Encryption isn't bound to a format. You can encrypt a <body/> tag just as 
easily as you could encrypt all child tags, or indeed a bitmap or jpeg image. 
Only encrypting the <body> tag is a failure on the part of the implementors, not 
the inventors? No?

Saying that OTR is useless because current implementations only encrypt the 
<body> tag is as good as saying that *AES is useless* because _my_ program only 
encrypts the first five letters of a text document.

In other words:
<message from="[EMAIL PROTECTED]" to="[EMAIL PROTECTED]">
  <body>Meet me in the courtyard.</body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p style='font-weight:bold'>Meet me in the courtyard</p>
    </body>
  </html>
</message>
==
<message from="[EMAIL PROTECTED]" to="[EMAIL PROTECTED]">
  <encrypted>adbndpbc098123</encrypted>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p style='font-weight:bold'>Meet me in the courtyard.</p>
    </body>
  </html>
</message>

Should be:

<message from="[EMAIL PROTECTED]" to="[EMAIL PROTECTED]">
  <body>Meet me in the courtyard.</body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p style='font-weight:bold'>Meet me in the courtyard</p>
    </body>
  </html>
</message>
==
<message from="[EMAIL PROTECTED]" to="[EMAIL PROTECTED]">
  <encrypted>adbndpbc098124</encrypted>
</message>

Or even better:
<encrypted from="[EMAIL PROTECTED]" to="[EMAIL PROTECTED]">
  <encrypted><!-- B64 of whole message tag here --></encrypted>
</encrypted>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan 
Schleifer
Sent: Tuesday, August 19, 2008 10:05 PM
To: XMPP Security
Subject: Re: [Security] TLS Certificates Verification

On 19.08.2008 at 21:59, Jonathan Dickinson wrote:

> I just watched the OTR webcast. It is actually pretty well thought
> out.

ESessions is more or less OTR done right (not so hacky etc.). They have 
extremely much in common. In fact, ESessions was designed to have something 
like OTR, but the Jabber way.

> And it does what we want.

It clearly does NOT. It only supports encryption of the <body> element. But 
uses HTML in that etc.

--
Jonathan
