On Thu, Jul 11, 2013 at 1:23 AM, [email protected] <[email protected]> wrote:
> create connections between the browsers without requiring a handshake
> server or parasitizing other public services, and they commented to me
> that "connect clients P2P without initially locating each other using a
> server is a big deal. Enough that it probably should be done in a new
> working group".

The largest outstanding question is how you handle MitM attacks. Without another secure service to broker the connection, you need some way of verifying you're talking to who you expect.

At the very least, this should require some kind of popup requesting users to somehow magically verify each other's public keys.

In practice, I think this sort of approach doesn't work. People will always click yes. But if you cache their choice, it provides a sort of continuity of keys, so at least if they managed to get the connection set up securely once, it will be secure in the future.

-- 
Tony Arcieri
_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
