mod_logmnesia module which log all messages.

The problem I have with e2e encryption is that it make impossible some other desirable feature such as automatic message history on the server. ^[1] All the proposals of an easy to use e2e encryption suffer from the same problem. The lambda user don't really care about privacy, so they will never check their fingerprints.

Download

The source code of mod_otr is there:
http://bepointbe.be/files/mod_otr-20070329.tar.gz

The instructions about how to install are in the README file

Notes

[1] for which i have made an implementation, see mod_archive

Commentaires

1. Commentaire de ole

Le jeudi 29 mars 2007 à 19:00

you can store the history on the server encrpyted , and if the user wants to see the messages he has the key.

2. Commentaire de Thomas Zander

Le vendredi 30 mars 2007 à 09:06

Doesn't kopete already support gpg encryption? Thats the best e2e kind of encryption possible (since its based on a personal identity, not a server identity) and you can store things on the server without problems. Storing on server works since you just use your own private key to decrypt stuff locally.

Wondering.

3. Commentaire de Gof

Le vendredi 30 mars 2007 à 09:28

You can't store OTR messages, because a key session is used, and the key session is not stored

PGP encryption doesn't suffer from this problem, but PGP encryption is not user friendly (you need to create your private key, and share it)

4. Commentaire de Nÿco

Le vendredi 30 mars 2007 à 09:38

The OpenPGP usage in IMP is not that good:
www.xmpp.org/extensions/x...

5. Commentaire de steve

Le vendredi 30 mars 2007 à 14:25

You can digg this: digg.com/security/Man_in_...

6. Commentaire de ian paterson

Le vendredi 30 mars 2007 à 15:21

Hi Olivier,

First of all, congratulations! I think it is really really cool that you implemented this module and made it available. It will help raise consciousness regarding security issues. Thank you.

Regarding your doubts about the value of e2e... Do you check the fingerprint whenever you use SSH for the first time with a server? Assuming you don't (since most people don't), do you believe SSH offers you more security than telnet? Do you assign any value to that security? Assuming you do, why is e2e different?

Security is not free. Even with e2e it is perfectly possible to archive messages on your server in a way that is 100% transparent to the user. Your client could even send the e2e decryption keys to your server to allow it to archive automatically (that way you are still protected against a compromise of your contact's server). Alternatively your client can push the decrypted messages back to the server (probably re-encrypted using xmlenc). Security is not free.

BTW, assuming OTR caches contact's public keys, your MITM module will have to be present from the very first communication between the two clients (just as with SSH).

"All the proposals of an easy to use e2e encryption suffer from the same problem."

ESessions employs Short Authentication String (SAS). This is an authentication technique which (although it is still not transparent) is a much more human friendly method than public key fingerprint comparison.

7. Commentaire de Thomas Zander

Le vendredi 30 mars 2007 à 19:34

Gof wrote;
"PGP encryption doesn't suffer from this problem, but PGP encryption is not user friendly (you need to create your private key, and share it)"

Very true. One thing that would go a long way to making this more user friendly is to increase support in apps like kopete (and KMail etc). Things like having a remote client ask for the public key and then sending it automatically is one thing. This, naturally, should happen without user interaction.
The only hard part left, then, is to ask the user to do the real checking that the key belongs to the remote user. Without it you can locally sign, or just not sign, and send the messages encrypted.

But the basic personal identity v.s. the server identity that gpg imposes already goes a long way in ensuring better security.

In short; I'm convinced if we automate a lot of the hard part of gpg we can let a larger group of people enjoy its features.

8. Commentaire de berkus

Le dimanche 1 avril 2007 à 14:39