[Psi-Devel] Off-the-Record messaging for Psi
Timo Engel
timo-e at freenet.de
Mon Oct 8 05:00:58 PDT 2007
On 08-Oct-2007 Kevin Smith wrote:
[...]
> Sadly, using OTR in this way doesn't add very much security: if c2s
> and s2s streams are encrypted anyway the only thing that end to end
> encryption, like OTR, provides is protection against a malicious or
> compromised server. OTR doesn't provide protection against this
> (indeed, there's even an ejabberd module to automatically log
> decrypted OTR messages) because there is no out-of-band verification.
> If security isn't important, you could send it plain-text, and if it
> is important OTR won't provide it, sadly.
OTR uses authentication with DSA keys. You can be sure there is no
man-in-the-middle attack. Of course, you have to verify the fingerprints of
the public keys. With other encryption protocols it's the same problem.
timo.
More information about the Psi-Devel
mailing list