[Security] Gajim 0.12's E2E encryption UI
Pedro Melo
melo at simplicidade.org
Sat Aug 23 07:30:44 CDT 2008
On Aug 23, 2008, at 9:39 AM, Jonathan Schleifer wrote:
> Am 23.08.2008 um 00:34 schrieb Pedro Melo:
>
>> As for UI for the SAS exchange, I'm partial to the use of the
>> Mnemonic encoder with a GUI like this: http://mooseyard.com/Jens/
>> 2008/04/cloudy-verification/ (page down, about three or four
>> screens).
>
> That idea is pretty smart. The user can't just click ok. The other,
> wrong combinations of words are generated locally, I hope?
Yes. It's not specified on the post, but I assume that you run some
xor a couple of times and generate the mnemonic of those values and
show them to the user.
Or barrel shift the word. Take your pick. As long as you make sure
you don't end up with the same 32-bit value :)
> But what about the case clicking the right one without verifying?
> With just a few possible answers, that's quite likely.
Increase the list and place the correct one in a random position.
Don't put the correct one always at the top. I don't think you can do
better than that and keep it simple.
See the comments on the post. Jens actually talks about that. I agree
with him. If you want complete assurance, you might as well force the
user to compare the full sig.
BTW, the only thing I would add to that UI would be an
"Advanced" (hidden by default) section where you could find the full
sig, for real security conscious users.
Best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!
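As an added illustration of the decoy scheme discussed in this thread (my code, not Gajim's and not from Jens's post): decoys are derived locally from the real 32-bit SAS by XOR with a random mask or a barrel shift, collisions with the real value are rejected, and the correct entry lands at a random position. The word list is a constructed stand-in for the Mnemonic encoder's dictionary.

```python
import secrets

# Constructed 256-word list standing in for the Mnemonic encoder's dictionary
# (the real one has 1626 words); one word per byte keeps this self-contained.
_SYLLABLES = [c + v for c in "bdfgklmnprstvz" for v in "aeiou"]
WORDS = [a + b for a in _SYLLABLES for b in _SYLLABLES][:256]


def mnemonic(value: int) -> str:
    """Encode a 32-bit SAS as four words, one per byte (most significant first)."""
    return " ".join(WORDS[(value >> shift) & 0xFF] for shift in (24, 16, 8, 0))


def rotl32(value: int, n: int) -> int:
    """Barrel-shift (rotate left) a 32-bit value by n bits."""
    n %= 32
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def make_decoys(sas: int, count: int) -> list[int]:
    """Derive `count` wrong 32-bit values from the real SAS, entirely locally.

    Each candidate is either the SAS XORed with a random mask or a random
    rotation of it. Any candidate equal to the SAS or to an earlier decoy is
    rejected: a zero mask, or any rotation of 0x00000000 / 0xFFFFFFFF, would
    otherwise hand the user two identical "choices".
    """
    decoys: list[int] = []
    while len(decoys) < count:
        if secrets.randbelow(2) == 0:
            candidate = sas ^ secrets.randbits(32)
        else:
            candidate = rotl32(sas, 1 + secrets.randbelow(31))
        if candidate != sas and candidate not in decoys:
            decoys.append(candidate)
    return decoys


def build_choices(sas: int, n_choices: int = 6) -> tuple[list[str], int]:
    """Return the mnemonic list to display and the index of the real SAS.

    The correct entry sits at a uniformly random position, so a user who
    always clicks the top line is wrong (n_choices - 1) / n_choices of the time.
    """
    decoys = make_decoys(sas, n_choices - 1)
    correct_index = secrets.randbelow(n_choices)
    values = decoys[:correct_index] + [sas] + decoys[correct_index:]
    return [mnemonic(v) for v in values], correct_index


if __name__ == "__main__":
    choices, answer = build_choices(0xDEADBEEF)  # constructed sample SAS
    for i, line in enumerate(choices):
        print(f"{i}: {line}{'   <- real' if i == answer else ''}")
```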