[Jingle] Jingle / e2e security (1)

Pavel Simerda pavlix at pavlix.net
Wed Feb 11 07:46:17 CST 2009


One might not want to use MD5 even with a big quantity of bits, these
days :).

Pavel

On Wed, 11 Feb 2009 11:25:18 +0100
Earl <Large.Files at gmx.net> wrote:

> Pavel,
> 
> you misunderstood me, we are both on the same exact frequency.
> 
> Everyone is stupid, including myself.  I learn constantly, but I, as
> everyone else will die stupid.  Life is not long enough to become
> intelligent.
> 
> Although I like ZRTP very much, it can be better or worse depending on
> the hash utilized, as well as the number of bits.  As usual,
> *implementation* is extremely important.  One would not want to use
> MD5 with a small quantity of bits, for example.
> 
> Regards, Earl
> 
> Pavel Simerda wrote:
> > On Sun, 08 Feb 2009 14:28:31 +0100
> > Earl <Large.Files at gmx.net> wrote:
> >
> >   
> >> Pavel,
> >>
> >>     
> >
> > I'm afraid you are both misinterpreting what I have written and
> > underestimating me.
> >
> >   
> >> One has to distinguish between encryption and security.
> >>     
> >
> > Doesn't this perfectly fit in what I have already said?
> >
> >   
> >> It is possible to use encryption and have zero security.
> >>     
> >
> > And this just as well?
> >
> >   
> >> There is a lot of confusion and psychological effect with SSL/TLS.
> >> Since TLS can not provide security, it should be called TLE =
> >> Transport Layer Encryption.  Putting the word security in the name
> >> of a protocol is like putting "democratic" in the name of a country
> >> or putting "patriot" in the name of a law.
> >>     
> >
> > That's plain politics.
> >
> >   
> >> end 2 end encryption has absolutely no relationship with end to end
> >> security,
> >>     
> >
> > This statement looks plain wrong to me (even when continued)
> >
> >   
> >> unless men in the middle can be detected.
> >>     
> >
> > This ending is too general to give any useful information.
> >
> >   
> >> Detecting and/or eliminating men in the middle is a necessary part
> >> of Jabber/XMPP security.
> >>     
> >
> > That's the first thing I could agree with (though I would choose
> > different wording).
> >
> >   
> >> Why do people not read or understand what Phil Zimmermann has to
> >> say?
> >
> > You'd better bring something helpful rather than trying to tell
> > other people they're stupid (or at least uninformed), EVEN if you
> > were right.
> >
> >   
> >> Earl
> >>     
> >
> > Thanks, Pavel
> >
> >   
> >> Pavel Simerda wrote:
> >>     
> >>> TLS is only a tool that can be used in a security-aware
> >>> environment. It doesn't provide good security per se.
> >>>
> >>> On Thu, 15 Jan 2009 22:16:43 -0500
> >>> "Stephen Pendleton" <pendleto at movsoftware.com> wrote:
> >>>
> >>>   
> >>>       
> >>>> -----Original Message-----
> >>>> From: jingle-bounces at xmpp.org [mailto:jingle-bounces at xmpp.org] On
> >>>> Behalf Of Earl
> >>>> Sent: 01/14/2009 4:35 PM
> >>>> To: XMPP Jingle
> >>>> Subject: [Jingle] Jingle / e2e security (1)
> >>>>
> >>>>
> >>>> Peter,
> >>>>
> >>>> I have seen a company selling a hw firewall, targeted at
> >>>> corporations that want to read
> >>>> all SSL and TLS traffic.  This firewall only performed the man in
> >>>> the middle listening
> >>>> and let the corporation see all SSL and TLS encrypted traffic in
> >>>> the clear.  I have serious
> >>>> doubts that SSL or TLS can really provide any security.  I mean
> >>>> this firewall was being
> >>>> sold by a very small Chinese company, so you can imagine what
> >>>> organized crime and
> >>>> governments can do.
> >>>>
> >>>> --------------------------
> >>>> There are such devices but they require the keys to be uploaded
> >>>> to the device. Most likely the device you saw was of this
> >>>> variety. They are used so that organizations can monitor the
> >>>> encrypted traffic within their organizations.
> >
> >   
> 


-- 

Pavel Šimerda
Freelancer in the field of computer networks, communication and security
Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net

