From jcohen07@brandeis.edu Fri Apr 1 11:41:50 2005
From: jcohen07@brandeis.edu (jcohen07@brandeis.edu)
Date: Fri, 1 Apr 2005 06:41:50 -0500
Subject: [OTR-users] Would you be interested in hosting Mandrake 10.1 rpms on your site?
Message-ID: <1112355709.424d337e00212@webmail.undergrad.brandeis.edu>

I compiled libotr-2.0.1 and gaim-otr-2.0.1 on my Mandrake 10.1 system and was
wondering if you would host these on your site. Often users (new ones
especially) shy away from software when no rpm is available. Mandrake is used
by a lot of new linux users who may not feel comfortable compiling from
source and no otr rpms are provided in mandrake's main or contrib depository.
I assume rpms are only provided for Fedora Core 3 because the developers are
using FC or Debian and don't have access to systems with other distributions.

I already have rpms built for libotr, libotr-devel and gaim-otr and would
gladly rebuild otr-proxy if you're interested in hosting the rpms.

Jason

From jcohen07@brandeis.edu Fri Apr 1 13:21:59 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Fri, 01 Apr 2005 08:21:59 -0500
Subject: [OTR-users] otrproxy fails to compile
Message-ID: <424D4AF7.4010203@brandeis.edu>

There seems to be a problem with wxGTK libs. However, I have all the
appropriate rpms installed. I even tried installing wxGTK-2.5.4 from
source and I still got the errors. I searched for the applicable libwx
.a files and none exist. Any ideas?

I have these rpms installed:

libwxgtkgl2.5_1-2.5.1-5.3.101mdk
wxGTK2.5-2.5.1-5.3.101mdk
libwxgtk2.5_1-devel-2.5.1-5.3.101mdk
libwxgtk2.5_1-2.5.1-5.3.101mdk

It also seems to not see my wxGTK rpm installation even though it's
installed:

Installing otrproxy-0.2.0-1.src.rpm
error: Failed build dependencies:
wxGTK >= 2.5 is needed by otrproxy-0.2.0-1

g++ -g -O2 -o otrproxy wxotrproxy.o wxproxyevent.o wxmainframe.o wxotrdialog.o wxstatwrtext.o wxprefframe.o wxotrpolicy.o ../src/libotrproxy.a -lotr -lgcrypt -lgpg-error -pthread -L/usr/X11R6/lib /usr/lib/libwx_gtk2_html-2.5.a /usr/lib/libwx_gtk2_adv-2.5.a /usr/lib/libwx_gtk2_core-2.5.a /usr/lib/libwx_base_xml-2.5.a /usr/lib/libwx_base_net-2.5.a /usr/lib/libwx_base-2.5.a -Wl,--export-dynamic -pthread -lgtk-x11-2.0 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lm -lpangoxft-1.0 -lpangox-1.0 -lpango-1.0 -lgobject-2.0 -lgmodule-2.0 -ldl -lgthread-2.0 -lglib-2.0 -Wl,--export-dynamic -lpangoft2-1.0 -lpango-1.0 -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0 -lpng -ljpeg -ltiff -lexpat -lz -ldl -lm
g++: /usr/lib/libwx_gtk2_html-2.5.a: No such file or directory
g++: /usr/lib/libwx_gtk2_adv-2.5.a: No such file or directory
g++: /usr/lib/libwx_gtk2_core-2.5.a: No such file or directory
g++: /usr/lib/libwx_base_xml-2.5.a: No such file or directory
g++: /usr/lib/libwx_base_net-2.5.a: No such file or directory
g++: /usr/lib/libwx_base-2.5.a: No such file or directory
make[2]: *** [otrproxy] Error 1
make[2]: Leaving directory `/home/jason/otrproxy-0.2.0/ui'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/jason/otrproxy-0.2.0'
make: *** [all] Error 2
[jason@jasonslaptop otrproxy-0.2.0]# rpm -qa | grep wx

From ian@cypherpunks.ca Fri Apr 1 13:38:09 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 1 Apr 2005 08:38:09 -0500
Subject: [OTR-users] Would you be interested in hosting Mandrake 10.1 rpms on your site?
In-Reply-To: <1112355709.424d337e00212@webmail.undergrad.brandeis.edu>
References: <1112355709.424d337e00212@webmail.undergrad.brandeis.edu>
Message-ID: <20050401133809.GY30200@smtp.paip.net>

On Fri, Apr 01, 2005 at 06:41:50AM -0500, jcohen07@brandeis.edu wrote:
> I compiled libotr-2.0.1 and gaim-otr-2.0.1 on my Mandrake 10.1 system and was
> wondering if you would host these on your site. Often users (new ones
> especially) shy away from software when no rpm is available. Mandrake is used
> by a lot of new linux users who may not feel comfortable compiling from
> source and no otr rpms are provided in mandrake's main or contrib depository.
> I assume rpms are only provided for Fedora Core 3 because the developers are
> using FC or Debian and don't have access to systems with other distributions.
>
> I already have rpms built for libotr, libotr-devel and gaim-otr and would
> gladly rebuild otr-proxy if you're interested in hosting the rpms.

That'd be fine; let me know where to download them from, and we'll put
them up. Are you volunteering to make Mandrake rpms every time there's a
release, or just this time?

[What's the difference between a Mandrake RPM and a Fedora RPM? I don't
use either system.]

Thanks,

- Ian

From ian@cypherpunks.ca Fri Apr 1 13:40:27 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 1 Apr 2005 08:40:27 -0500
Subject: [OTR-users] otrproxy fails to compile
In-Reply-To: <424D4AF7.4010203@brandeis.edu>
References: <424D4AF7.4010203@brandeis.edu>
Message-ID: <20050401134027.GZ30200@smtp.paip.net>

On Fri, Apr 01, 2005 at 08:21:59AM -0500, Jason Cohen wrote:
> There seems to be a problem with wxGTK libs. However, I have all the
> appropriate rpms installed. I even tried installing wxGTK-2.5.4 from
> source and I still got the errors. I searched for the applicable libwx
> .a files and none exist. Any ideas?
>
> I have these rpms installed:
>
> libwxgtkgl2.5_1-2.5.1-5.3.101mdk
> wxGTK2.5-2.5.1-5.3.101mdk
> libwxgtk2.5_1-devel-2.5.1-5.3.101mdk
> libwxgtk2.5_1-2.5.1-5.3.101mdk

Use one of the query options to rpm to figure out where
libwxgtk2.5_1-devel-2.5.1-5.3.101mdk puts the .a files?

- Ian

From ian@cypherpunks.ca Fri Apr 1 13:51:55 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 1 Apr 2005 08:51:55 -0500
Subject: [OTR-users] Is there any way to prevent the "You attempted to send an unencrypted message" dialog?
In-Reply-To: <424C6BE4.90403@brandeis.edu>
References: <424C6BE4.90403@brandeis.edu>
Message-ID: <20050401135155.GA30200@smtp.paip.net>

On Thu, Mar 31, 2005 at 04:30:12PM -0500, Jason Cohen wrote:
> (user sends message)
> Setup Key Exchange
> If ok, send message encrypted
> If fail, tell user that the message was not sent + recipient does not
> have OTR installed and can't setup private communications.

But this is the problem: how do you tell when "fail" happens. If the
other guy's not running OTR, nothing will ever come back. If he *is*
running OTR, but doesn't yet have your fingerprint, you'll only get
something back after the other guy has accepted your fingerprint. This
can be an arbitrary amount of time, so a simple timeout won't really
work.

- Ian

From jcohen07@brandeis.edu Fri Apr 1 14:06:32 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Fri, 01 Apr 2005 09:06:32 -0500
Subject: [OTR-users] Mandrake 10.1 rpms
Message-ID: <424D5568.1050909@brandeis.edu>

I'm offering to build Mandrake 10.1 RPMS each time a new release is
made. Would you mind if I just emailed you the rpms? They take up under
250 KB so size isn't an issue. The only difference between Fedora Core
rpms and Mandrake rpms is that one is compiled for FC3 and the other for
Mandrake 10.1. RPMs are just packaged binaries which can be used with a
package management system such as urpmi to download dependencies.
rpms also can run scripts on install to auto-configure software, where
source installs tend not to.

From jcohen07@brandeis.edu Fri Apr 1 14:21:04 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Fri, 01 Apr 2005 09:21:04 -0500
Subject: [OTR-users] Is there any way to prevent the "You attempted to send an unencrypted message" dialog?
In-Reply-To: <20050401135155.GA30200@smtp.paip.net>
References: <424C6BE4.90403@brandeis.edu> <20050401135155.GA30200@smtp.paip.net>
Message-ID: <424D58D0.9070902@brandeis.edu>

Ian Goldberg wrote:

>On Thu, Mar 31, 2005 at 04:30:12PM -0500, Jason Cohen wrote:
>
>
>>(user sends message)
>>Setup Key Exchange
>>If ok, send message encrypted
>>If fail, tell user that the message was not sent + recipient does not
>>have OTR installed and can't setup private communications.
>>
>>
>
>But this is the problem: how do you tell when "fail" happens. If the
>other guy's not running OTR, nothing will ever come back. If he *is*
>running OTR, but doesn't yet have your fingerprint, you'll only get
>something back after the other guy has accepted your fingerprint. This
>can be an arbitrary amount of time, so a simple timeout won't really
>work.
>
> - Ian
>_______________________________________________
>OTR-users mailing list
>OTR-users@lists.cypherpunks.ca
>http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>
>

How is the situation here different from any other time you attempt to
setup an OTR private connection? The only difference it seems to me is
that normally the session is created and then the user attempts to send
a message encrypted. In this case, if the connection can't be made, the
message isn't sent. However, if the encrypted session can't be setup,
wouldn't it be obvious that the encrypted message couldn't be sent?
(assuming a person knew the policy they manually set). The warning
message only informs the user that unencrypted messages can't be sent
under the policy- something the user would presumably already know.
It wouldn't tell the user that the message couldn't be sent.

Jason

From jcohen07@brandeis.edu Fri Apr 1 14:23:51 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Fri, 01 Apr 2005 09:23:51 -0500
Subject: [OTR-users] otrproxy won't compile
Message-ID: <424D5977.4000900@brandeis.edu>

Shockingly, I can't find ANY libwx .a files anywhere on my system.

From ian@cypherpunks.ca Fri Apr 1 14:34:18 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 1 Apr 2005 09:34:18 -0500
Subject: [OTR-users] Is there any way to prevent the "You attempted to send an unencrypted message" dialog?
In-Reply-To: <424D58D0.9070902@brandeis.edu>
References: <424C6BE4.90403@brandeis.edu> <20050401135155.GA30200@smtp.paip.net> <424D58D0.9070902@brandeis.edu>
Message-ID: <20050401143418.GB30200@smtp.paip.net>

On Fri, Apr 01, 2005 at 09:21:04AM -0500, Jason Cohen wrote:
> >But this is the problem: how do you tell when "fail" happens. If the
> >other guy's not running OTR, nothing will ever come back. If he *is*
> >running OTR, but doesn't yet have your fingerprint, you'll only get
> >something back after the other guy has accepted your fingerprint. This
> >can be an arbitrary amount of time, so a simple timeout won't really
> >work.
>
> How is the situation here different from any other time you attempt to
> setup an OTR private connection? The only difference it seems to me is
> that normally the session is created and then the user attempts to send
> a message encrypted. In this case, if the connection can't be made, the
> message isn't sent. However, if the encrypted session can't be setup,
> wouldn't it be obvious that the encrypted message couldn't be sent?

But what does "can't be set up" mean? How should gaim know that the other
guy (a) doesn't have OTR installed, (b) does, but has the policy for you
set to NEVER, (c) does, but hasn't accepted your fingerprint yet, etc.?
- Ian

From ian@cypherpunks.ca Fri Apr 1 14:38:19 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 1 Apr 2005 09:38:19 -0500
Subject: [OTR-users] Mandrake 10.1 rpms
In-Reply-To: <424D5568.1050909@brandeis.edu>
References: <424D5568.1050909@brandeis.edu>
Message-ID: <20050401143819.GC30200@smtp.paip.net>

On Fri, Apr 01, 2005 at 09:06:32AM -0500, Jason Cohen wrote:
> I'm offering to build Mandrake 10.1 RPMS each time a new release is
> made. Would you mind if I just emailed you the rpms? They take up under
> 250 KB so size isn't an issue.

The SRPMS are identical to Paul's FC3 ones? You didn't need to modify
them at all? Sure, email them.

> The only difference between Fedora Core
> rpms and Mandrake rpms is that one is compiled for FC3 and the other for
> Mandrake 10.1.

So the binaries end up linked to different library versions? [i.e. what
happens if you just try to install the FC3 rpms on a Mandrake system?]

- Ian

From jcohen07@brandeis.edu Fri Apr 1 17:45:31 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Fri, 01 Apr 2005 12:45:31 -0500
Subject: [OTR-users] Mandrake 10.1 RPMS
Message-ID: <424D88BB.6030009@brandeis.edu>

Ian,

Thanks for uploading the Mandrake 10.1 rpms. I'll inform ##Mandrake on
Freenode.

Jason

From jcohen07@brandeis.edu Sat Apr 2 07:07:46 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sat, 02 Apr 2005 02:07:46 -0500
Subject: [OTR-users] PGP signatures non-existent + no public key/fingerprint posted on the main webpage
Message-ID: <424E44C2.3050609@brandeis.edu>

The PGP signatures for libotr source and gaim-otr source do not exist.
Clicking the link brings up a blank page. PGP signatures do exist for
the Win32 binaries (gaim-otr & otrproxy). However, the main web page
does not post the fingerprint used or give a download link for the
public key. Without a fingerprint to verify, having a signature is useless.

Jason

From ian@cypherpunks.ca Sat Apr 2 17:19:33 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Sat, 2 Apr 2005 12:19:33 -0500
Subject: [OTR-users] PGP signatures non-existent + no public key/fingerprint posted on the main webpage
In-Reply-To: <424E44C2.3050609@brandeis.edu>
References: <424E44C2.3050609@brandeis.edu>
Message-ID: <20050402171933.GG30200@smtp.paip.net>

On Sat, Apr 02, 2005 at 02:07:46AM -0500, Jason Cohen wrote:
> The PGP signatures for libotr source and gaim-otr source do not exist.
> Clicking the link brings up a blank page.

Thanks. Apache was for some reason claiming the tar.gz.asc file was
itself gzip'd. [wget didn't complain about this.] Fixed.

> PGP signatures do exist for
> the Win32 binaries (gaim-otr & otrproxy). However, the main web page
> does not post the fingerprint used or give a download link for the
> public key. Without a fingerprint to verify, having a signature is useless.

Paul's public key is on the keyservers; you can get it from there. For
example:

http://pgp.mit.edu:11371/pks/lookup?search=paul+wouters&op=vindex&fingerprint=on

Posting a PGP fingerprint on the OTR page isn't so useful, since that
fingerprint would be no more trusted than the software itself. Use the
PGP WoT to trust Paul's key.

- Ian

From jcohen07@brandeis.edu Sun Apr 3 11:29:25 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sun, 03 Apr 2005 06:29:25 -0400
Subject: [OTR-users] File Transfers over OTR
Message-ID: <424FC585.8030204@brandeis.edu>

Are file transfers over OTR encrypted?

Jason

From ian@cypherpunks.ca Sun Apr 3 16:56:48 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Sun, 3 Apr 2005 11:56:48 -0400
Subject: [OTR-users] File Transfers over OTR
In-Reply-To: <424FC585.8030204@brandeis.edu>
References: <424FC585.8030204@brandeis.edu>
Message-ID: <20050403155648.GH30200@smtp.paip.net>

On Sun, Apr 03, 2005 at 06:29:25AM -0400, Jason Cohen wrote:
> Are file transfers over OTR encrypted?

File transfers don't go over OTR, so no.

- Ian

From jcohen07@brandeis.edu Mon Apr 4 02:49:26 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sun, 03 Apr 2005 21:49:26 -0400
Subject: [OTR-users] SILC + OTR & Deniability?
Message-ID: <42509D26.3050008@brandeis.edu>

SILC provides encryption/authentication in user & channel chats, as well
as encrypted file transfers. I would like to use OTR with SILC as SILC's
private key exchange for user chats requires a direct peer to peer
connection and therefore doesn't work when both users are behind a NAT
firewall, and I was wondering if this would still retain the deniability
aspect of OTR. I made sure to turn off digital signing of SILC IMs. The
session key is generated using Diffie Hellman Key Exchange and is signed
with the sender's public key. However, the messages themselves are not
signed but a MAC is used to provide integrity.

Jason

From paul@cypherpunks.ca Mon Apr 4 13:53:03 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Mon, 4 Apr 2005 14:53:03 +0200 (CEST)
Subject: [OTR-users] PGP signatures non-existent + no public key/fingerprint posted on the main webpage
In-Reply-To: <20050402171933.GG30200@smtp.paip.net>
Message-ID:

On Sat, 2 Apr 2005, Ian Goldberg wrote:

> > PGP signatures do exist for
> > the Win32 binaries (gaim-otr & otrproxy). However, the main web page
> > does not post the fingerprint used or give a download link for the
> > public key. Without a fingerprint to verify, having a signature is useless.
>
> Paul's public key is on the keyservers; you can get it from there.

or finger paul@xelerance.com for an out of bound verification.

Paul

From tor@algae-world.com Sat Apr 9 21:35:45 2005
From: tor@algae-world.com (tor)
Date: Sat, 09 Apr 2005 13:35:45 -0700
Subject: [OTR-users] A clueless question :) about ichat-av and otr-proxy
Message-ID: <42583CA1.3050509@algae-world.com>

Hi All,
Am I to understand that when ichat a/v is proxied via http
to 127.0.0.1:8080 and otrproxy is running on both ends
that the AV content is proxied over the otrproxy(i.e. encrypted) and
thus can be used without eavesdropping or does
OTR only protect the textual IM only?

interested readers wish to know
a new and clueless ichat A/V and OTRproxy user under OSX

From paul@cypherpunks.ca Sat Apr 9 22:38:14 2005
From: paul@cypherpunks.ca (Paul Wouters)
Date: Sat, 9 Apr 2005 23:38:14 +0200 (CEST)
Subject: [OTR-users] A clueless question :) about ichat-av and otr-proxy
In-Reply-To: <42583CA1.3050509@algae-world.com>
Message-ID:

On Sat, 9 Apr 2005, tor wrote:

> Hi All,
> Am I to understand that when ichat a/v is proxied via http
> to 127.0.0.1:8080 and otrproxy is running on both ends
> that the AV content is proxied over the otrproxy(i.e. encrypted) and
> thus can be used without eavesdropping or does
> OTR only protect the textual IM only?
>
> interested readers wish to know
> a new and clueless ichat A/V and OTRproxy user under OSX

No, out of bound connections (send file, and I assume Audio and Video too)
are not encrypted. I don't think OTR could possibly work for audio/video,
as the DH key exchange is not *that* cheap, you'd need quite some random
and cpu for that.
You should probably think about setting up an IPsec or other type of VPN
tunnel between you and the other party with the A/V.

Paul

From jcohen07@brandeis.edu Sat Apr 9 23:15:41 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sat, 09 Apr 2005 18:15:41 -0400
Subject: [OTR-users] options for encrypted file transfers
Message-ID: <4258540D.7000400@brandeis.edu>

If you want to encrypt file transfers you have a few options.

a) Use a silc client and initiate a direct key exchange. As long as one
user isn't behind a NAT this will allow you to initiate an encrypted
peer to peer connection using DH exchange and all file transfers will be
encrypted. You can use gaim & gaim-silc or silky or silcclient.

b) use a VPN. I would suggest openvpn.net. It's extremely easy to setup
especially if you use preshared keys rather than (more secure) private
key + certificate authentication. This will create a virtual tunnel
between your machines, and all traffic will be encrypted &
authenticated. Diffie Hellman is used to create the encrypted session
and you use a private key & public certificate (which has been signed by
the VPN server's Certificate Authority) to authenticate.

c) This is probably the most common. Use OpenPGP and encrypt the body of
the email + the attachments with PGP/MIME preferably or PGP/Inline if
you must. Your friend will need to send you his public PGP key.

From jcohen07@brandeis.edu Sat Apr 9 23:20:20 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sat, 09 Apr 2005 18:20:20 -0400
Subject: [OTR-users] encrypted file transfers
Message-ID: <42585524.4080002@brandeis.edu>

I forgot SSH. If you or your friend has Linux, an OpenSSH server can
easily be installed. Then you can use any SFTP/SCP client to transfer
files from your local machine to the remote server or from the remote
server to your local machine. You can browse the server's directories
just like you can with FTP.

From jcohen07@brandeis.edu Sat Apr 9 23:30:05 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sat, 09 Apr 2005 18:30:05 -0400
Subject: [OTR-users] Encrypted File Transfers
Message-ID: <4258576D.7070904@brandeis.edu>

No, out of bound connections (send file, and I assume Audio and Video too)
are not encrypted. I don't think OTR could possibly work for audio/video,
as the DH key exchange is not *that* cheap, you'd need quite some random
and cpu for that.
You should probably think about setting up an IPsec or other type of VPN
tunnel between you and the other party with the A/V.

Paul

Why can't OTR use DH exchange for file transfers? SILC does so and it
seems to work fine. Rather than rekeying every message, you would just
rekey after a specific amount of time or amount of packets/bytes. SILC
keys once per session and only rekeys after 3600 seconds or a specific #
of bytes (not sure of the exact number).

From tor@algae-world.com Sun Apr 10 04:13:34 2005
From: tor@algae-world.com (tor)
Date: Sat, 09 Apr 2005 20:13:34 -0700
Subject: [OTR-users] A clueless question :) about ichat-av and otr-proxy
In-Reply-To:
References:
Message-ID: <425899DE.2030902@algae-world.com>

thanx for answering my question paul, I will probably employ the latest
OpenVPN-cvs running over a socks5 proxy forwarding into ssh via
connect.c/tor in that case to connect up the iChat A/V portions. It's
very good to know where one is NOT protected by efforts such as OTR.

thanx again
a tor user

Paul Wouters wrote:

>On Sat, 9 Apr 2005, tor wrote:
>
>
>
>>Hi All,
>> Am I to understand that when ichat a/v is proxied via http
>>to 127.0.0.1:8080 and otrproxy is running on both ends
>>that the AV content is proxied over the otrproxy(i.e. encrypted) and
>>thus can be used without eavesdropping or does
>>OTR only protect the textual IM only?
>>
>> interested readers wish to know
>> a new and clueless ichat A/V and OTRproxy user under OSX
>>
>>
>
>No, out of bound connections (send file, and I assume Audio and Video too)
>are not encrypted. I don't think OTR could possibly work for audio/video,
>as the DH key exchange is not *that* cheap, you'd need quite some random
>and cpu for that.
>You should probably think about setting up an IPsec or other type of VPN
>tunnel between you and the other party with the A/V.
>
>Paul
>

From jcohen07@brandeis.edu Sun Apr 10 04:59:19 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sat, 09 Apr 2005 23:59:19 -0400
Subject: [OTR-users] Re: encrypted file transfers
Message-ID: <4258A497.6030000@brandeis.edu>

thanx for answering my question paul, I will probably employ the latest
OpenVPN-cvs running over a socks5 proxy forwarding into ssh via
connect.c/tor in that case to connect up the iChat A/V portions. It's
very good to know where one is NOT protected by efforts such as OTR.

thanx again
a tor user

Make use of the documentation & howtos on openvpn.net, particularly
http://openvpn.net/howto.html which has a good howto for installing &
using Openvpn 2.0 in a server/client setup. It's quite easy to follow
and there are instructions for more advanced topics like using the VPN
server to reroute all traffic. The easy-rsa scripts now make it trivial
to create a CA server and create user keys & certificates.

Jason

From paul@xelerance.com Sun Apr 10 19:38:19 2005
From: paul@xelerance.com (Paul Wouters)
Date: Sun, 10 Apr 2005 20:38:19 +0200 (CEST)
Subject: [OTR-users] A clueless question :) about ichat-av and otr-proxy
In-Reply-To: <425899DE.2030902@algae-world.com>
Message-ID:

On Sat, 9 Apr 2005, tor wrote:

> thanx for answering my question paul, I will probably employ the latest
> OpenVPN-cvs running over a socks5 proxy forwarding into ssh via
> connect.c/tor in that case to connect up the iChat A/V portions. It's
> very good to know where one is NOT protected by efforts such as OTR.

I have no idea why you would want to use tor+ssh+openvpn all at once.
It will just burn up too much cpu and ruin any audio/video feed.

Paul

From geiri bolla Sat Apr 23 16:39:53 2005
From: geiri bolla (geiri bolla)
Date: Sat, 23 Apr 2005 15:39:53 +0000
Subject: [OTR-users] OTR & SIMP
Message-ID: <6bd1e7ae05042308392baf6915@mail.gmail.com>

howdy!

I was wondering what the difference between SIMP (
http://www.secway.fr/products/simplite_msn/home.php?PARAM=us,text )
and OTR is?

Thanks in advance,
geiri

From dcarrera@math.umd.edu Sat Apr 23 17:36:22 2005
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sat, 23 Apr 2005 12:36:22 -0400
Subject: [OTR-users] OTR & SIMP
In-Reply-To: <6bd1e7ae05042308392baf6915@mail.gmail.com>
References: <6bd1e7ae05042308392baf6915@mail.gmail.com>
Message-ID: <426A7986.4090700@math.umd.edu>

First, OTR is open source and SIMP isn't. For security products, the
ability to verify the source code is invaluable. Security through
obscurity is no security at all.

Judging from their "specifications" page, this looks like an
old-fashioned security system. That is, using RSA to exchange symmetric
keys, and then using the same session key for the entire discussion.
This system does not provide the repudiability and perfect forward
security of OTR. Specifically:

* Repudiability: With previous systems, if someone managed to read the
communication (e.g. by stealing the private key) not only would they
know what you said, but they would have mathematical /proof/ that you
said it. This can hardly be considered "private". The principle of
anonymity is central to privacy.

* Perfect forward security: Suppose that an attacker collects the
encrypted transmissions, over time, in the hope of one day being able to
obtain your private key. 20 years from now they get it (either through a
breakthrough in mathematics, or faster computers, or by stealing your
computer). They will be able to read every transmission you sent over
those 20 years.

In contrast, with OTR, there is a short window (a few seconds) over
which a transmission can be decrypted (and the key can only be obtained
from the computer's RAM memory). After that, the key is shredded from RAM
and a new one is created. If someone obtains your key 20 years from now,
they will not be able to read /anything/ that you sent over those 20
years. The information is gone. Period.

Traditional encryption is like sealing a letter in a safe. OTR is like
that, but also writing the letter on self-destruct paper.

Cheers,
Daniel.

geiri bolla wrote:

>howdy!
>
>I was wondering what the difference between SIMP (
>http://www.secway.fr/products/simplite_msn/home.php?PARAM=us,text )
>and OTR is?
>
>Thanks in advance,
>geiri
>

From jcohen07@brandeis.edu Sun Apr 24 22:00:52 2005
From: jcohen07@brandeis.edu (Jason Cohen)
Date: Sun, 24 Apr 2005 17:00:52 -0400
Subject: [OTR-users] OTR website not accessible
Message-ID: <426C0904.20301@brandeis.edu>

The OTR website (www.cypherpunks.ca/otr/) hasn't been accessible for
several days? Is it down?

From ian@cypherpunks.ca Sun Apr 24 22:26:41 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Sun, 24 Apr 2005 17:26:41 -0400
Subject: [OTR-users] OTR website not accessible
In-Reply-To: <426C0904.20301@brandeis.edu>
References: <426C0904.20301@brandeis.edu>
Message-ID: <20050424212641.GN1071@smtp.paip.net>

On Sun, Apr 24, 2005 at 05:00:52PM -0400, Jason Cohen wrote:
> The OTR website (www.cypherpunks.ca/otr/) hasn't been accessible for
> several days? Is it down?

No, it's up (in fact, it's on the same machine as this mail server), but
it's changed IP addresses.
Your DNS provider may be one of those (annoying) ones that ignores DNS
TTL times; the current IP address for www.cypherpunks.ca is
205.150.102.100 (though that will almost certainly change again in the
next week or so).

- Ian
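
Added example (not part of any message in this archive, and not OTR or SIMP code): a toy Python model of the forward-secrecy contrast Daniel Carrera describes in the "OTR & SIMP" thread above, comparing one session key wrapped under a long-term RSA key with per-message Diffie-Hellman keys that are discarded after use. The tiny primes, the SHA-256 keystream and all function names are assumptions made for illustration; real OTR also authenticates the key exchange, which is left out here.

```python
import hashlib
import hmac
import secrets

# Toy parameters, far too small for real use (assumptions of this example).
DH_P = 2**127 - 1                       # Mersenne prime as toy DH modulus
DH_G = 3
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1     # toy RSA primes
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
# Recipient's long-term private key: the thing stolen "20 years from now".
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def _keys(secret: int):
    """Derive separate encryption and MAC keys from a shared secret."""
    seed = hashlib.sha256(secret.to_bytes(32, "big")).digest()
    return (hashlib.sha256(seed + b"enc").digest(),
            hashlib.sha256(seed + b"mac").digest())


def _stream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode, used as a toy keystream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(secret: int, msg: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from `secret`."""
    enc, mac = _keys(secret)
    ct = bytes(m ^ s for m, s in zip(msg, _stream(enc, len(msg))))
    return ct + hmac.new(mac, ct, hashlib.sha256).digest()


def unseal(secret: int, blob: bytes):
    """Return the plaintext, or None if the MAC says the key is wrong."""
    enc, mac = _keys(secret)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(enc, len(ct))))


def key_transport_session(messages):
    """One session key for the whole chat, wrapped under the RSA public key."""
    secret = secrets.randbelow(RSA_N - 2) + 2
    wire = {"wrapped": pow(secret, RSA_E, RSA_N),
            "blobs": [seal(secret, m) for m in messages]}
    return wire          # everything an eavesdropper can record


def ephemeral_dh_session(messages):
    """Fresh DH exponents per message; they exist only inside this loop."""
    wire = []
    for m in messages:
        x = secrets.randbelow(DH_P - 3) + 2
        y = secrets.randbelow(DH_P - 3) + 2
        gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
        wire.append({"gx": gx, "gy": gy, "blob": seal(pow(gy, x, DH_P), m)})
        del x, y         # discarded: no long-term value can regenerate them
    return wire


def later_compromise(wire, long_term_d):
    """Attacker holds the recorded traffic plus the long-term private key."""
    if isinstance(wire, dict):
        # Key transport: the long-term key unwraps the one session key.
        secret = pow(wire["wrapped"], long_term_d, RSA_N)
        return [unseal(secret, b) for b in wire["blobs"]]
    # Ephemeral DH: the long-term key has no relation to x or y, so even
    # trying it as an exponent yields a wrong key and the MAC check fails.
    return [unseal(pow(r["gy"], long_term_d, DH_P), r["blob"]) for r in wire]


if __name__ == "__main__":
    chat = [b"meet at noon", b"bring the documents"]   # constructed sample
    print(later_compromise(key_transport_session(chat), RSA_D))
    print(later_compromise(ephemeral_dh_session(chat), RSA_D))
```

In the key-transport run the recorded traffic decrypts in full once the long-term key leaks; in the ephemeral run every message comes back as None because the per-message exponents no longer exist anywhere.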