[OTR-dev] OTR, keyservers, MITM, etc.

Donny Viszneki donny.viszneki at gmail.com
Tue Aug 18 11:01:25 EDT 2009


On Tue, Aug 18, 2009 at 7:34 AM, Gregory Maxwell<gmaxwell at gmail.com> wrote:
> On Tue, Aug 18, 2009 at 6:35 AM, <chris-tuchs at hushmail.com> wrote:
>> The basic plan is to use multiple servers as a secondary channel
>> to detect MITM attacks.  The kernel of the protocol is just
>> "Alice and Bob post the fingerprints of both their DSA keys to
>> public servers, check that the fingerprints match, and that
>> there are no conflicting claims."
>
> An attacker unable to perform actual MITMs against OTR can trigger
> MITM warnings, causing users to use different transports.

There would be no "MITM warnings." Without a conflicting claim about
OTR keys, there can be no MITM, unless he already has your keys.

-- 
http://codebad.com/
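
The check quoted at the top of this message ("post the fingerprints ... check that the fingerprints match, and that there are no conflicting claims"), written out in Python as an added example; it is not part of the original message or of OTR. The (poster, subject, fingerprint) record layout, the server names and the fingerprints are assumptions constructed for illustration.

```python
from collections import defaultdict

def normalize(fp):
    """Compare fingerprints without regard to spacing or letter case."""
    return "".join(fp.split()).upper()

def check_servers(local_view, servers, parties):
    """Return sorted (server, subject, problem) tuples; empty means the check passed.

    local_view: {identity: fingerprint} as seen in this OTR session.
    servers:    {server: [(poster, subject, fingerprint), ...]} as fetched
                from each public server (hypothetical record layout).
    """
    findings = []
    for server, claims in servers.items():
        fps, posters = defaultdict(set), defaultdict(set)
        for poster, subject, fp in claims:
            fps[subject].add(normalize(fp))
            posters[subject].add(poster)
        for subject in parties:
            expected = normalize(local_view[subject])
            if not fps[subject]:
                problem = "missing"      # server holds no claim for this identity
            elif len(fps[subject]) > 1:
                problem = "conflict"     # two different keys claimed for one identity
            elif fps[subject] != {expected}:
                problem = "mismatch"     # server is consistent, but not with our session
            elif not set(parties) <= posters[subject]:
                problem = "one-sided"    # only one party has posted this fingerprint
            else:
                continue
            findings.append((server, subject, problem))
    return sorted(findings)

# Constructed sample data: identities, servers and fingerprints are made up.
A = "0F1E2D3C 4B5A6978 8796A5B4 C3D2E1F0 01234567"
B = "89ABCDEF 01234567 89ABCDEF 01234567 89ABCDEF"
X = "DEADBEEF DEADBEEF DEADBEEF DEADBEEF DEADBEEF"
LOCAL = {"alice": A, "bob": B}
GOOD = [("alice", "alice", A), ("alice", "bob", B),
        ("bob", "alice", A.lower()), ("bob", "bob", B)]
SERVERS = {
    "ks1.example": GOOD,
    "ks2.example": GOOD + [("bob", "bob", X)],  # conflicting claim for bob
    "ks3.example": GOOD[:2],                    # bob's posts are absent
}

if __name__ == "__main__":
    for finding in check_servers(LOCAL, SERVERS, ("alice", "bob")):
        print(finding)
```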


