On 2014.01.31 15.49, Nicolás Reynolds wrote:
> I suggested the idea of OTR requirement to prosody devs :)

Thanks!

> Re: [prosody-users] mod_require_otr?.eml
> Subject: Re: [prosody-users] mod_require_otr?
> From: Matthew Wild <[email protected]>
> Date: 2014.01.31 15.31
> To: Prosody IM Users Group <[email protected]>
> ...
> Another concern might be that it encourages users to use OTR
> without authenticating their contacts properly.

Just a short note here -- we'd still prefer that people use OTR even without authentication, as it turns a passive attack (assuming server/SSL key compromise) into an active one. Yes, users need to understand what the risks are, but in the vast majority of outcomes, they'll be better off.

Currently, many clients only support a single, heavyweight trust declaration for fingerprints and will not warn you when a fingerprint changes if you haven't verified it. If clients notified on every fingerprint change, it would be *much* easier to detect periodic active attacks even without verification.

Likewise, they mostly only support a single fingerprint per user, which vastly complicates use with multiple (mobile/desktop, for instance) clients.

In all cases I've seen, actual fingerprint management (outside of verification) is poor to nonexistent. All of these are areas we should consider improvement in.

E.

-- 
Ideas are my favorite toys.
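As an added example (not code from this thread, from Prosody, or from any OTR client), this is the kind of fingerprint bookkeeping the note above asks for: several fingerprints per contact, and a warning on every fresh fingerprint whether or not the contact was ever verified. The contact name and fingerprint values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


def normalize_fingerprint(fp: str) -> str:
    """OTR fingerprints are 40 hex digits, usually displayed as 5 groups of 8."""
    digits = fp.replace(" ", "").upper()
    if len(digits) != 40 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not an OTR fingerprint: {fp!r}")
    return digits


@dataclass
class ContactKeys:
    seen: Set[str] = field(default_factory=set)      # every fingerprint ever observed
    verified: Set[str] = field(default_factory=set)  # subset the user checked out of band


class FingerprintTracker:
    """Keeps several fingerprints per contact and reports every change, verified or not."""

    def __init__(self) -> None:
        self.contacts: Dict[str, ContactKeys] = {}

    def observe(self, contact: str, fp: str) -> str:
        """Record a fingerprint seen in a session; return what the client should show."""
        fp = normalize_fingerprint(fp)
        keys = self.contacts.setdefault(contact, ContactKeys())
        if fp in keys.verified:
            return "verified"
        if fp in keys.seen:
            return "known-unverified"  # seen before, never verified: no new warning
        first = not keys.seen
        keys.seen.add(fp)
        # A never-verified contact still gets a warning when a fresh key appears,
        # which is what makes an active attack against an unverified peer visible.
        return "first-use" if first else "new-fingerprint"

    def verify(self, contact: str, fp: str) -> None:
        """Mark a fingerprint as verified (e.g. after an out-of-band comparison)."""
        fp = normalize_fingerprint(fp)
        keys = self.contacts.setdefault(contact, ContactKeys())
        keys.seen.add(fp)
        keys.verified.add(fp)


if __name__ == "__main__":
    t = FingerprintTracker()  # constructed session sequence for one contact
    for fp in ["12345678 9ABCDEF0 12345678 9ABCDEF0 12345678",
               "FEDCBA98 76543210 FEDCBA98 76543210 FEDCBA98"] * 2:
        print(t.observe("alice@example.org", fp))
```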
