funsec mailing list archives
secure IM and paul's jabber challenges
From: Paul Vixie <paul () vix com>
Date: Thu, 10 Nov 2005 02:40:15 +0000
# Is there anything wrong with http://GAIM-Encryption.sourceforge.net ?

that depends on what you want to use it for. from that web page:

    Automatically recognizes if you are chatting with someone who has the
    plugin- see the Preferences dialog.

so, this will allow end to end encryption amongst cooperating GAIM users. it will not help you if the other end doesn't have the same plugin, or is running something like iChat. PSI (a jabber client) has something similar for end-to-end PGP encryption, but there's no RFC on this behaviour and no other client interoperates with it so i find it useless. (it also doesn't work well on my suse10/amd64 box, but that's a separate issue.)

the reason i prefer jabber is:

1. i can run my own server, or connect only to servers whose admins i trust;
2. i can TLS or SSL encrypt my session to the trusted server shown in #1;
3. the server operator can disable non-TLS non-SSL sessions if they wish;
4. it's all covered by RFCs, so only old/broken clients won't interoperate.

the malaise i see among my fellow power-users in recent years goes by the name "i just don't want to think about that stuff any more" as if somehow we can all trust apple's (usually) or indeed anyone's judgement other than our own as to _structural_ and _architectural_ security matters.

i'll continue to roll my own until the honourable senators from verisign and microsoft find a way to make rolling my own illegal. even though it's a hard life when you can't just drag and drop commercial apps to your desktop and run them. fortunately, KDE and openoffice have come a long way recently...

# > http://www.cypherpunks.ca/otr/

OTR is really cool stuff, for the couple hundred people who will ever run it, or at least, who will run it before there's an RFC published about it. i wish i had the cycles to burn on this, i'd write the RFC myself just to get OTR to eventually be available to more endpoints. (but meanwhile, there's jabber.)

# > > If both participants have the latest version of ...

...of any given thing like PGP Desktop, OTR, GAIM-Encryption, PSI-with-PGP, or anything else that's designed to solve this problem, then the problem will be solved for that pair of endpoints. i'm not interested in pairs of endpoints. i'm interested in secure systems, and that means internet standards. (so fortunately, there's jabber.)

# > >> Trillian SecureIM?

from the OTR web page ref'd above:

    How is [OTR] different from Trillian's SecureIM?

    SecureIM doesn't provide any kind of authentication at all! You really
    have no idea (in any kind of secure way) to whom you're speaking, or if
    there is a "man in the middle" reading all of your messages.

so, to quote myself after the rest of you provided all that context to make me a little more understandable:

# > >> i won't use any I-M system except jabber. the idea of sending my text
# > >> through somebody else's server, especially yahoo/microsoft/google/aol
# > >> who will do adword searches and data mining / list appending, makes me
# > >> want to lunge for the circuit breaker. yet millions of people do this,
# > >> even the mostly-otherwise-smart ones who attend ietf/nanog/arin
# > >> meetings and bring their mac/os/x laptops and think nothing of talking
# > >> about customer proprietary information via their iChat clients. ick,
# > >> ick, ick.

here's my challenge to all of you.

1. get a jabber client, create a JID, log in and play around. you can invite me to subscribe to your presence, and try to subscribe to mine. my JID vixie () jabber tisf net and i own/operate that server so i trust it pretty well and if you trust my intentions and/or competence then you could decide to trust it, too. it's open-registration, so if you don't have a jabber server of your own and you don't want to use the great big unreliable jabber.org server in the sky, feel free to create a JID on this server (jabber.tisf.net).

if you don't know what jabber client you'll like, then you'll probably prefer iChat (as of mac/os 10.4) or AdiumX (any mac/os 10) or Adium (mac/os 9) or pandion (any windows). if you do know what jabber client you like, then you are no doubt already using psi or tkabber.

if you want to run your own jabber server (it's easy! it's fun! everybody's doing it! you should too!), i've pretty much settled on ejabberd, which comes in /usr/ports on freebsd systems. note that the port is marked "only runs on i386" but it in fact runs fine on amd64 as of freebsd 5.4. there are also RPM's for most linux distros.

2. join the funsec () conference jabber tisf net MUC (multi-user-chat). in keeping with gadi's open enrollment policy for the funsec@ mailing list, the MUC is persistent, open, and publicly visible. i will try to remain logged in, and others here should try to do likewise.

---

perhaps, just maybe, possibly, if we're diligent, we can show the commercial interests that the internet poweruser community is capable of building and operating and using its own infrastructure.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
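
Whether a server operator has actually disabled non-TLS sessions (reason 3 in the message above) shows up in the first `<stream:features/>` element the server sends. The following is an added example, not part of the original post: `audit_features` is a hypothetical helper, the four advertisements are constructed samples, and the rule it applies (STARTTLS is mandatory when it carries `<required/>` or is the only feature offered) is taken from RFC 6120.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
HEAD = f"<stream:features xmlns:stream='{NS_STREAM}'>"
TAIL = "</stream:features>"
SASL = (f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism>"
        "<mechanism>DIGEST-MD5</mechanism></mechanisms>")

# Constructed samples of the first (pre-TLS) features advertisement.
SAMPLES = {
    "tls-required": HEAD + f"<starttls xmlns='{NS_TLS}'><required/></starttls>" + TAIL,
    "tls-only-feature": HEAD + f"<starttls xmlns='{NS_TLS}'/>" + TAIL,
    "tls-optional": HEAD + f"<starttls xmlns='{NS_TLS}'/>" + SASL + TAIL,
    "no-tls": HEAD + SASL + TAIL,
}


def audit_features(features_xml):
    """Classify a server's pre-TLS <stream:features/> advertisement."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("expected a stream:features element")
    tls_tag = f"{{{NS_TLS}}}starttls"
    starttls = root.find(tls_tag)
    mechanisms = [m.text.strip()
                  for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    other_features = [child for child in root if child.tag != tls_tag]
    if starttls is None:
        policy = "absent"
    elif starttls.find(f"{{{NS_TLS}}}required") is not None or not other_features:
        # Explicit <required/>, or STARTTLS is the only thing on offer.
        policy = "required"
    else:
        policy = "optional"
    return {
        "starttls": policy,
        "pre_tls_mechanisms": mechanisms,
        # Login can happen in cleartext if SASL is offered and TLS is not forced.
        "cleartext_login_possible": policy != "required" and bool(mechanisms),
    }


if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, audit_features(xml_text))
```
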