Re: [Gajim-devel] XEP-0065 encryption

2016-04-14 Thread Yann Leboulanger 
On 04/14/2016 10:48 PM, Yann Leboulanger wrote:
> On 04/13/2016 12:24 PM, Илья Валеев wrote:
>>  
>>> Gajim automatically tries jingle FT first, and encryption if both
>>> parties support it. But except by reading XML, you currently can't
>>> know nor enforce encryption. Suggestions welcome.
>> For example: new string option "file_transfer" (maybe conflict with
>> "use_ft_proxies") with this variants:
>>
>> *I.* auto
>> Default value, act as Gajim act today.
>>
>> *II.* inband
>> Send files with IBB.
>>
>> *III.* proxy
>> Send it with proxy defined in XEP-0065
>>
>> *IV.* jingle
>>
>> *Also:*
>> - Display icon for every position in list of transferring files, which
>> display encrypted transfer or not (for example, green closed lock and
>> red open lock)
>> - Warn user when file transfer is not encrypted before transfer starts
>> and give choise, continue without encryption or not
>>
>> Think that such transparency will help not only me, but all people
>> that cares about there security.
>>
>> I use gpg and in my case IBB would be encrypted, right? What kind of
>> encryption can offer jingle (I hear that XTLS
>>  is deprecated)?
>> Is there any possibilities of end-to-end encrypting proxy filetransfer?
> You mixed several things: The way to negociate the transfer, the
> transport used to do it. Jingle and proxy are not orthogonal.
> Moreover, IBB should only be used as a fallback way. It uses a lot of BW
> and CPU for the server, and it's slow. Servers are not done to transfer
> so much data.
> I agree that displaying an encryption icon is a must have, and I already
> thought about that.
> Warn the user could be an option, but with a "do not warn me anymore"
> checkbox. Because that could annoy a lot on every transfer.
> IBB is NOT encrypted. you send your file plain. The link to your server
> may be encrypted if you're connect securely. But:
>  - the server owner has the file plain
>  - you have no idea if the S2S connection is secure
>  - you have no idea if the connection between your contact and his
> server is secure
>
> Once again, GPG is not used to encrypt / sign a file before it's sent.
>
> We indeed use XTLS even if this XEP has never been released
>
This is what we use:
http://xmpp.org/extensions/inbox/jingle-xtls.html
___
Gajim-devel mailing list
Gajim-devel@gajim.org
https://lists.gajim.org/cgi-bin/listinfo/gajim-devel

Re: [Gajim-devel] XEP-0065 encryption

2016-04-14 Thread Yann Leboulanger 
On 04/13/2016 12:24 PM, Илья Валеев wrote:
>  
>> Gajim automatically tries jingle FT first, and encryption if both
>> parties support it. But except by reading XML, you currently can't
>> know nor enforce encryption. Suggestions welcome.
> For example: new string option "file_transfer" (maybe conflict with
> "use_ft_proxies") with this variants:
>
> *I.* auto
> Default value, act as Gajim act today.
>
> *II.* inband
> Send files with IBB.
>
> *III.* proxy
> Send it with proxy defined in XEP-0065
>
> *IV.* jingle
>
> *Also:*
> - Display icon for every position in list of transferring files, which
> display encrypted transfer or not (for example, green closed lock and
> red open lock)
> - Warn user when file transfer is not encrypted before transfer starts
> and give choise, continue without encryption or not
>
> Think that such transparency will help not only me, but all people
> that cares about there security.
>
> I use gpg and in my case IBB would be encrypted, right? What kind of
> encryption can offer jingle (I hear that XTLS
>  is deprecated)?
> Is there any possibilities of end-to-end encrypting proxy filetransfer?

You mixed several things: The way to negociate the transfer, the
transport used to do it. Jingle and proxy are not orthogonal.
Moreover, IBB should only be used as a fallback way. It uses a lot of BW
and CPU for the server, and it's slow. Servers are not done to transfer
so much data.
I agree that displaying an encryption icon is a must have, and I already
thought about that.
Warn the user could be an option, but with a "do not warn me anymore"
checkbox. Because that could annoy a lot on every transfer.
IBB is NOT encrypted. you send your file plain. The link to your server
may be encrypted if you're connect securely. But:
 - the server owner has the file plain
 - you have no idea if the S2S connection is secure
 - you have no idea if the connection between your contact and his
server is secure

Once again, GPG is not used to encrypt / sign a file before it's sent.

We indeed use XTLS even if this XEP has never been released

-- 
Yann
___
Gajim-devel mailing list
Gajim-devel@gajim.org
https://lists.gajim.org/cgi-bin/listinfo/gajim-devel