Re: best way to secure communication?
On Sat, May 20, 2006 at 10:44:29PM +0100, James Westby wrote:
> No metter how well the encryption is implemented on top of a protocol
> like that it could be circumvented easily. For real security it has to
> be designed in from the start.
Yeah, I wondered why that has not been done. It's one of the first
things to think of when creating any protocol that can be used to
transfer information over insecure channels.
> > better. The hard thing is to find out what can be considered as
> > 'sufficiently difficult'.
> That's a subjective thing.
> > someone would try to attack, he'd probably attack the other end since
> > it appears to be the weakest part.
> That's probably the case yes. But if you use end-to-end gpg encryption
> then you should be alright. As long as your friends aren't the sort of
> people who hand out their private keys to anyone that asks.
Well, I will have to instruct them not to do that, and to read gpg
documentation. Besides using the encryption plugin, I would like to
get to using gpg for mails.
> Without seeing it I would say that gpg meets your needs, and the authors
> of the plugin have probably done a good job of writing it.
I hope so ...
> My only concern would be the key distribution, but you can come up
> with a solution to that,
They seem to already have taken care of that by automizing the key
exchange. We couldn't try it out yet because the other end had weird
trouble downloading the software, but I guess it will work. Then we
will need to compare the fingerprints, and should be 'sufficiently
secure' for a first attempt.
> especially if you know who you want to talk to before you start.
Yes, I know that. I'm curious if there's any control about the
automatic key exchange. It should at least ask me if I want to allow