Hi Adam,
Replying to this one because there's one part I haven't grokked yet:
On 23/03/13 17:04 PM, Adam Back wrote:
Was there anyone trying to use OpenPGP and/or X.509 in IM?
I mean I know many IM protocols support SSL which itself uses X.509, but
that doesnt really meaningfully encrypt the messages in a privacy sense as
they flow in the plaintext through chat server with that model.
Right. The threat is always on the node. In which I have a tiny doubt...
Now, from the combined comments of other posters I draw that the key
factor in OTR's success was that it uses some form of ADH and doesn't
use persistent public keys at all. This then allowed an immediate
startup into secure mode, and consequently a clean and usable UI.
I can see this working directly peer to peer, because (as I claim) the
threat is always on the node. But if the IM world typically mediates
its messages, or its startup keyex, via servers, this means there is one
easy place with which to conduct any MITMs -- the servers.
Are we saying then that the threat on the servers has proven so small
that in practice nobody's bothered to push a persistent key mechanism?
Or have I got this wrong, and the clients are doing p2p exchange of
their ephemeral keys, thus dispersing the risk?
btw is anyone noticing that apparently skype is both able to eavesdrop on
skype calls, now that microsoft coded themselves in a central backdoor,
this
was initially rumoured, then confirmed somewhat by a Russian police
statement [1], then confirmed by microsoft itself in its law enforcement
requests report.
Rest is gossip:
Right. For my own part, I fully expected that when Microsoft purchased
Skype in 2011, it was only a matter of time before it was backdoored.
That link [1] seems to confirm it.
(Before Skype was purchased, the intel agencies had attack kits that
would replace either Skype or OS hooks on the victim's PC. But this
involves an invasive attack on the victim's PC which could perhaps have
been prevented by someone who was paranoid enough. The new backdoor
solution is far better for the intel people.)
Now publicly disclosed law enforcement requests reports
are good thing, started by google, but clearly those requests are getting
info or they wouldnt be submitting them by the 10s of thousands.
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
75,000 skype related law enforcement requests, 137,000 accounts affectd
(each
call involving or more parties).
You have to wonder with that kind of mentality at microsoft (to
intentionally insert themselves into the calls, gratuitiously when it
supposedly wasnt previously architected to allow that under skype's watch),
what other nasties they've put in. Eg routine keyword scanning? Remote
monitoring (turn on microphone, camera?) Remote backdoor and rifling
through
files on the users computer. The source is more than closed, its coded
like
a polymorphic virus with extensive anti-reverse-engineering features it
would be rather hard to tell what all it is doing, and given the apparent
lack of end to end security, basically impossible to tell what they are
doing in their servers.
IMHO, it's not Microsoft that has ever been special in this respect. It
is all large companies that have a large invasive government.
Unfortunately, once a company has made its bed in a country, the side
deals are inevitable.
I think its past time people considered switching to another IM client, an
open source one with p2p routed traffic and/or end 2 end security,
preferably with some resilience to X.509 certificate authority based
malfeasance.
I have nothing particular to hide, but this level of aggressive, no-warrant
mass-scale fishing is not cricket. They are no doubt probably hoovering it
all up to store in those new massive Utah spook data centers in case they
want to do some post-hoc fishing also.
And clearly there are plenty of people with very legitimate reasons to
hide;
given the levels justice has stooped to do these days in their legal
treatment of activists (even green activists, anti-financial crimes,
corporate ethics activists, whistleblowers) - western countries are
slipping
backwards in terms of transparency and justice.
And people like us.
https://www.noisebridge.net/pipermail/noisebridge-discuss/2013-March/035200.html
iang
Adam
[1] http://www.itar-tass.com/en/c142/675600.html
On Sat, Mar 23, 2013 at 01:36:34PM +0000, Ben Laurie wrote:
On 23 March 2013 09:25, ianG <[email protected]> wrote:
Someone on another list asked an interesting question:
Why did OTR succeed in IM systems, where OpenPGP and x.509 did not?
Because Adium built it in?
(The reason this is interesting (to me?) is that there are not so many
instances in our field where there are open design competitions at this
level. The results of such a competition can be illuminating as to what
matters and what does not. E.g., OpenPGP v. S/MIME and SSH v. secure
telnet
are two such competitions.)
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
