[OTR-dev] mod_otr: man in the middle implementation for ejabberd

Ian Goldberg ian at cypherpunks.ca
Sat Mar 31 19:04:24 EDT 2007


On Fri, Mar 30, 2007 at 03:28:49PM +0200, Olivier Goffart wrote:
> Hello,
> 
> I have developed a module for ejabberd (a widely used Jabber server) that does 
> the man in the middle attack on OTR messages.

Cool!  I remember a long time ago people were talking about doing this
for Trillian's SecureIM (which has no way at all to authenticate users),
but I think (at least at the time) Trillian's SecureIM only worked on
AIM, not Jabber.

> I made this module to show that it is not possible to make e2e encryption user 
> friendly. (for those who want an easy-to-use enabled-by-default e2e 
> encryption)
> Lambda user (who doesn't really care about security) will not check 
> fingerprint.

But also remember that even if OTR is turned on by default, and Lambda
user doesn't know anything about checking fingerprints, he's no worse
off than if OTR weren't there to begin with, and is better off against
at least some kinds of attackers.

> So now, check your fingerprints :-)

Yes, please do.  :-)

   - Ian
