jami

Re: [Ring] Security issues


From: Greg Troxel
Subject: Re: [Ring] Security issues
Date: Thu, 29 Jun 2017 08:00:38 -0400
User-agent: Gnus/5.130016 (Ma Gnus v0.16) Emacs/24.5 (berkeley-unix)

Adrien Béraud <address@hidden> writes:

> Those security concerns, mainly coming from a Tox developer, are mostly
> unfounded IMO, but it's always a good practice to exchange with the
> community and to explain how Ring works.
>
> I tried to answer the best I could in a reasonable length:
>
> https://security.stackexchange.com/a/162603/151701

Thanks for posting the link.  From previous discussions I understood
about using ring keys to authenticate and PFS.

The comments about OTR and axolotl seem off base.  PFS is not that
difficult in a system where peers are connected, which you need anyway
for a voice call.  But I think this does lead to ring messaging only
working if both parties are online/reachable at once.

I had either asked about the DHT address privacy issue, or thought I
should and not sent the mail, but your answer also answers that.  As I
suspected, you are agreeing that registering ring key/IP in the DHT
allows someone to track what IP address that ring id has when.
While I agree on the general point that there are tradeoffs and no
perfect approaches, I see this as significant.

It would be good for ring.cx's website to have a security page that's
basically a slight expansion of your stackexchange answer, where a user
could understand the key points of peer authentication, encryption/PFS,
and exposure of IP address.

