On Tuesday, 6 March 2007 07:18, Volodya wrote:
> 'Authorised peer' will tell you that an was unable to connect, and then
> you know that somebody intercepted the password.

If the MITM has the ability not only to read the IP+OTP messages, but to redirect the traffic from IP-A to IP-B through his fake node, then you cannot distinguish MITM and peer. Out-of-band verification by phone, PGP or handwritten paper mail would be the best proof in that case.

> Like I said, it is *still* a one-time password, meaning that if the real user
> typed it the intruder won't be able to use it, so the intruder must do it
> before the real peer does, which will raise the alarm since that peer
> is your friend and you will be immediately informed that 'pass doesn't
> work, mate'.

Not really... the MITM could try to use both passwords immediately and fake both other sides. If you don't have out-of-band means to verify the information from the peer node, you have a connection to the wrong node and only see the forged verification.

good byte
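The scenario argued in the mail above, as an added toy model that is not code from the thread or from Freenet: two honest peers exchange one-time passwords, once directly and once through a node that simply forwards each password to the other side. The node keys, the OTP strings and the fingerprint helper are constructed for the illustration. The model shows why both peers see their password accepted in the relayed case, so no "pass doesn't work" alarm is raised, and why only an out-of-band comparison of the connected key's fingerprint against the friend's announced fingerprint tells the two cases apart.

```python
import hashlib
import secrets


def fingerprint(pubkey: bytes) -> str:
    """Short hex fingerprint of a node key: the value one would read out by phone or sign with PGP."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class Peer:
    """An honest node that knows the OTP it must present and the OTP it expects from its friend."""

    def __init__(self, name: str, otp_to_send: str, otp_expected: str):
        self.name = name
        # Constructed stand-in for the node's real public key.
        self.key = secrets.token_bytes(32)
        self.otp_to_send = otp_to_send
        self.otp_expected = otp_expected
        self.seen_peer_key = None  # key of whoever is actually on the other end of the connection
        self.auth_ok = None

    def receive(self, otp: str, sender_key: bytes) -> bool:
        """Check an incoming OTP; the expected value is burned after one use."""
        self.seen_peer_key = sender_key
        self.auth_ok = self.otp_expected is not None and otp == self.otp_expected
        self.otp_expected = None
        return self.auth_ok


def direct_session(a: Peer, b: Peer) -> None:
    """A and B talk to each other directly; each sees the other's real key."""
    b.receive(a.otp_to_send, a.key)
    a.receive(b.otp_to_send, b.key)


def relayed_session(a: Peer, b: Peer) -> None:
    """A node in the middle holds one connection to each side and forwards each OTP
    unchanged, so each OTP is consumed exactly once and neither friend is told
    'pass doesn't work'. Each side is, however, connected to the middle node's key."""
    middle_key = secrets.token_bytes(32)  # constructed key of the interposed node
    b.receive(a.otp_to_send, middle_key)
    a.receive(b.otp_to_send, middle_key)


def out_of_band_verified(a: Peer, b: Peer) -> bool:
    """The check the mail recommends: each side reads the fingerprint of the key it is
    connected to and compares it, over a channel the middle node does not control,
    with the fingerprint the friend announces for their own key."""
    return (fingerprint(a.seen_peer_key) == fingerprint(b.key)
            and fingerprint(b.seen_peer_key) == fingerprint(a.key))


def run(scenario) -> dict:
    a = Peer("A", otp_to_send="otp-from-A", otp_expected="otp-from-B")
    b = Peer("B", otp_to_send="otp-from-B", otp_expected="otp-from-A")
    scenario(a, b)
    return {"a_auth_ok": a.auth_ok, "b_auth_ok": b.auth_ok,
            "oob_ok": out_of_band_verified(a, b)}


def run_direct() -> dict:
    return run(direct_session)


def run_relayed() -> dict:
    return run(relayed_session)


def otp_is_single_use() -> bool:
    """Presenting the same OTP a second time fails, as the thread states."""
    b = Peer("B", otp_to_send="otp-from-B", otp_expected="otp-from-A")
    first = b.receive("otp-from-A", secrets.token_bytes(32))
    second = b.receive("otp-from-A", secrets.token_bytes(32))
    return first and not second


if __name__ == "__main__":
    print("direct :", run_direct())
    print("relayed:", run_relayed())
```

In the direct run both `auth_ok` flags and `oob_ok` are true; in the relayed run both `auth_ok` flags are still true and only `oob_ok` is false, which is the point of the mail: the OTP exchange alone cannot tell the two cases apart.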