On Mon, Jan 14, 2013 at 4:02 PM, Info . <[email protected]> wrote: > aboute securely you are exchange only public keys, not private...... u send > public keys directly to your opponent by jabber..... (not to any server) > in this way MITM attack will have no meaning. > without private keys - nothing is impossible to decrypt...
I assume you mean that the user is not asked to verify the key fingerprint out of band (else it wouldn't be automatic). If you're not doing this, how can you guarantee that the public key belongs to the right person and hasn't been MITMed? Do you mean that the keys are sent peer to peer, without sending them through the XMPP stream? If so, how are these P2P connections negotiated? If they're negotiated over XMPP then the security profile is pretty much the same as if the keys themselves were sent over XMPP too, isn't it? /K _______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
