[Psi-Devel] QT Messenger Join Venture

Andreas Ntaflos daff at pseudoterminal.org
Tue Oct 23 07:49:27 PDT 2007


On Tuesday 23 October 2007 16:21:38 Remko Tronçon wrote:
> > Serverless IM presumably would feature encryption on the transport level
> > somehow so it would be easier and more secure "out of the box", without
> > users having to set up end-to-end encryption manually.
>
> Weird as it may sound, serverless IM is *a lot* more subject to
> security attacks than server-based IM, unless you check identity
> thoroughly (something that is easier to check in the server-based
> case). Bottom line: you need end-to-end encryption to be perfectly
> safe, and if you have that, you might as well use server-based IM.

Of course. All serverless IM protects you against is a malicious admin, and 
some derivations thereof (for example an overly nosey employer). 

Nonetheless a well-designed, well-implemented serverless IM protocol (not 
talking about XEP-0147 now, which is something else entirely) would probably 
go a long way to ensure enhanced security with fewer responsibilities on the 
user-side, but an ultimate solution it certainly cannot be (and far be it 
from me to know how to design and implement such a system). 

And, as Hal mentioned, most P2P and distributed systems can be attacked with 
fake clients and honeypots so the advantage of not having a dirty admin on a 
server is probably outweighed by much by the disadvantages of a DHT-based 
system. 

You are of course right, the only really safe choice is end-to-end encryption 
initiated by the user.

Anyway, I was just trying to articulate what I think Michael Schmidt's point 
was. :)

Andreas
-- 
Andreas "daff" Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4