On 10/8/15, [email protected] <[email protected]> wrote: > .... > One of the major problems is the design of Pidign, which tries > to build a convenient IM client before it takes security into > consideration
"security vs. usability", as ever... > Still, it is possible to a achieve a high degree of privacy. > The amount of "security" will vary and depend on many factors. > > A vm is none of them: > Confining it, doesn't make it more secure, and it mitigates nothing in > pidgin or libpurple. A broken IM client is still broken, even when > confined (I am tempted to say buried) in a VM. consider the Tor Browser PDF exploit that accessed $HOME for keys and other. if Tor Browser (and Pidgin) are isolated from each other, this $HOME type attack of reduced risk. one example. > If OP has to rely on an IM, like pidgin or a protocol, there is no more > or added "security" by putting it into a vm or container. > All he gains is isolation in a best case scenario. do you not see the benefit in isolating applications at risk of rogue remote execution? i agree it is not the only security measure, nor the most important. but it is useful, and that is why i mention it. more useful would be using a secure client, but, again, usability. > Honestly, let's recommend a more secure implemenation > of the protocol OP wishes to use and educate OP how to use it in > a manner, that neither privacy and anonymity of the involved parties > are compromised and the authenticity of the exchanged messages is given. i disagree with this approach. make the secure usable. don't force users to adapt to "secure". > Using Tor with Pidgin, we are at a disadvantage... > If security is a result of good design, good design is when there > is nothing left to remove and the design is still secure. so, you're going to design and implement a usable, secure chat and presence? :) > Contrary to the popular misconception, that security is some kind of > fairydust, product or duct-tape that we can apply to protocols or software > afterwarts. actually, i saw this Kickstarter the other day... ;P best regards, -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
