Re: best way to secure communication?
On (23/05/06 01:58), lee wrote:
> On Sat, May 20, 2006 at 10:44:29PM +0100, James Westby wrote:
> > No matter how well the encryption is implemented on top of a protocol
> > like that it could be circumvented easily. For real security it has to
> > be designed in from the start.
> Yeah, I wondered why that has not been done. It's one of the first
> things to think of when creating any protocol that can be used to
> transfer information over insecure channels.
I doubt most users of IM programs do not want it.
> They seem to already have taken care of that by automating the key
> exchange. We couldn't try it out yet because the other end had weird
> trouble downloading the software, but I guess it will work. Then we
> will need to compare the fingerprints, and should be 'sufficiently
> secure' for a first attempt.
But how will you compare the fingerprints? That needs to be done out of
the channel. I would suggest that email would be the best way. Get your
friend to email you the fingerprint, then you can check it came from the
email address they normally use (probably good if it's not the one used
for the IM). Otherwise, if you do it over the IM, the person at the
other end has just told you the fingerprint of the key they just sent,
not a very difficult task for an attacker.
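
Added example, not part of the original message: a small model of the point above, showing that a fingerprint sent over the same IM link as the key always matches, even when the key was swapped in transit, while one received by e-mail exposes the swap. The `IMChannel` class, the constructed keys and the use of SHA-256 for the fingerprint are assumptions for illustration, not the behaviour of any particular IM plugin.

```python
import hashlib
import hmac

# Constructed stand-ins for public keys; real keys come from the IM plugin.
FRIEND_KEY = hashlib.sha256(b"constructed friend key").digest()
ATTACKER_KEY = hashlib.sha256(b"constructed attacker key").digest()


def fingerprint(public_key: bytes) -> str:
    """Hex fingerprint in groups of 8 (SHA-256 is an assumption here)."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def _normalise(fp: str) -> bytes:
    # Ignore spacing, colons and case so a pasted fingerprint still compares.
    return "".join(fp.replace(":", "").split()).upper().encode()


def matches(received_key: bytes, claimed_fp: str) -> bool:
    """Does the key we actually received have the fingerprint we were told?"""
    return hmac.compare_digest(_normalise(fingerprint(received_key)),
                               _normalise(claimed_fp))


class IMChannel:
    """Hypothetical model of the IM link; tampered=True rewrites traffic."""

    def __init__(self, tampered: bool):
        self.tampered = tampered

    def deliver_key(self, key: bytes) -> bytes:
        return ATTACKER_KEY if self.tampered else key

    def deliver_text(self, fp: str) -> str:
        # Whoever can swap the key can also swap a fingerprint sent in-band.
        return fingerprint(ATTACKER_KEY) if self.tampered else fp


def verify(channel: IMChannel, fp_from_email=None) -> bool:
    """Check the received key against an in-band or e-mailed fingerprint."""
    received = channel.deliver_key(FRIEND_KEY)
    if fp_from_email is None:
        claimed = channel.deliver_text(fingerprint(FRIEND_KEY))
    else:
        claimed = fp_from_email
    return matches(received, claimed)
```

With a tampered channel, `verify(IMChannel(True))` returns `True` (the in-band check is fooled), while passing the fingerprint obtained by e-mail makes it return `False`.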