[guardian-dev] serverless P2P OTR (re: serverless XMPP)

Timur timur.mehrvarz at riseup.net
Mon Jun 25 09:14:34 EDT 2012


> Wouldn't the relay server know all about who you are talking to?

In "OTR mode", the relay server is not able to collect any knowledge
about its users. All it sees are two IP addresses and that two parties
are using the same magic string for matching. But these attributes are
likely to change between sessions. Disadvantage: both users need to
agree upon a magic string using a different channel.

> How do you manage the buddy list in a p2p way?

In "Stored key mode" users do not need to agree on a magic string. You
pick one entry and expect the other party to do the same. Disadvantage:
the relay server will be able to see the key fingerprint strings.
However, doing an OTR connect (say once a month) will create new keys on
both ends. It's much easier to create new keys than it is to change your
IM account.

> And how do you discover where a given person is when they move around
> networks?

The relay server really only provides a mechanism for two anonymous
parties to match so they can learn about their IP addresses and be able
to connect directly. An upcoming release of P2pChat will offer an option
to run all communication in relayed fashion. This may be useful if you
want to hide your chat partner from your ISP.

The key to anonymity is to offer such a service free to anyone and not
require user accounts. I am not able to actually run such a service.
Please consider this project an experiment.

Timur

On 22.06.2012 01:16, Hans-Christoph Steiner wrote:
> 
> Sounds interesting. How do you manage the buddy list in a p2p way?  And how do you discover where a given person is when they move around networks?
> 
> Wouldn't the relay server know all about who you are talking to?
> 
> .hc
> 
> On May 8, 2012, at 6:15 AM, Timur wrote:
> 
>> Hi, I just uploaded a new P2P OTR chat application to the Market (aka
>> Play). It's called "P2pChat" [1].
>>
>> End-to-end encryption is all nice, but I was always a little unhappy
>> about the fact that communication patterns (who; when; how long) are
>> being revealed to the instant messaging operator. To use P2pChat, you
>> don't need an account. This also very much simplifies setup. In fact,
>> there is not a single configurable setting currently. You do need your
>> OTR secret, however.
>>
>> The app makes use of a relay server. The relay server helps clients to
>> find each other. It also allows the clients to learn about their public
>> IP and port numbers. Clients will detach from the relay server as soon
>> as a direct P2P connection has been established.
>>
>> In addition to OTR, the app also provides a PGP type encryption mode
>> (called "Stored key connect"). When you do an OTR connect for the first
>> time, the two public keys (automatically generated, but not required in
>> OTR mode) are automatically exchanged. This allows you to also use fixed
>> key encrypted communication whenever you want to. (One advantage of
>> fixed key encryption is that you can go online and become connectable
>> to multiple parties. However, this is not yet implemented.)
>>
>> The app is written in Scala and consists of three separate
>> repositories: P2pCore [2], P2pChatOTR [3] and P2pChatAndroid [4].
>>
>> Anybody willing to take a look, maybe share a comment?
>> Thank you and kind regards,
>> Timur
>>
>> [1] https://play.google.com/store/apps/details?id=timur.p2pChat
>> [2] https://github.com/mehrvarz/P2pCore
>> [3] https://github.com/mehrvarz/P2pChatOTR
>> [4] https://github.com/mehrvarz/P2pChatAndroid
> 
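
The trade-off described in this message (a fresh magic string per session versus a reused key fingerprint that the relay can see) can be modelled from the relay's side. The following is an added example, not part of the original thread and not P2pChat code: the `Relay` class, the token formats and the addresses are hypothetical and constructed, and only the relay's view is modelled, not any real wire protocol.

```python
"""Added model: what a rendezvous relay can link across sessions.
Hypothetical names throughout; this is not P2pChat's wire protocol."""
import secrets
from collections import defaultdict


class Relay:
    """Matches two parties presenting the same token and logs what it saw."""

    def __init__(self):
        self.log = []  # (session_no, token, ip_a, ip_b): the relay's whole view

    def rendezvous(self, token_a, addr_a, token_b, addr_b):
        if token_a != token_b:
            return None                       # no match, nobody learns anything
        self.log.append((len(self.log), token_a, addr_a[0], addr_b[0]))
        return addr_b, addr_a                 # each side learns the other's address


def run_sessions(relay, tokens, addr_pairs):
    for token, (a, b) in zip(tokens, addr_pairs):
        relay.rendezvous(token, a, token, b)
    return relay.log


def linkable_sessions(log):
    """Groups of sessions the relay can tie to the same pair via a reused token."""
    by_token = defaultdict(list)
    for session_no, token, _ip_a, _ip_b in log:
        by_token[token].append(session_no)
    return sorted(group for group in by_token.values() if len(group) > 1)


# Constructed sample: both parties change networks between three sessions.
ADDRS = [
    (("192.0.2.10", 40001), ("198.51.100.7", 40002)),
    (("203.0.113.5", 40003), ("192.0.2.99", 40004)),
    (("198.51.100.23", 40005), ("203.0.113.77", 40006)),
]


def demo():
    otr = run_sessions(Relay(), [secrets.token_hex(8) for _ in ADDRS], ADDRS)
    stored = run_sessions(Relay(), ["FP-A|FP-B"] * 3, ADDRS)
    rotated = run_sessions(Relay(), ["FP-A|FP-B", "FP-A|FP-B", "FP-C|FP-D"], ADDRS)
    return linkable_sessions(otr), linkable_sessions(stored), linkable_sessions(rotated)


if __name__ == "__main__":
    print(demo())
```

With per-session magic strings the relay has nothing to join sessions on once the IP addresses change; a reused fingerprint links every session until the keys are regenerated.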


