[jdev] Safety Jabber Client
kevin at kismith.co.uk
Mon Jan 14 16:09:05 UTC 2013
On Mon, Jan 14, 2013 at 4:02 PM, Info . <triadacorp1 at googlemail.com> wrote:
> aboute securely you are exchange only public keys, not private...... u send
> public keys directly to your opponent by jabber..... (not to any server)
> in this way MITM attack will have no meaning.
> without private keys - nothing is impossible to decrypt...
I assume you mean that the user is not asked to verify the key
fingerprint out of band (else it wouldn't be automatic). If you're not
doing this, how can you guarantee that the public key belongs to the
right person and hasn't been MITMed? Do you mean that the keys are
sent peer to peer, without sending them through the XMPP stream? If
so, how are these P2P connections negotiated? If they're negotiated
over XMPP then the security profile is pretty much the same as if the
keys themselves were sent over XMPP too, isn't it?
More information about the JDev