[guardian-dev] gibberbot, OTR, xmpp, android in general
Nathan of Guardian
nathan at guardianproject.info
Mon Dec 2 14:45:45 EST 2013
On 12/02/2013 01:46 PM, shmick at riseup.net wrote:
> does OTR always use forward secrecy and is this suite safe even though
> it's RC4 with MD5 ? i can only surmise that since the negotiated suite
> is not an ECDHE, DHE or EDH one then how would forward secrecy occur ?
> why does gibberbot even need to offer RC4_40, DES40 and empty negotiation ?

You are confusing the OTR encryption that happens within the XMPP
message contents itself, with the SSL/TLS transport layer encryption
that occurs between Gibberbot/ChatSecure and the XMPP server.

What you are seeing is the sub-optimal TLS ciphersuites that Android
offers by default. We are aware of this, and have addressed it in the
most recent ChatSecure builds.

The forward secrecy you seek is happening at the OTR layer. If the XMPP
server also supports it at the TLS layer, then we can also support it
there, and prefer it now.

> i read [2] once that android and the underlying java sub system overrides
> all the cipher suites 'iff' the client is not coded/created in a way
> that presents its own preferences

Here is the code we are now using to specify our own:

Patch for SMACK/ASMACK XMPP Library:
https://github.com/guardianproject/asmack/blob/master/patch/51-enable-custom-ciphers.patch

The custom suites of ciphers we specify:
https://github.com/guardianproject/ChatSecureAndroid/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/XMPPCertPins.java#L9

Thanks for the question!
+n
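
An added illustration, not part of the original message and not the code in the linked asmack patch or the ChatSecure suite list: a client overriding the platform's default TLS cipher suites through the standard JSSE `SSLSocket` API, keeping only forward-secret suites and dropping the RC4, MD5, export, DES and NULL ones raised in the question. The class and method names (`ForwardSecretSuites`, `filter`, `harden`) are hypothetical and the sample suite list is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;

public class ForwardSecretSuites {
    // Ephemeral key exchanges that give forward secrecy at the TLS layer.
    private static final String[] PFS_PREFIXES = {"TLS_ECDHE_", "TLS_DHE_", "SSL_DHE_"};
    // Substrings marking the weak suites from the question, plus anonymous key exchange.
    private static final String[] WEAK_MARKERS = {
        "_RC4_", "_MD5", "_NULL_", "_EXPORT_", "DES40", "_DES_", "_anon_"
    };

    /** Keeps only forward-secret, non-weak suites, preserving the input order. */
    static String[] filter(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            boolean pfs = false;
            for (String p : PFS_PREFIXES) pfs |= suite.startsWith(p);
            boolean weak = false;
            for (String w : WEAK_MARKERS) weak |= suite.contains(w);
            if (pfs && !weak) keep.add(suite);
        }
        return keep.toArray(new String[0]);
    }

    /** Call on the socket before the TLS handshake starts. */
    static void harden(SSLSocket socket) {
        String[] chosen = filter(socket.getSupportedCipherSuites());
        if (chosen.length == 0) {
            // Fail closed rather than fall back to the platform defaults.
            throw new IllegalStateException("no forward-secret suites available");
        }
        socket.setEnabledCipherSuites(chosen);
    }

    public static void main(String[] args) {
        // Constructed sample of suite names standing in for a platform default list.
        String[] sample = {
            "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_RSA_WITH_NULL_MD5",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_DHE_RSA_WITH_DES_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
        };
        for (String s : filter(sample)) System.out.println(s);
    }
}
```

The server still makes the final choice among the suites the client offers, so this only guarantees forward secrecy at the TLS layer when the XMPP server supports one of the remaining suites; otherwise the handshake fails instead of silently downgrading.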