[17108] in cryptography@c2.net mail archive
Re: Encryption plugins for gaim
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Mar 20 23:22:40 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Peter Saint-Andre <stpeter@jabber.org>
Cc: Adam Fields <cryptography23094893@aquick.org>,
Ian G <iang@systemics.com>, cryptography@metzdowd.com,
otr@cypherpunks.ca
In-Reply-To: Your message of "Tue, 15 Mar 2005 13:20:48 CST."
<20050315192048.GA25086@jabber.org>
Date: Sun, 20 Mar 2005 20:30:03 -0500
In message <20050315192048.GA25086@jabber.org>, Peter Saint-Andre writes:
>On Tue, Mar 15, 2005 at 02:02:31PM -0500, Adam Fields wrote:
>> On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
>> > Why not help us make Jabber/XMPP more secure, rather than overloading
>> > AIM? With AIM/MSN/Yahoo your account will always exist at the will of
>>
>> Unfortunately, I already have a large network of people who use AIM,
>> and >they< all each have large networks of people who use AIM. Many of
>> them still use the AIM client. Getting them to switch to gaim is
>> feasible. Getting them to switch to Jabber is not. However, getting
>> them to switch to gaim first, and then ultimately Jabber might be an
>> option. Frankly, the former is more important to me in the short
>> term.
>
>Yep, the same old story. :-)
>
>> > AOL, whereas with XMPP you can run your own server etc. Unfortunately
>>
>> Does "can" == "have to"? From what I remember of trying to run Jabber
>> a few years ago, it did.
>
>No, we have 200k registered users on the jabber.org server and some
>servers have even more. You can run your own server, though, and accept
>connections only from other servers you trust, etc.
>
Let me second the recommendation for jabber (though I wish the code
quality of some of the components were better). The protocol itself
supports TLS for client-to-server encryption; you can also have AIM (or
other IM) gateways on that server. In many situations (i.e.,
wireless), it protects the most vulnerable link from eavesdropping.
While clearly not as good as end-to-end encryption, it's far better
than nothing, especially in high-threat environments such as the
IETF... (Of course, I only know of one open source client -- psi --
that checks the server certificate.) In theory, server-to-server
communications can also be TLS-protected, though I don't know if any
platforms support that.
On top of any other encryption, many implementations support PGP
encryption between correspondents. I don't know of any support for
e2e-encrypted chat rooms.
I haven't played with OTR, nor am I convinced of the threat model.
That said, what you really need to watch out for is the transcript
files on your own machine...
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
