[guardian-dev] Gibberbot: add strong encryption level
Satz Klauer
satzklauer at googlemail.com
Wed Oct 9 01:28:23 EDT 2013
On Tue, Oct 8, 2013 at 5:07 PM, Michael Rogers <michael at briarproject.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> But OTR has an advantage over the suggested approach: if a phone is
> lost/seized/etc, previous conversations can't be decrypted.
Sorry, I don't agree with you. Servers are "secured" by self-signed
certificates mainly. If not the whole certificate thingy itself is not
secure (as we have seen last years where certificate authorities have
been hacked and crackers have created their own, fully valid but wrong
certificates).
So key exchange is done via an insecure channel, a person does not
know who gets the key or if there is a man in the middle. So this
mechanism provides some elusory security.
That's why I suggested to manage these keys local, to have really
strong keys with more than 2048 bits and to do key exchange via
Bluetooth (and therefore with face-to-face verification) only.
More information about the Guardian-dev
mailing list