Adrien Béraud <[email protected]> writes:
> Those security concerns, mainly coming from a Tox developer, are mostly
> unfounded IMO,
> but it's always a good practice to exchange with the community and to explain
> how Ring works.
>
> I tried to answer the best I could in a reasonable length:
>
> https://security.stackexchange.com/a/162603/151701
Thanks for posting the link. From previous discussions I understood about using ring keys to authenticate and PFS. The comments about OTR and axolotl seem off base. PFS is not that difficult in a system where peers are connected, which you need anyway for a voice call. But I think this does lead to ring messaging only working if both parties are online/reachable at once.

I had either asked about the DHT address privacy issue, or thought I should and didn't send the mail, but your answer also answers that. As I suspected, you are agreeing that registering ring key/IP in the DHT allows someone to track what IP address that ring id has when. While I agree on the general point that there are tradeoffs and no perfect approaches, I see this as significant.

It would be good for ring.cx's website to have a security page that's basically a slight expansion of your stackexchange answer, where a user could understand the key points of peer authentication, encryption/PFS, and exposure of IP address.
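As an added illustration of the point made in the reply above (that forward secrecy is not hard once both peers are connected, and that such a handshake only works while both are reachable at once), here is a minimal authenticated ephemeral key exchange. This is example code written for this page; it is not Ring's protocol and not code from either author of the thread. Assumptions: an Ed25519 key pair stands in for the long-term "ring key", X25519 supplies the per-session ephemeral keys, the session key is derived with HMAC-SHA256 under a made-up label `example-pfs-handshake-v1`, and the names `Identity`, `Offer`, `Session`, `Demo` and `ForgedDemo` are invented for the example. The interactive part is the exchange of the two `Offer` messages: each side has to be online to send its fresh ephemeral key, which is exactly the limitation the reply points out for messaging.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Domain-separation label for this illustrative handshake (an assumption, not Ring's wire format).
const hsLabel = "example-pfs-handshake-v1"

// Identity is a long-term key pair standing in for a "ring key" (Ed25519 is an assumption here).
type Identity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity ignores the key-generation error: rand.Reader failing is fatal for a demo anyway.
func NewIdentity() *Identity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Identity{Pub: pub, priv: priv}
}

// Offer is the one message each peer sends while both are online: a fresh
// ephemeral X25519 public key, signed with the long-term identity key.
type Offer struct {
	IdentityPub ed25519.PublicKey
	Ephemeral   []byte
	Sig         []byte
}

// Session holds the ephemeral private key only until the shared key is derived.
type Session struct {
	eph   *ecdh.PrivateKey
	Offer Offer
}

func (id *Identity) StartSession() *Session {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	ephPub := eph.PublicKey().Bytes()
	sig := ed25519.Sign(id.priv, append([]byte(hsLabel), ephPub...))
	return &Session{eph: eph, Offer: Offer{IdentityPub: id.Pub, Ephemeral: ephPub, Sig: sig}}
}

// Finish checks the peer's Offer against the identity key we already trust (as a Ring ID
// pins a key), derives the session key, then drops the ephemeral secret, so a later theft
// of the long-term key cannot recover this session: that is the forward-secrecy property.
func (s *Session) Finish(expectedPeer ed25519.PublicKey, peer Offer) ([]byte, error) {
	if !bytes.Equal(expectedPeer, peer.IdentityPub) {
		return nil, errors.New("offer is not from the expected identity")
	}
	if !ed25519.Verify(peer.IdentityPub, append([]byte(hsLabel), peer.Ephemeral...), peer.Sig) {
		return nil, errors.New("bad signature on ephemeral key")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := s.eph.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	// Bind the key to both ephemeral public keys, sorted so both sides derive the same value.
	lo, hi := s.Offer.Ephemeral, peer.Ephemeral
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo
	}
	kdf := hmac.New(sha256.New, shared)
	kdf.Write(append(append([]byte(hsLabel), lo...), hi...))
	s.eph = nil // forget the ephemeral secret
	return kdf.Sum(nil), nil
}

// Demo: Alice and Bob are both reachable, exchange Offers, and derive the same 32-byte key.
func Demo() ([]byte, []byte, error) {
	alice, bob := NewIdentity(), NewIdentity()
	sa, sb := alice.StartSession(), bob.StartSession()
	keyA, err := sa.Finish(bob.Pub, sb.Offer)
	if err != nil {
		return nil, nil, err
	}
	keyB, err := sb.Finish(alice.Pub, sa.Offer)
	return keyA, keyB, err
}

// ForgedDemo: Mallory, in the path, keeps Alice's identity key in the Offer but swaps in
// her own ephemeral key and signature. Bob must reject it (non-nil error).
func ForgedDemo() error {
	alice, bob, mallory := NewIdentity(), NewIdentity(), NewIdentity()
	sb, sm := bob.StartSession(), mallory.StartSession()
	forged := Offer{IdentityPub: alice.Pub, Ephemeral: sm.Offer.Ephemeral, Sig: sm.Offer.Sig}
	_, err := sb.Finish(alice.Pub, forged)
	return err
}
```

The long-term key is used only to sign the ephemeral public key, never to encrypt anything, so recording the traffic and later stealing the identity key yields nothing once both peers have discarded their ephemeral secrets. Nothing here touches the DHT lookup that the reply raises as the separate IP-exposure problem: how a peer finds the other's address is outside this handshake.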
