[guardian-dev] gibberbot, OTR, xmpp, android in general

shmick at riseup.net shmick at riseup.net
Mon Dec 2 13:46:15 EST 2013


hello all,

i have a lot of things floating around that i'm really unable to answer
critically without the required level of knowledge

essentially, i make use of your fantastic gibberbot 0.0.11-RC5 (i
currently can't update to chat secure due to phone storage) and chat
connected to jabber.ccc.de [1] as an example

packet traces show that gibberbot presents 35 cipher suites to offer and
eventually my session is secured with TLS_RSA_WITH_RC4_128_MD5; an SSLv3
suite

what i can say is that if my browser was using this suite over 'https'
it would generally be accepted as insecure but i just don't know enough
about jabber/xmpp et al to say when using 'OTR' whether it would be safe

does OTR always use forward secrecy and is this suite safe even though
it's RC4 with MD5 ? i can only surmise that since the negotiated suite
is not an ECDHE, DHE or EDH one then how would forward secrecy occur ?

why does gibberbot even need to offer RC4_40, DES40 and empty negotiation ?

i read [2] once that android and the underlying java subsystem overrides
all the cipher suites 'iff' the client is not coded/created in a way
that presents its own preferences

so i assume gibberbot does not override the android and java default
insecure protocols or are there improvements in chatsecure ?

how could this have even been approved into android (out comes the tin
foil hat; not taking it off just yet)

[1] http://xmpp.net/result.php?domain=jabber.ccc.de&type=client
[2] http://op-co.de/blog/posts/android_ssl_downgrade/
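
Added example, not part of the original post and not Gibberbot or ChatSecure code: a small audit of cipher suite names like the ones seen in the packet trace, splitting each into key exchange, bulk cipher and MAC and flagging export-grade, NULL, RC4, MD5 and missing forward secrecy. The `OFFERED` list is constructed and the function names are hypothetical; it assesses the TLS transport layer only and says nothing about OTR.

```python
import re

# Constructed sample of an offered list in IANA/Java naming; it is not the
# 35-suite list from the packet trace described in the post.
OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_NULL_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<bulk>.+)_(?P<mac>[A-Z0-9]+)$")
WEAK_BULK = {"NULL": "no-encryption", "RC4": "rc4", "DES": "des"}

def classify(name):
    """Split a suite name into key exchange, bulk cipher and MAC; flag weaknesses."""
    if name.endswith("_SCSV"):
        # Signalling value (e.g. RFC 5746 renegotiation info), not a real suite.
        return {"signalling": True, "forward_secrecy": False, "problems": []}
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError("unrecognised suite name: " + name)
    kx, bulk, mac = m.group("kx").split("_"), m.group("bulk"), m.group("mac")
    problems = []
    if "EXPORT" in kx or "40" in bulk:
        problems.append("export-grade")
    if "anon" in kx:
        problems.append("unauthenticated")
    problems += [tag for prefix, tag in WEAK_BULK.items() if bulk.startswith(prefix)]
    if mac == "MD5":
        problems.append("md5-mac")
    # Rule used in the post: only ECDHE, DHE or EDH key exchange counts as forward secret.
    forward_secrecy = kx[0] in ("DHE", "ECDHE", "EDH")
    return {"signalling": False, "forward_secrecy": forward_secrecy, "problems": problems}

def strong_suites(offered, require_fs=True):
    """Return the real suites with no flagged problem (and forward secrecy if required)."""
    keep = []
    for name in offered:
        info = classify(name)
        if info["signalling"] or info["problems"]:
            continue  # signalling values are not encryption suites, so not assessed
        if not require_fs or info["forward_secrecy"]:
            keep.append(name)
    return keep
```
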




