[guardian-dev] gibberbot, OTR, xmpp, android in general

Lee Azzarello lee at guardianproject.info
Mon Dec 2 18:39:06 EST 2013 

Another description is that GibberBot differentiates between /content/
and /context/. The XMPP layer is the context, while the OTR encrypted
messages are the content. OTR content has forward secrecy, XMPP
context usually does not since it depends on a server for user
registration/location. PFS in the TLS layer depends on support along
the full network path. Not coincidently, this is the same issue in
VoIP communications.

Regards,
Lee

On Mon, Dec 2, 2013 at 2:45 PM, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> On 12/02/2013 01:46 PM, shmick at riseup.net wrote:
>> does OTR always use forward secrecy and is this suite safe even though
>> it's RC4 with MD5 ? i can only surmise that since the negotiated suite
>> is not an ECDHE, DHE or EDH one then how would forward secrecy occur ?
>> why does gibberbot even need to offer RC4_40, DES40 and empty negotiation ?
>
> You are confusing the OTR encryption that happens within the XMPP
> message contents itself, with the SSL/TLS transport layer encryption
> that occurs between Gibberbot/ChatSecure and the XMPP server.
>
> What you are seeing is the sub-optimal TLS ciphersuites that Android
> offers by default. We are aware of this, and have addressed it in the
> most recent ChatSecure builds.
>
> The forward secrecy you seek is happening at the OTR layer. If the XMPP
> server also supports it at the TLS layer, then we can also support it
> there, and prefer it now.
>
>> i read [2] once that android and the underlying java sub system overides
>> all the cipher suites 'iff' the client is not coded/created in a way
>> that presents its own preferences
>
> Here is the code we are now using to specify our own:
>
> Patch for SMACK/ASMACK XMPP Library:
> https://github.com/guardianproject/asmack/blob/master/patch/51-enable-custom-ciphers.patch
>
> The custom suites of ciphers we specify:
> https://github.com/guardianproject/ChatSecureAndroid/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/XMPPCertPins.java#L9
>
> Thanks for the question!
>
> +n
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/lee%40guardianproject.info
>
> You are subscribed as: lee at guardianproject.info

More information about the Guardian-dev mailing list