[Psi-Devel] Off-the-Record messaging for Psi
Timo Engel
timo-e at freenet.de
Mon Oct 8 06:31:22 PDT 2007
On 08-Oct-2007 Kevin Smith wrote:
> On 8 Oct 2007, at 13:00, Timo Engel wrote:
>> OTR uses authentication with DSA keys. You can be sure there is no
>> man-in-the-middle attack. Of course, you have to verify the
>> fingerprints of the public keys. With other encryption protocols it's
>> the same problem.
>
> Is that exposed in this plugin? I've not noticed any client
> presenting keys for oob verification before (in fact, Psi is one of
> the relatively few clients that does SSL cert checking).

The OTR plugins for Psi and Gaim store a list of known fingerprints. If a
contact requests a secure OTR connection with a different fingerprint (e.g. in
case of a man-in-the-middle attack), a warning is shown to the user.

libotr has functions for managing fingerprints, so most clients will have
implemented this.

timo.
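
The known-fingerprint check described in the message above, as an added Python sketch; it is not code from the Psi or Gaim plugins and does not call libotr. The tab-separated store layout, the sample entries and the result labels are assumptions made for this illustration.

```python
import re

# Constructed sample store: contact, local account, protocol, fingerprint, trust.
# The tab-separated layout is an assumption for this sketch.
SAMPLE_STORE = (
    "alice@example.org\tme@example.org\tjabber\t"
    "0123456789abcdef0123456789abcdef01234567\tverified\n"
    "bob@example.org\tme@example.org\tjabber\t"
    "89abcdef0123456789abcdef0123456789abcdef\t\n"
)

_FP_RE = re.compile(r"[0-9a-f]{40}")  # 160-bit fingerprint as 40 hex digits


def normalize(fp):
    """Accept 'ABCD1234 ...' display form or plain hex; return lowercase hex."""
    hexed = re.sub(r"\s+", "", fp).lower()
    if not _FP_RE.fullmatch(hexed):
        raise ValueError("not a 160-bit hex fingerprint: %r" % fp)
    return hexed


def load_store(text):
    """Map (contact, account, protocol) -> {fingerprint: trust string}."""
    store = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue  # malformed line: ignore rather than guess
        contact, account, protocol, fp = fields[:4]
        trust = fields[4].strip() if len(fields) > 4 else ""
        store.setdefault((contact, account, protocol), {})[normalize(fp)] = trust
    return store


def classify(store, contact, account, protocol, presented):
    """Decide what the client should tell the user about a presented key."""
    known = store.get((contact, account, protocol), {})
    fp = normalize(presented)
    if fp in known:
        return "verified" if known[fp] else "known-unverified"
    # Contact already has a stored key, but not this one: the warning case.
    return "changed-warn" if known else "first-contact"
```

Only the "verified" result reflects an out-of-band fingerprint comparison; "first-contact" and "known-unverified" mean the key has merely been seen, not authenticated.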