[OTR-users] otr support in gajim?
Ananda Samaddar
ananda.samaddar at vfemail.net
Tue Nov 18 20:10:55 EST 2008
Jonathan Schleifer wrote:
> Ian Goldberg <ian at cypherpunks.ca> wrote:
>
>> SAS can't be checked in-band; a MITM could just substitute the in-band
>> values.
>
> Oh, sorry, I understood in-band as in in-client, not as in inside the
> conversation. That - of course - does not work, as it would compromise
> security.
>
>> Not quite; OTR allows a prearranged shared secret (of your choice) to
>> be used to authenticate your buddy. With SAS, you have to first
>> generate your keys, then exchange the 5-character short random
>> strings.
>
> With ESessions, you don't even need keys :) You just use a shared
> secret and no keys (you can use keys, but the simplified ESessions XEP
> doesn't require them).
>
>> Hmm? There have been formal analyses of the security of the OTR
>> protocol. Is there something in particular you'd like to see that's
>> missing?
>
> I don't want to see anything, it are developers of other clients who
> first want to see a real cryptanalysis on the protocol like it has been
> done for TLS and this is why soon TLS will be used for client to client
> encryption in XMPP :(.
>
>
The fact of the matter is that OTR is already implemented in Pidgin,
Kopete and Adium. Three of the most popular FLOSS instant messaging
clients and is protocol agnostic. This alone means that it's becoming a
de facto standard for IM encryption and reason enough for Gajim to
support it.
Ananda
More information about the OTR-users
mailing list