On Tue, Aug 02 2016, Fredrik Alströmer <fals...@excu.se> wrote:
> I would object slightly to calling it "securely", from what I can tell by a
> quick glance at the code, the data is relayed through the author's private
> server. The pass phrases seem to be fairly limited (chosen from a 512-entry
> dictionary iiuc), simply spamming the public endpoint with passwords
> should net you something cool sooner or later.

Hi, Fredrik. Thanks for the comments.

The fact that data is relayed through the author's private server should not compromise integrity of the data, since the data is actually encrypted end-to-end. The package also includes the server program itself so users can set up their own server rather than use the one provided by the author.

The upstream author has attempted to explain the compromises involved in using a relatively low-entropy password for the initial key exchange:

http://www.lothar.com/%7Ewarner/MagicWormhole-PyCon2016.pdf
https://youtu.be/dgnikoiau68

> Also, as a comment in the code suggests, the server might disappear at any
> time so it's not intended for wide adoption.

My intention is to put the package in experimental, so that we can gain deployment experience. I don't think that any of the concerns that you express should preclude us putting the package into experimental.

jamie.