funsec mailing list archives

Previous By Date Next
Previous By Thread Next

secure IM and paul's jabber challenges

From: Paul Vixie <paul () vix com>
Date: Thu, 10 Nov 2005 02:40:15 +0000
# Is there anything wrong with http://GAIM-Encryption.sourceforge.net ?

that depends on what you want to use it for.  from that web page:

     Automatically recognizes if you are chatting with someone who has the
     plugin- see the Preferences dialog.

so, this will allow end to end encryption amongst cooperating GAIM users.
it will not help you if the other end doesn't have the same plugin, or is
running something like iChat.

PSI (a jabber client) has something similar for end-to-end PGP encryption,
but there's no RFC on this behaviour and no other client interoperates with
it so i find it useless.  (it also doesn't work well on my suse10/amd64 box,
but that's a separate issue.)

the reason i prefer jabber is:

1. i can run my own server, or connect only to servers whose admins i trust;
2. i can TLS or SSL encrypt my session to the trusted server shown in #1;
3. the server operator can disable non-TLS non-SSL sessions if they wish;
4. it's all covered by RFCs, so only old/broken clients won't interoperate.

the malaise i see among my fellow power-users in recent years goes by the
name "i just don't want to think about that stuff any more" as if somehow we
can all trust apple's (usually) or indeed anyone's judgement other than our
own as to _structural_ and _architectural_ security matters.

i'll continue to roll my own until the honourable senators from verisign and
microsoft find a way to make rolling my own illegal.  even though it's a hard
life when you can't just drag and drop commercial apps to your desktop and
run them.  fortunately, KDE and openoffice have come a long way recently...

# > http://www.cypherpunks.ca/otr/

OTR is really cool stuff, for the couple hundred people who will ever run it,
or at least, who will run it before there's an RFC published about it.  i wish
i had the cycles to burn on this, i'd write the RFC myself just to get OTR to
eventually be available to more endpoints.  (but meanwhile, there's jabber.)

# > > If both participants have the latest version of ...

...of any given thing like PGP Desktop, OTR, GAIM-Encryption, PSI-with-PGP,
or anything else that's designed to solve this problem, then the problem will
be solved for that pair of endpoints.

i'm not interested in pairs of endpoints.  i'm interested in secure systems,
and that means internet standards.  (so fortunately, there's jabber.)

# > >> Trillian SecureIM?

from the OTR web page ref'd above:

     How is [OTR] different from Trillian's SecureIM? 

     SecureIM doesn't provide any kind of authentication at all! You really
     have no idea (in any kind of secure way) to whom you're speaking, or if
     there is a "man in the middle" reading all of your messages.

so, to quote myself after the rest of you provided all that context to make
me a little more understandable:

# > >> i won't use any I-M system except jabber.  the idea of sending my text
# > >> through somebody else's server, especially yahoo/microsoft/google/aol
# > >> who will do adword searches and data mining / list appending, makes me
# > >> want to lunge for the circuit breaker.  yet millions of people do this,
# > >> even the mostly-otherwise-smart ones who attend ietf/nanog/arin
# > >> meetings and bring their mac/os/x laptops and think nothing of talking
# > >> about customer proprietary information via their iChat clients.  ick,
# > >> ick, ick.

here's my challenge to all of you.  

1. get a jabber client, create a JID, log in and play around.  you can invite
me to subscribe to your presence, and try to subscribe to mine.  my JID
vixie () jabber tisf net and i own/operate that server so i trust it pretty well
and if you trust my intentions and/or competence then you could decide to
trust it, too.  it's open-registration, so if you don't have a jabber server
of your own and you don't want to use the great big unreliable jabber.org
server in the sky, feel free to create a JID on this server (jabber.tisf.net).

if you don't know what jabber client you'll like, then you'll probably prefer
iChat (as of mac/os 10.4) or AdiumX (any mac/os 10) or Adium (mac/os 9) or
pandion (any windows).  if you do know what jabber client you like, then you
are no doubt already using psi or tkabber.

if you want to run your own jabber server (it's easy! it's fun! everybody's
doing it! you should too!), i've pretty much settled on ejabberd, which comes
in /usr/ports on freebsd systems.  note that the port is marked "only runs on
i386" but it in fact runs fine on amd64 as of freebsd 5.4.  there are also
RPM's for most linux distros.

2. join the funsec () conference jabber tisf net MUC (multi-user-chat).  in
keeping with gadi's open enrollment policy for the funsec@ mailing list, the
MUC is persistent, open, and publically visible.  i will try to remain logged
in, and others here should try to do likewise.

---

perhaps, just maybe, possibly, if we're diligent, we can show the commercial
interests that the internet poweruser community is capable of building and
operating and using its own infrastructure.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: