[Security] Gajim 0.12's E2E encryption UI

Pedro Melo melo at simplicidade.org
Sat Aug 23 07:30:44 CDT 2008


On Aug 23, 2008, at 9:39 AM, Jonathan Schleifer wrote:

> On 23.08.2008 at 00:34, Pedro Melo wrote:
>
>> As for UI for the SAS exchange, I'm partial to the use of the
>> Mnemonic encoder with a GUI like this:
>> http://mooseyard.com/Jens/2008/04/cloudy-verification/ (page down,
>> about three or four screens).
>
> That idea is pretty smart. The user can't just click ok. The other,
> wrong combinations of words are generated locally, I hope?

Yes. It's not specified on the post, but I assume that you run some
xor a couple of times and generate the mnemonic of those values and
show them to the user.

Or barrel shift the word. Take your pick. As long as you make sure
you don't end up with the same 32-bit value :)

> But what about the case clicking the right one without verifying?  
> With just a few possible answers, that's quite likely.

Increase the list and place the correct one in a random position.  
Don't put the correct one always at the top. I don't think you can do  
better than that and keep it simple.

See the comments on the post. Jens actually talks about that. I agree
with him. If you want complete assurance, you might as well force the
user to compare the full sig.

BTW, the only thing I would add to that UI would be an
"Advanced" (hidden by default) section where you could find the full
sig, for real security conscious users.

Best regards,
-- 
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!
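
The choice list discussed in this message, sketched as an added example that is not part of the original post and is not Gajim's code: decoys are derived locally from the 32-bit SAS by barrel shift and xor, any value that collides with the SAS or another decoy is rejected, and the correct entry lands at a random position. The 16-word list, the 4-bits-per-word encoding and all function names are constructed for illustration; a real mnemonic encoder uses a much larger word list.

```python
import secrets

# Constructed 16-word list (assumption): one word per 4-bit nibble.
WORDS = ["amber", "basil", "cedar", "delta", "ember", "fjord", "grove", "haze",
         "iris", "jade", "kelp", "lotus", "maple", "nova", "opal", "pine"]

MASK32 = 0xFFFFFFFF


def encode(value: int) -> str:
    """Render a 32-bit value as eight words, most significant nibble first."""
    return " ".join(WORDS[(value >> shift) & 0xF] for shift in range(28, -1, -4))


def rotl32(value: int, bits: int) -> int:
    """Barrel shift (rotate left) within 32 bits."""
    bits %= 32
    return ((value << bits) | (value >> (32 - bits))) & MASK32


def make_choices(sas: int, count: int = 8):
    """Return (word strings to display, index of the correct one)."""
    if not 0 <= sas <= MASK32:
        raise ValueError("SAS must be a 32-bit value")
    if count < 2:
        raise ValueError("need at least one decoy")
    seen = {sas}
    decoys = []
    while len(decoys) < count - 1:
        # Rotate by 1..31 bits, then xor with fresh random bits.
        candidate = rotl32(sas, 1 + secrets.randbelow(31)) ^ secrets.randbits(32)
        if candidate in seen:
            continue  # never show the real SAS, or the same decoy, twice
        seen.add(candidate)
        decoys.append(candidate)
    # Random slot for the real SAS, so "always click the first entry" fails.
    position = secrets.randbelow(count)
    values = decoys[:position] + [sas] + decoys[position:]
    return [encode(v) for v in values], position


if __name__ == "__main__":
    choices, correct = make_choices(0xDEADBEEF)  # constructed sample SAS
    for i, words in enumerate(choices):
        print(f"[{i}] {words}")
    print("correct index:", correct)
```

With `count` entries, a user who clicks without verifying still picks the right one with probability 1/`count`, which is the trade-off the message accepts in exchange for simplicity.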



