[OTR-users] Authentication question

Ian Goldberg ian at cypherpunks.ca
Wed Mar 28 18:26:52 EDT 2007


On Wed, Mar 28, 2007 at 09:54:36PM +0200, Franz Bayer wrote:
> Hi,
> 
> Is there a way to make sure that the one I'm chatting with is really
> the person I want to talk to? How to find out if someone other than
> him is sitting at his PC?
> 
> With PGP or GnuPG I can be sure cause only he can enter the right
> private key password. Is there a password or something like this in
> OTR too?
> 
> Also I have seen that the private key is stored in /home/me/.gaim just
> in clear text format. Is this a security risk? How often is it changed
> (in case of trojan e.g.)?

Right now, it's assumed that your computer is secure from things like
trojans.  If it's not, you're hosed no matter what you do.  Changing or
encrypting keys can't protect you.

Optionally encrypting the otr files is something we're thinking about,
but it has to be optional, and off by default.

Without serious client-side support like proximity sensors and RFID
tags, you're unlikely to be able to tell when the "real" user wanders
away from his machine, and someone else wanders up to it, of course. ;-)

   - Ian


