[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Ring] Security issues
From: |
Simon Désaulniers |
Subject: |
Re: [Ring] Security issues |
Date: |
Thu, 29 Jun 2017 17:56:54 -0400 |
User-agent: |
NeoMutt/20170306 (1.8.0) |
Hi,
Regarding the effect of OTR, Axolotl on PFS asked on the stackexchange post, I
have precised in an answer~[1] something that I thought unclear.
Regards,
[1]: https://security.stackexchange.com/a/163105/152206
On Thu, Jun 29, 2017 at 08:00:38AM -0400, Greg Troxel wrote:
>
> Adrien Béraud <address@hidden> writes:
>
> > Those security concerns, mainly coming from a Tox developer, are mostly
> > unfounded IMO,
> > but it's always a good practice to exchange with the community and to
> > explain how Ring works.
> >
> > I tried to answer the best I could in a reasonable length:
> >
> > https://security.stackexchange.com/a/162603/151701
>
> Thanks for posting the link. From previous discussions I understood
> about using ring keys to authenticate and PFS.
>
> The comments about OTR and axolotl seem off base. PFS is not that
> difficult in a system where peers are connected, which you need anyway
> for a voice call. But I think this does lead to ring messaging only
> working if both parties are online/reachable at once.
>
> I had either asked about the DHT address privacy issue, or thought I
> should and not sent the mail, but your answer also answers that. As I
> suspected, you are agreeing that registering ring key/IP in the DHT
> allows someone to track what IP address that ring id has when.
> While I agree on the general point that there are tradeoffs and no
> perfect approaches, I see this as significant.
>
> It would be good for ring.cx's website to have a security page that's
> basically a slight expansion of your stackexchange answer, where a user
> could understand the key points of peer authentication, encryption/pfs,
> and exposure of IP address.
>
>
--
Simon Désaulniers
address@hidden
ring:d92721cd88395f7c4953004cde769c4976cbe82c
signature.asc
Description: PGP signature