[17108] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: Encryption plugins for gaim

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Mar 20 23:22:40 2005

X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Peter Saint-Andre <stpeter@jabber.org>
Cc: Adam Fields <cryptography23094893@aquick.org>,
	Ian G <iang@systemics.com>, cryptography@metzdowd.com,
	otr@cypherpunks.ca
In-Reply-To: Your message of "Tue, 15 Mar 2005 13:20:48 CST."
             <20050315192048.GA25086@jabber.org> 
Date: Sun, 20 Mar 2005 20:30:03 -0500

In message <20050315192048.GA25086@jabber.org>, Peter Saint-Andre writes:
>On Tue, Mar 15, 2005 at 02:02:31PM -0500, Adam Fields wrote:
>> On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
>> > Why not help us make Jabber/XMPP more secure, rather than overloading
>> > AIM? With AIM/MSN/Yahoo your account will always exist at the will of
>> 
>> Unfortunately, I already have a large network of people who use AIM,
>> and >they< all each have large networks of people who use AIM. Many of
>> them still use the AIM client. Getting them to switch to gaim is
>> feasible. Getting them to switch to Jabber is not. However, getting
>> them to switch to gaim first, and then ultimately Jabber might be an
>> option. Frankly, the former is more important to me in the short
>> term.
>
>Yep, the same old story. :-)
>
>> > AOL, whereas with XMPP you can run your own server etc. Unfortunately
>> 
>> Does "can" == "have to"? From what I remember of trying to run Jabber
>> a few years ago, it did.
>
>No, we have 200k registered users on the jabber.org server and some
>servers have even more. You can run your own server, though, and accept
>connections only from other servers you trust, etc.
>

Let me second the recommendation for jabber (though I wish the code 
quality of some of the components were better).  The protocol itself 
supports TLS for client-to-server encryption; you can also have AIM (or 
other IM) gateways on that server.  In many situations (i.e., 
wireless), it protects the most vulnerable link from eavesdropping.  
While clearly not as good as end-to-end encryption, it's far better 
than nothing, especially in high-threat environments such as the 
IETF...  (Of course, I only know of one open source client -- psi -- 
that checks the server certificate.)  In theory, server-to-server 
communications can also be TLS-protected, though I don't know if any 
platforms support that.

On top of any other encryption, many implementations support PGP 
encryption between correspondents.  I don't know of any support for 
e2e-encrypted chat rooms.

I haven't played with OTR, nor am I convinced of the threat model.  
That said, what you really need to watch out for is the transcript 
files on your own machine...

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post