[18286] in cryptography@c2.net mail archive


Re: Another entry in the internet security hall of shame....

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Aug 26 08:55:35 2005

X-Original-To: cryptography@metzdowd.com
To: Adam Back <adam@cypherspace.org>
Cc: Peter Saint-Andre <stpeter@jabber.org>, cryptography@metzdowd.com
From: "Perry E. Metzger" <perry@piermont.com>
Date: Fri, 26 Aug 2005 08:55:05 -0400
In-Reply-To: <20050826082432.GA1797@bitchcake.off.net> (Adam Back's message
 of "Fri, 26 Aug 2005 04:24:32 -0400")


Eric Rescorla wrote:
>> Most chat protocols (and Jabber in particular) are server-oriented
>> protocols. So, the SSL certificate in question isn't that of your
>> buddy but rather of your Jabber server. 

Adam Back <adam@cypherspace.org> writes:
> That's broken, just like the "WAP GAP" ... for security you want
> end2end security, not a secure channel to a UTP (untrusted third
> party)!

Remember that Jabber and similar protocols also trust servers to some
extent. Servers store and distribute valuable information like
presence data -- it is architecturally hard to do otherwise. That
means that you also want to be sure you're talking to the right
server (and that the server wants to be sure it is talking to an
authenticated client).

I agree that you *also* want end to end, such as PGP over Jabber
provides. I really wish Gaim supported the PGP over Jabber stuff the
way PSI does...

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
