
Re: [Ring] Security issues


From: Simon Désaulniers
Subject: Re: [Ring] Security issues
Date: Thu, 29 Jun 2017 17:56:54 -0400
User-agent: NeoMutt/20170306 (1.8.0)

Hi,

Regarding the effect of OTR and Axolotl on PFS, asked about in the stackexchange
post, I have clarified in an answer [1] something that I thought was unclear.

Regards,


[1]: https://security.stackexchange.com/a/163105/152206

On Thu, Jun 29, 2017 at 08:00:38AM -0400, Greg Troxel wrote:
> 
> Adrien Béraud <address@hidden> writes:
> 
> > Those security concerns, mainly coming from a Tox developer, are mostly 
> > unfounded IMO, 
> > but it's always a good practice to exchange with the community and to 
> > explain how Ring works. 
> >
> > I tried to answer the best I could in a reasonable length: 
> >
> > https://security.stackexchange.com/a/162603/151701 
> 
> Thanks for posting the link.  From previous discussions I understood
> about using ring keys to authenticate and PFS.
> 
> The comments about OTR and axolotl seem off base.  PFS is not that
> difficult in a system where peers are connected, which you need anyway
> for a voice call.  But I think this does lead to ring messaging only
> working if both parties are online/reachable at once.
> 
> I had either asked about the DHT address privacy issue, or thought I
> should and not sent the mail, but your answer also answers that.  As I
> suspected, you are agreeing that registering ring key/IP in the DHT
> allows someone to track what IP address that ring id has when.
> While I agree on the general point that there are tradeoffs and no
> perfect approaches, I see this as significant.
> 
> It would be good for ring.cx's website to have a security page that's
> basically a slight expansion of your stackexchange answer, where a user
> could understand the key points of peer authentication, encryption/pfs,
> and exposure of IP address.
> 
> 



-- 
Simon Désaulniers
address@hidden
ring:d92721cd88395f7c4953004cde769c4976cbe82c
