[OTR-users] Question-/Answer authentication - Possible improvement

Ximin Luo infinity0 at gmx.com
Wed Dec 11 06:38:08 EST 2013


On 11/12/13 11:30, Ximin Luo wrote:
> Whether people do OTR "authentication" (key validation is the more universal
> term) properly, is not dependent on how technical they are, but by how much
> they care about their security. I know plenty of non-techie activists who do it
> properly, because they care. Likewise, I know plenty of techies that don't do
> it, because they don't care, even though they fully understand the implications
> of not doing so.
> 
> IMO the reluctance of certain techies to follow security protocols carefully,
> sets a bad example for ordinary users. Typically, they say they cannot be
> bothered to perform a minor manual task on the basis of "it should be done by
> the computer". But MITM protection will *always require* some manual step,
> otherwise it is susceptible to the attacker guessing what the automatic part
> would have been. It is a human logistics problem, not a computer science problem.
> 
> Sure, tools ought to be as convenient as possible, but if you're the user and
> you don't have a more convenient tool, you ought to use it properly. If not,
> then at least explain to the user that this is bad for security. The Germans
> lost WWII because of crappy key management practices.
> 

Whoops, the grammar got lost during editing. This should instead say,

"[..] but if they're the user and they [..], they ought to [..]. If not, then
at least explain to them [..]"

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
