Another entry in the internet security hall of shame....

Enzo Michelangeli enzomich at gmail.com
Fri Aug 26 11:23:55 EDT 2005


----- Original Message ----- 
From: "Perry E. Metzger" <perry at piermont.com>
To: "Adam Back" <adam at cypherspace.org>
Cc: "Peter Saint-Andre" <stpeter at jabber.org>; <cryptography at metzdowd.com>
Sent: Friday, August 26, 2005 8:55 PM
Subject: Re: Another entry in the internet security hall of shame....

[...]
> Remember that Jabber and similar protocols also trust servers to some
> extent. Servers store and distribute valuable information like
> presence data -- it is architecturally hard to do otherwise.

Well, not really: the buddies on the list can be located through a
Distributed Hash Table such as Kademlia, and, once their IP addresses are
known, their presence can be checked by ping/pong exchange of UDP packets
every few seconds. The biggest problem is represented by NATs, but there
are techniques that can alleviate it (hole punching or, in stubborn cases,
relaying through non-NATted nodes).

> I agree that you *also* want end to end, such as pgp over Jabber
> provides. I really wish Gaim supported the pgp over Jabber stuff the
> way PSI does...

Why not get OTR then? http://www.cypherpunks.ca/otr/

Enzo


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
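
The serverless presence check described in the message above, as an added example that is not part of the original post or of any Jabber or Kademlia implementation. It assumes the buddy's address has already been obtained (the DHT lookup is out of scope), and the wire format (`PING`/`PONG` plus a 16-byte nonce) and all function names are constructed for illustration.

```python
import os, socket, threading, time

PING, PONG, NONCE_LEN = b"PING", b"PONG", 16  # constructed wire format (assumption)

def serve_pongs(sock, stop):
    """Buddy side: answer each well-formed ping by echoing its nonce in a pong."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, src = sock.recvfrom(64)
        except socket.timeout:
            continue
        if data[:4] == PING and len(data) == 4 + NONCE_LEN:
            sock.sendto(PONG + data[4:], src)

def ping_once(addr, timeout=0.3):
    """One probe: True only if addr itself echoes this probe's fresh nonce in time."""
    nonce = os.urandom(NONCE_LEN)
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(PING + nonce, addr)
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                data, src = s.recvfrom(64)
            except OSError:  # timeout, or ICMP port-unreachable on some platforms
                return False
            if src == addr and data == PONG + nonce:
                return True  # stale or off-path pongs never match the nonce
    return False

def presence(addr, attempts=3):
    """UDP is lossy, so report offline only after every attempt goes unanswered."""
    return "online" if any(ping_once(addr) for _ in range(attempts)) else "offline"

def demo():
    """Run a buddy on loopback, probe it, shut it down, probe again."""
    buddy = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    buddy.bind(("127.0.0.1", 0))
    addr, stop = buddy.getsockname(), threading.Event()
    t = threading.Thread(target=serve_pongs, args=(buddy, stop))
    t.start()
    before = presence(addr)
    stop.set(); t.join(); buddy.close()
    return before, presence(addr)

if __name__ == "__main__":
    print(demo())
```

The nonce and source-address check only reject stale or off-path replies; they do not authenticate the buddy, so anyone who can read the ping can answer it.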