[Security] TLS Certificates Verification

Jonathan Dickinson jonathanD at k2.com
Tue Aug 19 15:16:52 CDT 2008


Encryption isn't bound to a format. You can encrypt a <body/> tag just as easily as you could encrypt all child tags, or indeed a bitmap or jpeg image. Only encrypting the <body> tag is a failure on the part of the implementors, not the inventors? No?

Saying that OTR is useless because current implementations only encrypt the <body> tag is as good as saying that *AES is useless* because _my_ program only encrypts the first five letters of a text document.

In other words:
<message from="romeo at foo.org" to="juliet at foo.org">
  <body>Meet me in the courtyard.</body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p style='font-weight:bold'>Meet me in the courtyard</p>
    </body>
  </html>
</message>
==
<message from="romeo at foo.org" to="juliet at foo.org">
  <encrypted>adbndpbc098123</encrypted>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p style='font-weight:bold'>Meet me in the courtyard.</p>
    </body>
  </html>
</message>

Should be:

<message from="romeo at foo.org" to="juliet at foo.org">
  <body>Meet me in the courtyard.</body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p style='font-weight:bold'>Meet me in the courtyard</p>
    </body>
  </html>
</message>
==
<message from="romeo at foo.org" to="juliet at foo.org">
  <encrypted>adbndpbc098124</encrypted>
</message>

Or even better:
<encrypted from="romeo at foo.org" to="juliet at foo.org">
  <encrypted><!-- B64 of whole message tag here --></encrypted>
</encrypted>

-----Original Message-----
From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On Behalf Of Jonathan Schleifer
Sent: Tuesday, August 19, 2008 10:05 PM
To: XMPP Security
Subject: Re: [Security] TLS Certificates Verification

On 19.08.2008 at 21:59, Jonathan Dickinson wrote:

> I just watched the OTR webcast. It is actually pretty well thought
> out.

ESessions is more or less OTR done right (not so hacky etc.). They have a great deal in common. In fact, ESessions was designed to have something like OTR, but the Jabber way.

> And it does what we want.

It clearly does NOT. It only supports encryption of the <body> element. But uses HTML in that etc.

--
Jonathan
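
Added example, not part of either message and not code from any XMPP client: a small Python check that lists the text still readable outside the <encrypted> element in the three stanza layouts shown in the post. The stanzas are constructed copies of the ones above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas, modelled on the layouts in the post.
# For untrusted input, parse with a hardened parser such as defusedxml.
BODY_ONLY = """<message from="romeo at foo.org" to="juliet at foo.org">
  <encrypted>adbndpbc098123</encrypted>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p style='font-weight:bold'>Meet me in the courtyard.</p>
    </body>
  </html>
</message>"""

WHOLE_PAYLOAD = """<message from="romeo at foo.org" to="juliet at foo.org">
  <encrypted>adbndpbc098124</encrypted>
</message>"""

WHOLE_STANZA = """<encrypted from="romeo at foo.org" to="juliet at foo.org">
  <encrypted><!-- B64 of whole message tag here --></encrypted>
</encrypted>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def cleartext_leaks(stanza_xml):
    """Return (path, text) for every text node outside a nested <encrypted>."""
    leaks = []
    def walk(elem, path, top):
        here = path + "/" + local(elem.tag)
        if local(elem.tag) == "encrypted" and not top:
            return  # ciphertext container: its content is opaque to observers
        if elem.text and elem.text.strip():
            leaks.append((here, elem.text.strip()))
        for child in elem:
            walk(child, here, False)
            if child.tail and child.tail.strip():
                leaks.append((here, child.tail.strip()))
    walk(ET.fromstring(stanza_xml), "", True)
    return leaks

def exposed_routing(stanza_xml):
    """Attributes on the outer element stay visible in every layout."""
    return dict(ET.fromstring(stanza_xml).attrib)

if __name__ == "__main__":
    for name in ("BODY_ONLY", "WHOLE_PAYLOAD", "WHOLE_STANZA"):
        print(name, cleartext_leaks(globals()[name]), exposed_routing(globals()[name]))
```

Only the body-only layout reports a leak (the XHTML-IM copy of the message); the from and to attributes remain visible in all three.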

