2014-08-19 19:26 GMT+02:00 Travis Biehn <[email protected]>:
> because XMPP supports federation along a mix of TLS and
> plaintext interconnects that OTR is therefore susceptible to a man in the
> middle attack. This is absolutely correct. XMPP routers may indeed be
> compromised.
>
> Key federation under the OTR scheme: in order to be confident that the
> endpoints are chatting to each other through a secure channel they must
> exchange key fingerprints out of band (then)
> both endpoints can be reasonably sure that they are communicating over
> a secure channel - regardless of the maliciousness of the XMPP routers that
> they are connecting through.
>
> The problem after key federation and the reason that these protocols (BAR,
> ECHO, A(daptive)ECHO, Clique etc) exist. They are trying to resolve the metadata
> aspect of communication. OTR protects message content but does not make any
> efforts at obscuring metadata


Dear Travis,
both must be done, using strong multi-encryption and hiding in the
crowd. If XMPP would offer real end to end encryption and not only
point to point encryption, OTR would be more secure in the phase of an
initial certificate handshake of a man in the middle attack. Offline
Messaging and receiving authenticated (which means to block
non-authenticated messages) and renewing the encryption key per
session would be other security topics. The architecture is currently
an insecure mosaic, so it makes sense to focus on these new security
protocols and research them too.
Echocasting or Broadcasting or Flooding, whatever you call the echo
protocols, could be analysed in regard of either bandwidth and further
scalability. Bandwidth could only be a real problem on a mobile, so I
wonder which of the new ideas are mobile ready. Sims.me/security
(mobile messenger by DHL Logistics) by the way has a similar
encryption architecture and sets a new standard for XMPP. But it is
not open source and graph theory is simple here; even for a round
table graph theory is quite trivial to explore:
http://en.wikipedia.org/wiki/Graph_theory
Regards Randolph
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
[email protected].
