Re: Encryption plugins for gaim
On 14/03/05 Adam Fields said: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. If you use jabber, note that the Psi client supports 2-person PGP encrypted conversations. I sometimes find it useful. http://psi.affinix.com/ Mike -- Michael P. Soulier [EMAIL PROTECTED] http://www.digitaltorque.ca http://opag.ca python -c 'import this' Jabber: [EMAIL PROTECTED] signature.asc Description: Digital signature
Re: Encryption plugins for gaim
On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote: Why not help us make Jabber/XMPP more secure, rather than overloading AIM? With AIM/MSN/Yahoo your account will always exist at the will of Unfortunately, I already have a large network of people who use AIM, and they all each have large networks of people who use AIM. Many of them still use the AIM client. Getting them to switch to gaim is feasible. Getting them to switch to Jabber is not. However, getting them to switch to gaim first, and then ultimately Jabber might be an option. Frankly, the former is more important to me in the short term. AOL, whereas with XMPP you can run your own server etc. Unfortunately Does can == have to? From what I remember of trying to run Jabber a few years ago, it did. the original Jabber developers did not build encryption in from the beginning and the existing methods have not been implemented widely (OpenPGP over Jabber) or are not very Jabberish (RFC 3923), so we need to improve what we have. Contributions welcome. See here for pointers: http://www.saint-andre.com/blog/2005-03.html#2005-03-15T11:23 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Encryption plugins for gaim
On Tue, Mar 15, 2005 at 02:47:35PM -0500, Ian Goldberg wrote: this is actually a very good solution for me. The only thing I don't like about it is that it stores the private key on your machine. I understand why that is, but it also means that if you switch machines with the same login (home/work), you have to reverify the fingerprint out of band (assuming you care enough to do that in the first place). You can also just copy your otr.private_key file around. See, for example, http://chris.milbert.com/AIM_Encryption/ It would be helpful if you could specify the location of the private key file, so then it could be on a thumb drive or something similar. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Encryption plugins for gaim
On Tue, Mar 15, 2005 at 02:14:48PM -0500, Ian Goldberg wrote: OTR works over Jabber today. Granted, it's not very Jabberish (as far as I understand the term; I don't know the Jabber protocol very well): it just replaces the text of the message with ciphertext. [gaim, at least, doesn't seem to have a way to construct a more Jabberish message, as far as I could tell.] I'd be more than happy to help Jabber-ify the OTR protocol. The reason we designed OTR was exactly that the GPG-over-IM solutions have semantics that don't match those of a private conversation: you have long-term encryption keys, as well as digital signatures on messages. You don't *want* Bob to be able to prove to Charlie that Alice said what she did. [Yet you want Bob to be himself assured of Alice's authorship.] And a compromise of Bob's computer tomorrow should not expose today's messages. OTR also adds a couple of extra features (malleable encryption, publishing of the MAC keys, a toolkit for forging transcripts) to help Alice claim that someone's putting words in her mouth. Obviously I need to read up more on OTR, but thanks for the offer of assistance -- I'll reply further when my level of ignorance is not quite so high as it is now. /psa - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Encryption plugins for gaim
Ian G wrote: Adam Fields wrote: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. Specifically, I note gaim-otr, authored by Ian G, who's on this list. Just a quick note of clarification, there is a collision in the name Ian G. 4 letters does not a message digest make. Perhaps if you were to prepend a random serial number to your name this problem would be alleviated? Best wishes, Jim Cheesman - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Encryption plugins for gaim
At 10:19 PM 3/13/2005, Adam Fields wrote: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. AOL says that the ToS bits are only for things like chatrooms; user-to-user AIM traffic doesn't even go through their servers. That doesn't mean they can't eavesdrop on it if they want to, or that they don't have mechanisms for automating MITM, so you may very well want to use encryption, but at least in the normal case your traffic is relatively private. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Encryption plugins for gaim
On Tue, Mar 15, 2005 at 09:33:51PM +0100, Jim Cheesman wrote: | Ian G wrote: | | Adam Fields wrote: | | Given what may or may not be recent ToS changes to the AIM service, | I've recently been looking into encryption plugins for gaim. | Specifically, I note gaim-otr, authored by Ian G, who's on this list. | | | Just a quick note of clarification, there is a collision | in the name Ian G. 4 letters does not a message digest | make. | | | Perhaps if you were to prepend a random serial number to your name this | problem would be alleviated? They'd both randomly choose pi. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Encryption plugins for gaim
In message [EMAIL PROTECTED], Peter Saint-Andre writes: On Tue, Mar 15, 2005 at 02:02:31PM -0500, Adam Fields wrote: On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote: Why not help us make Jabber/XMPP more secure, rather than overloading AIM? With AIM/MSN/Yahoo your account will always exist at the will of Unfortunately, I already have a large network of people who use AIM, and they all each have large networks of people who use AIM. Many of them still use the AIM client. Getting them to switch to gaim is feasible. Getting them to switch to Jabber is not. However, getting them to switch to gaim first, and then ultimately Jabber might be an option. Frankly, the former is more important to me in the short term. Yep, the same old story. :-) AOL, whereas with XMPP you can run your own server etc. Unfortunately Does can == have to? From what I remember of trying to run Jabber a few years ago, it did. No, we have 200k registered users on the jabber.org server and some servers have even more. You can run your own server, though, and accept connections only from other servers you trust, etc. Let me second the recommendation for jabber (though I wish the code quality of some of the components were better). The protocol itself supports TLS for client-to-server encryption; you can also have AIM (or other IM) gateways on that server. In many situations (i.e., wireless), it protects the most vulnerable link from eavesdropping. While clearly not as good as end-to-end encryption, it's far better than nothing, especially in high-threat environments such as the IETF... (Of course, I only know of one open source client -- psi -- that checks the server certificate.) In theory, server-to-server communications can also be TLS-protected, though I don't know if any platforms support that. On top of any other encryption, many implementations support PGP encryption between correspondents. I don't know of any support for e2e-encrypted chat rooms. I haven't played with OTR, nor am I convinced of the threat model. That said, what you really need to watch out for is the transcript files on your own machine... --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Encryption plugins for gaim
Adam Fields wrote: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. Specifically, I note gaim-otr, authored by Ian G, who's on this list. Just a quick note of clarification, there is a collision in the name Ian G. 4 letters does not a message digest make. Gaim-otr as I understand it is authored by Nikita Borisov and Ian Goldberg [EMAIL PROTECTED]. It can be acquired here: http://www.xelerance.com/mirror/otr/ and here are some other links: http://www.emergentchaos.com/archives/000715.html Just to confuse the issue I also am working on a private instant messaging service which is markedly different, in that I am taking a payment system and reworking it into an IM system: http://www.financialcryptography.com/mt/archives/000379.html But I haven't got around to a download yet. And it's not AIM compatible, as it works through its host payment system. Ian - would you care to share some insights on this? Is it ready for prime time or just a proof-of-concept? Any known issues? Over to Ian G. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Encryption plugins for gaim
On Mon, Mar 14, 2005 at 01:19:04AM -0500, Adam Fields wrote: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. Specifically, I note gaim-otr, authored by Ian G, who's on this list. Ian - would you care to share some insights on this? Is it ready for prime time or just a proof-of-concept? Any known issues? If you want encryption with authentication, there's the gaim-encryption plugin. I get the feeling gaim-otr is for more specific circumstances. -- Taral [EMAIL PROTECTED] This message is digitally signed. Please PGP encrypt mail to me. A: Because it fouls the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing on usenet and in e-mail? pgpfHgRbHTkPG.pgp Description: PGP signature