[Juser] Anonimity in Jabber?

Peter Saint-Andre stpeter at jabber.org
Wed Mar 23 10:38:02 CST 2005


On Wed, Mar 23, 2005 at 07:41:02AM -0500, Daniel Carrera wrote:

> I have a question. I'm looking for an IM alternative that can provide 
> privacy. I already plan to use Gaim with the OTR plugin to get encryption. 
> So that's not a problem. So all that's left is the anonimity of the 
> client's IP address. Since Jabber users intermediary servers, I hope that 
> Jabber can provide this.
> 
> Consider, for example, Romeo and Juliet talking:
> 
>    romeo -> montague.net -> capulet.org -> juliet
> 
> Juliet suspects that Tybalt has root access to the Capulet server, and is 
> plotting to kill Romeo. Tybalt can't read their conversation because they 
> are using OTR. But if he could get Romeo's client IP, he could find his 
> location and slay him.
> 
> If Romeo and Juliet used Jabber, would Romeo's IP be safe from Tybalt?

If Tybalt has root access to the capulet.org server, he can know
Juliet's IP address but he cannot know Romeo's IP address. On this
point, see section 14.3 of RFC 3920

   The IP address and method of access of clients MUST NOT be 
   made public by a server, nor are any connections other than 
   the original server connection required.  This helps to protect 
   the client's server from direct attack or identification by 
   third parties.

BTW, I've been talking with the OTR guys on "jabberizing" their protocol
for use in a wider variety of clients (not just Gaim).

Oh, and thanks for the Shakespeare examples. :-)

Peter




More information about the JUser mailing list