Re: [opensource-dev] Encrypted chat & third-party servers
On Wed, Aug 25, 2010 at 10:16:22PM -0700, Erik Anderson wrote:
> " at the end (this is
> ). I'm guessing that it
> is
> thought that no one would notice these unless they were looking for them.

Surely you mean ? Because after a quick look it's clear that is the '0' and a '1', so that my version spells 01000101010001010010 = 4F 54 52 = ascii for "OTR"

--
Carlo Wood
___
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/OpenSource-Dev
Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Encrypted chat & third-party servers
Well, looking at the spec that was linked earlier in this thread...

When someone is using a TPV that can do OTR (and the user has indicated a willingness to use it), then many (all?) of their chats will have " " at the end (this is ). I'm guessing that it is thought that no one would notice these unless they were looking for them.

If someone wants to begin encryption with someone they think can handle OTR (is this "coming out of the closet?") then they send "?OTR?v2?" as a chat.

I'm guessing that if a TPV doesn't see those spaces or doesn't get the response it expects from its query, that it figures out the other person doesn't support OTR?

On Wed, Aug 25, 2010 at 6:39 PM, Carlo Wood wrote:
> Nevermind, I should have read the rest of the thread first.
> Looks like a pretty solid protocol.
>
> Does anyone know if it is possible for an arbitrary TPV
> to start an OTR with another TPV? If so, how? Or is it
> needed to be recognized by the other viewer as being
> a viewer that has OTR implemented?
>
> How do two viewers know if they both can do OTR?
>
> On Thu, Aug 26, 2010 at 02:53:25AM +0200, Carlo Wood wrote:
> > On Wed, Aug 25, 2010 at 01:59:49PM -0700, Brian McGroarty wrote:
> > > Has anyone spent time looking at the encrypted chat feature included in some
> > > third-party viewers? It's my understanding that this contacts third-party
> > > servers in obtaining and validating keys. Is that correct?
> >
> > If that is correct, then I'm pretty sure that the owners of
> > those servers have access to a key that would allow them
> > to read the encrypted messages. Imho, that is not acceptable :p
> >
> > Perhaps in time I'll be interested to implement a better
> > method.
> >
> > Carlo Wood (author of libecc http://libecc.sourceforge.net/reference-manual/index.html)
>
> --
> Carlo Wood
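The version discovery discussed in the two messages above (the trailing whitespace tag and the "?OTR?v2?" query), as an added example that is not part of any post in this thread. The tag values are taken from the OTR protocol version 2 specification linked in the thread, not from this archive (which lost the whitespace); all function names and sample messages are hypothetical.

```python
import re

# Tag values as given in the OTR protocol version 2 specification
# (space = \x20, tab = \x09); the archived messages lost them.
BASE_TAG = "\x20\x09\x20\x20\x09\x09\x09\x09" "\x20\x09\x20\x09\x20\x09\x20\x20"
VERSION_TAGS = {
    "\x20\x09\x20\x09\x20\x20\x09\x20": 1,
    "\x20\x20\x09\x09\x20\x20\x09\x20": 2,
}
QUERY_RE = re.compile(r"\?OTR(\?)?(?:v([^?]*)\?)?")


def bits_to_text(ws):
    """Read space as 0 and tab as 1, eight characters per ASCII byte."""
    bits = "".join("1" if c == "\t" else "0" for c in ws)
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - 7, 8))


def whitespace_tag_versions(message):
    """Versions advertised by a whitespace tag anywhere in a plaintext chat."""
    pos = message.find(BASE_TAG)
    versions = set()
    if pos < 0:
        return versions
    i = pos + len(BASE_TAG)
    while len(message[i:i + 8]) == 8 and not set(message[i:i + 8]) - {" ", "\t"}:
        if message[i:i + 8] in VERSION_TAGS:
            versions.add(VERSION_TAGS[message[i:i + 8]])
        i += 8  # unknown 8-character tags are skipped, not treated as errors
    return versions


def query_versions(message):
    """Versions offered by an explicit query such as "?OTR?v2?"."""
    m = QUERY_RE.search(message)
    if not m or (m.group(1) is None and m.group(2) is None):
        return set()  # e.g. "?OTR:" data messages are not queries
    versions = {1} if m.group(1) else set()
    versions |= {int(c) for c in (m.group(2) or "") if c in "0123456789"}
    return versions


def peer_supports_otr(message, ours=frozenset({2})):
    """True if the peer advertised or requested a version we also speak."""
    return bool((whitespace_tag_versions(message) | query_versions(message)) & ours)


# Constructed sample chat lines (not captured traffic).
TAGGED = "hello there" + BASE_TAG + "\x20\x20\x09\x09\x20\x20\x09\x20"
PLAIN = "hello   there"
```

A viewer that sees neither a tag nor a query in the peer's chat gets an empty set from both functions and simply stays in plaintext.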
Re: [opensource-dev] Encrypted chat & third-party servers
Nevermind, I should have read the rest of the thread first.
Looks like a pretty solid protocol.

Does anyone know if it is possible for an arbitrary TPV to start an OTR with another TPV? If so, how? Or is it needed to be recognized by the other viewer as being a viewer that has OTR implemented?

How do two viewers know if they both can do OTR?

On Thu, Aug 26, 2010 at 02:53:25AM +0200, Carlo Wood wrote:
> On Wed, Aug 25, 2010 at 01:59:49PM -0700, Brian McGroarty wrote:
> > Has anyone spent time looking at the encrypted chat feature included in some
> > third-party viewers? It's my understanding that this contacts third-party
> > servers in obtaining and validating keys. Is that correct?
>
> If that is correct, then I'm pretty sure that the owners of
> those servers have access to a key that would allow them
> to read the encrypted messages. Imho, that is not acceptable :p
>
> Perhaps in time I'll be interested to implement a better
> method.
>
> Carlo Wood (author of libecc http://libecc.sourceforge.net/reference-manual/index.html)

--
Carlo Wood
Re: [opensource-dev] Encrypted chat & third-party servers
On Wed, Aug 25, 2010 at 01:59:49PM -0700, Brian McGroarty wrote:
> Has anyone spent time looking at the encrypted chat feature included in some
> third-party viewers? It's my understanding that this contacts third-party
> servers in obtaining and validating keys. Is that correct?

If that is correct, then I'm pretty sure that the owners of those servers have access to a key that would allow them to read the encrypted messages. Imho, that is not acceptable :p

Perhaps in time I'll be interested to implement a better method.

Carlo Wood (author of libecc http://libecc.sourceforge.net/reference-manual/index.html)
Re: [opensource-dev] Encrypted chat & third-party servers
On 8/25/2010 5:44 PM, Oz Linden (Scott Lawrence) wrote:
> The changes we've requested primarily concern the re-establishment of
> trust between the Emerald development team, Linden Lab, and the Second
> Life resident community. If you believe that you're complying with the
> Third Party Viewer Policy, then you're fine.

Oh good, good. Their blog post today made me think large code changes were required, which didn't make a whole lot of sense.

Thanks for clearing that up for me. :3
Re: [opensource-dev] Encrypted chat & third-party servers
On 2010-08-25 20:02, Kadah wrote:
> On 8/25/2010 3:11 PM, Oz Linden (Scott Lawrence) wrote:
>> On 2010-08-25 17:14, Kadah wrote:
>>> Do they get
>>> special (more restrictive?) rules than other TPVs just because it's popular?
>> No.
> Good to know, Oz. Thanks.
> Will we get to know what the requested changes were some time soon so
> the rest of us can be sure not to run afoul of them in the future? Many
> TPVs are either based off Emerald, use a lot/some of its code, or
> duplicate similar features.

The changes we've requested primarily concern the re-establishment of trust between the Emerald development team, Linden Lab, and the Second Life resident community. If you believe that you're complying with the Third Party Viewer Policy, then you're fine.
Re: [opensource-dev] Encrypted chat & third-party servers
On 8/25/2010 3:11 PM, Oz Linden (Scott Lawrence) wrote:
> On 2010-08-25 17:14, Kadah wrote:
>> Do they get
>> special (more restrictive?) rules than other TPVs just because it's popular?
> No.

Good to know, Oz. Thanks.

Will we get to know what the requested changes were some time soon so the rest of us can be sure not to run afoul of them in the future? Many TPVs are either based off Emerald, use a lot/some of its code, or duplicate similar features.
Re: [opensource-dev] Encrypted chat & third-party servers
I would expect that it being more popular just puts more eyes on it.

On 25/8/2010 19:11, Oz Linden (Scott Lawrence) wrote:
> On 2010-08-25 17:14, Kadah wrote:
>> Do they get
>> special (more restrictive?) rules than other TPVs just because it's popular?
> No.
Re: [opensource-dev] Encrypted chat & third-party servers
On 2010-08-25 17:14, Kadah wrote:
> Do they get
> special (more restrictive?) rules than other TPVs just because it's popular?

No.
Re: [opensource-dev] Encrypted chat & third-party servers
On 8/25/10, Brian McGroarty wrote:
> Has anyone spent time looking at the encrypted chat feature included in some
> third-party viewers? It's my understanding that this contacts third-party
> servers in obtaining and validating keys. Is that correct? If so, do these
> connections share any information about the user that we should require to
> be disclosed per section 4.b of the TPV Policy?[1]

I haven't looked too closely at the encrypted chat in Emerald and similar viewers, but my understanding is that it - and all the other third-party viewers - use OTR in a fairly standard way. OTR is deliberately designed not to use any third party server to obtain or validate keys - instead, it provides a way for pairs of OTR users to validate each other's keys directly with each other[2]. All communication happens over the underlying IM protocol, in this case Second Life IMs.

Unless someone's really screwed up the implementation in one of the viewers, OTR should have no interesting privacy implications whatsoever. OTR keys are designed to be per-account (so provide no way of matching up alts) and the encryption scheme used carefully avoids non-repudiation; that is, neither party can use it to prove what the other said to a third party after the fact any more than they could with plain-text IMs. It's basically pretty benign.

[1] NMF.
[2] Specifically, it uses the Socialist Millionaire Protocol to verify the keys, using a piece of information that only the two people know. See http://en.wikipedia.org/wiki/Socialist_millionaire - note that neither the secret answer nor any information that could usefully help to determine it is ever shared with the other party!
Re: [opensource-dev] Encrypted chat & third-party servers
Some of the TPVs implement the OTR protocol for encrypted messaging:

http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html

This does not involve 3rd party servers, or disclose information. In fact it's designed not to disclose anything,
Re: [opensource-dev] Encrypted chat & third-party servers
On 8/25/2010 1:59 PM, Brian McGroarty wrote:
> Has anyone spent time looking at the encrypted chat feature included in
> some third-party viewers? It's my understanding that this contacts
> third-party servers in obtaining and validating keys. Is that correct?
> If so, do these connections share any information about the user that we
> should require to be disclosed per section 4.b of the TPV Policy?[1]
>
> [1] http://secondlife.com/corporate/tpv.php#priv4

I don't think OTR does. From what I remember seeing in its source is that the user has to self-certify that the other user's key is one they trust. I think that was hacked in later versions of Emerald to not require as much user interaction, but I hadn't tested it much after that, I don't use OTR in my viewer code.

I wonder if it was at all part of the closed-door list of changes they must make to get relisted. It seems to me that anything on there would apply just as much to any other TPV as it does to Emerald. Do they get special (more restrictive?) rules than other TPVs just because it's popular?
Re: [opensource-dev] Encrypted chat & third-party servers
On Wed, Aug 25, 2010 at 4:59 PM, Brian McGroarty wrote:
> Has anyone spent time looking at the encrypted chat feature included in some
> third-party viewers?

you mean like THAT VIEWER's OTR feature??

1 it's badly broken anyway
2 it does not have a keyserver, all keys are current session only (even the logs are scrambled)

in this case no TPVP issues develop

Now in the case of a keyserver-using protocol then exactly what is being transmitted should be listed.
In the case of OTR http://www.cypherpunks.ca/otr/ would be the best reference

--
Robert L Martin
[opensource-dev] Encrypted chat & third-party servers
Has anyone spent time looking at the encrypted chat feature included in some third-party viewers? It's my understanding that this contacts third-party servers in obtaining and validating keys. Is that correct? If so, do these connections share any information about the user that we should require to be disclosed per section 4.b of the TPV Policy?[1]

[1] http://secondlife.com/corporate/tpv.php#priv4

--
Brian McGroarty | Linden Lab
Sent from my Newton MP2100 via acoustic coupler