On Thu Oct 2 14:23:35 2008, Pavel Simerda wrote:
> I admit I find it hard to see how you can have a secure and
> *trusted* connection without loss of privacy. But I'm not an
expert
> on security.
Secure connections just requires mutual authentication.
I'm not sure that's true, it's simply that some form of mutual
authentication is the easiest method of avoiding MITM attacks - I'm
not sure there's any other way, but I wouldn't rule it out. Remember,
too, that a channel may be secure from the perspective of one party,
but not another.
What we generally talk about is exchanging, or comparing, a token
derived from the session, but given that we're encouraging people to
exchange or compare over the telephone or in real life, this hardly
seems to give better privacy.
Any form of authentication is, after all, the act of proving an
asserted identity, and that seems to me to be leaking *some*
additional information.
> I don't understand why a direct or mediated TCP connection is less
> reliable than a C2S + S2S * 2 + C2S set of connections. I think a
> direct connection is the most reliable of them all because I've
got
> instant notification when something goes wrong: the connection
gets
> dropped.
>
I am very much for direct connections where possible if we're
dealing
security and/or performance. Sensible decentralization is
already XMPP's advantage.
In some instances, the identity derivable from an IP address is
sufficient to identify somebody quite closely. For instance,
observing the headers of this message can give you my employer
(because I'm in the office today) and my real name. Of course, I'm
not bothered about you knowing either, and given my jid, my server
will tell you who I am anyway.
However, the cases where I see security interesting for IBB cases is
when I connect to an anonymous XMPP service and talk to a known
authority - police for example - without wishing to disclose my own
identity. In such cases, using a TLS protected stream, authenticated
only in one direction, over IBB seems like the best option. Note that
this stream is not secure from the perspective of the police,
although it is secure from the perspective of the anonymous caller -
this is because the police have not authenticated the caller.
As a momentary aside, this kind of setup cannot be achieved with
esessions, which mandate a symmetrical authentication.
> > I think we should always use IBB for E2E, as long as it's only
> > text. ICQ demonstrated back then HOW bad this is.
>
> I encourage exactly the opposite, specially in a corporate
> environment. If I make sure the chat doesn't ever leave the local
> network, I reduce the risk of snooping considerable.
>
Correct, ICQ didn't demonstrate anything of this sort. I encourage
the
opposite in all environments except maybe very special ones.
Corporate
environment should though have its own XMPP server.
Typically, yes, but it may be hosted externally to the corporate
network, for example if it's supplied by a third party as a hosted
service.
Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
