Gof's weblog - Commentaires
http://blog.bepointbe.be/index.php/
fr2007-04-02T13:23:25+02:00daily12007-04-02T13:23:25+02:00trackback - mod_otr: Man in the midle for OTR (module for ejabberd) - anothr user
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c388
2007-04-02T13:23:25+02:00anothr userAnothr feed track -Planet JabberFR
One new subscriber from Anothr Alerts:...
Anothr feed track -Planet JabberFR
One new subscriber from Anothr Alerts:
]]>mod_otr: Man in the midle for OTR (module for ejabberd) - berkus
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c387
2007-04-01T14:39:26+02:00berkusOTR is called so for a reason - Off the record means "Do not record anything".
Why would you ever need to store these messages?...OTR is called so for a reason - Off the record means "Do not record anything".
Why would you ever need to store these messages?]]>mod_otr: Man in the midle for OTR (module for ejabberd) - Thomas Zander
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c386
2007-03-30T19:34:44+02:00Thomas ZanderGof wrote;
"PGP encryption doesn't suffer from this problem, but PGP encryption is not user friendly (you need to create your private key, and share it)"
Very true. One thing that would go a long way to making this more user friendly is to increase support in apps like kopete (and...Gof wrote;
"PGP encryption doesn't suffer from this problem, but PGP encryption is not user friendly (you need to create your private key, and share it)"
Very true. One thing that would go a long way to making this more user friendly is to increase support in apps like kopete (and KMail etc). Things like having a remote client ask for the public key and then sending it automatically is one thing. This, naturally, should happen without user interaction.
The only hard part left, then, is to ask the user to do the real checking that the key belongs to the remote user. Without it you can locally sign, or just not sign, and send the messages encrypted.
But the basic personal identity v.s. the server identity that gpg imposes already goes a long way in ensuring better security.
In short; I'm convinced if we automate a lot of the hard part of gpg we can let a larger group of people enjoy its features.]]>mod_otr: Man in the midle for OTR (module for ejabberd) - ian paterson
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c385
2007-03-30T15:21:25+02:00ian patersonHi Olivier,
First of all, congratulations! I think it is really really cool that you implemented this module and made it available. It will help raise consciousness regarding security issues. Thank you.
Regarding your doubts about the value of e2e... Do you check the fingerprint whenever you...Hi Olivier,
First of all, congratulations! I think it is really really cool that you implemented this module and made it available. It will help raise consciousness regarding security issues. Thank you.
Regarding your doubts about the value of e2e... Do you check the fingerprint whenever you use SSH for the first time with a server? Assuming you don't (since most people don't), do you believe SSH offers you more security than telnet? Do you assign any value to that security? Assuming you do, why is e2e different?
Security is not free. Even with e2e it is perfectly possible to archive messages on your server in a way that is 100% transparent to the user. Your client could even send the e2e decryption keys to your server to allow it to archive automatically (that way you are still protected against a compromise of your contact's server). Alternatively your client can push the decrypted messages back to the server (probably re-encrypted using xmlenc). Security is not free.
BTW, assuming OTR caches contact's public keys, your MITM module will have to be present from the very first communication between the two clients (just as with SSH).
"All the proposals of an easy to use e2e encryption suffer from the same problem."
ESessions employs Short Authentication String (SAS). This is an authentication technique which (although it is still not transparent) is a much more human friendly method than public key fingerprint comparison.]]>mod_otr: Man in the midle for OTR (module for ejabberd) - steve
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c384
2007-03-30T14:25:42+02:00steveYou can digg this: digg.com/security/Man_in_......You can digg this: digg.com/security/Man_in_...]]>mod_otr: Man in the midle for OTR (module for ejabberd) - Nÿco
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c383
2007-03-30T09:38:59+02:00NÿcoThe OpenPGP usage in IMP is not that good:
www.xmpp.org/extensions/x......The OpenPGP usage in IMP is not that good: www.xmpp.org/extensions/x...]]>mod_otr: Man in the midle for OTR (module for ejabberd) - Gof
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c382
2007-03-30T09:28:56+02:00GofYou can't store OTR messages, because a key session is used, and the key session is not stored
PGP encryption doesn't suffer from this problem, but PGP encryption is not user friendly (you need to create your private key, and share it)...You can't store OTR messages, because a key session is used, and the key session is not stored
PGP encryption doesn't suffer from this problem, but PGP encryption is not user friendly (you need to create your private key, and share it) ]]>mod_otr: Man in the midle for OTR (module for ejabberd) - Thomas Zander
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c381
2007-03-30T09:06:52+02:00Thomas ZanderDoesn't kopete already support gpg encryption? Thats the best e2e kind of encryption possible (since its based on a personal identity, not a server identity) and you can store things on the server without problems. Storing on server works since you just use your own private key to decrypt stuff...Doesn't kopete already support gpg encryption? Thats the best e2e kind of encryption possible (since its based on a personal identity, not a server identity) and you can store things on the server without problems. Storing on server works since you just use your own private key to decrypt stuff locally.
Wondering.]]>mod_otr: Man in the midle for OTR (module for ejabberd) - ole
http://blog.bepointbe.be/index.php/2007/03/29/20-mod_otr#c380
2007-03-29T19:00:51+02:00oleyou can store the history on the server encrpyted , and if the user wants to see the messages he has the key....you can store the history on the server encrpyted , and if the user wants to see the messages he has the key.]]>