Hi,

Regarding the effect of OTR, Axolotl on PFS asked about on the stackexchange post, I have clarified in an answer [1] something that I thought was unclear.
Regards,

[1]: https://security.stackexchange.com/a/163105/152206

On Thu, Jun 29, 2017 at 08:00:38AM -0400, Greg Troxel wrote:
>
> Adrien Béraud <[email protected]> writes:
>
> > Those security concerns, mainly coming from a Tox developer, are mostly
> > unfounded IMO,
> > but it's always a good practice to exchange with the community and to
> > explain how Ring works.
> >
> > I tried to answer the best I could in a reasonable length:
> >
> > https://security.stackexchange.com/a/162603/151701
>
> Thanks for posting the link. From previous discussions I understood
> about using ring keys to authenticate and PFS.
>
> The comments about OTR and axolotl seem off base. PFS is not that
> difficult in a system where peers are connected, which you need anyway
> for a voice call. But I think this does lead to ring messaging only
> working if both parties are online/reachable at once.
>
> I had either asked about the DHT address privacy issue, or thought I
> should and not sent the mail, but your answer also answers that. As I
> suspected, you are agreeing that registering ring key/IP in the DHT
> allows someone to track what IP address that ring id has when.
> While I agree on the general point that there are tradeoffs and no
> perfect approaches, I see this as significant.
>
> It would be good for ring.cx's website to have a security page that's
> basically a slight expansion of your stackexchange answer, where a user
> could understand the key points of peer authentication, encryption/pfs,
> and exposure of IP address.

--
Simon Désaulniers
[email protected]
ring:d92721cd88395f7c4953004cde769c4976cbe82c
