diff options
author | 2013-07-23 18:46:09 -0400 | |
---|---|---|
committer | 2013-07-23 18:46:09 -0400 | |
commit | bd9ef0f2530a848ff3f6a58a5e449b4e2b2209f8 (patch) | |
tree | 99f670e9265378da029377071db9c86d43a13faf /doc/design/assistant/xmpp_security.mdwn | |
parent | afa0d5c0d18f6f69ffbc55c26edde47b0c9ce949 (diff) |
roadmap for next year's work
Diffstat (limited to 'doc/design/assistant/xmpp_security.mdwn')
-rw-r--r-- | doc/design/assistant/xmpp_security.mdwn | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/doc/design/assistant/xmpp_security.mdwn b/doc/design/assistant/xmpp_security.mdwn new file mode 100644 index 000000000..6b2b728f2 --- /dev/null +++ b/doc/design/assistant/xmpp_security.mdwn @@ -0,0 +1,26 @@ +Currently [[xmpp]] relies on the SSL connection to the server for security. +The server can see git repository data pushed through it. (Also, the SSL +connection is not pinned or really checked well at all.) + +Add an encryption layer that does not rely on trusting the XMPP server's +security. There are a few options for how to generate the key for eg, +AES encryption: + + * Do a simple Diffie-Hellman shared key generation when starting each XMPP + push session. Would not protect the users from active MITM by the + XMPP server, but would prevent passive data gathering attacks from + getting useful data. Since the key is ephemeral, would provide + Forward Security. + * Do D-H key generation, but at pairing, not push time. Allows for an + optional confirmation step, using eg, BubbleBabble to compare the + keys out of band. ("I see xebeb-dibyb-gycub-kacyb-modib-pudub-sefab-vifuc-bygoc-daguc-gohec-kuxax .. do you too?") + * Prompt both users for a passphrase when XMPP pairing, and + use SPEKE (or similar methods like J-PAKE) to generate a shared key. + Avoids active MITM attacks. Makes pairing harder, especially pairing + between one's own devices, since the passphrase has to be entered on + all devices. Also problimatic when pairing more than 2 devices, + especially when adding a device to the set later, since there + would then be multiple different keys in use. + * Rely on the user's gpg key, and do gpg key verification during XMPP + pairing. Problimatic because who wants to put their gpg key on their + phone? Also, require the users be in the WOT and be gpg literate. |