On Fri, 2007-04-13 at 14:16 +0100, Ian Paterson wrote:
> If you (sometimes) don't check SSH fingerprints, and you still believe
> SSH has value, then can you reasonably argue that something like
> ESessions doesn't?

Versus a casual or targeted attacker, I can, because like most people I am pretty trusting of Internet routing. Even if the ssh retained secret doesn't give much added assurance that I'm connecting to the proper host, the Diffie-Hellman exchange prevents passive eavesdropping, which was the bigger concern in the first place. Even anonymous TLS over all of the links would give that advantage in XMPP. You correctly point out that ESessions does have value in combatting dragnet-style surveillance, and of course it has value to users who are diligent about their security.
