XMPP Video/VoIP encrypted?
elb at pidgin.im
Thu Jun 14 12:55:09 EDT 2012
Werner Dittmann spake unto us the following wisdom:
> Am 14.06.2012 15:22, schrieb Ethan Blanton:
> > David Woolley spake unto us the following wisdom:
> >> Beeblebrox at cryptolab.net wrote:
> >> It seems to be encryption without authentication, which means it is
> >> vulnerable to man in the middle attacks.
> > Authentication can be handled by the signalling protocol that sets up
> > the RTP stream.
> Yes, but you must make sure that you have secure connections on the
> signalling level and this is not always guaranteed. Depending on the
> authentication method you need support of SIP and/or XMPP servers.

First off, this discussion has gone far enough, there's no need to
continue discussing the finer points of authentication and encryption
via protocols we don't support on the Pidgin support list. This will
be my last email on the topic.

Second, this is misleading-to-untrue. Yes, depending on the method
you use, you may need support of the servers. However, no reasonable
end-to-end method in either of these specific protocols will require
server support, as both protocols support application-specific data
exchange between peers. In the case of XMPP, no support is required
from the server whatsoever for V/V to begin with, much less for

* Pidgin does not support ZRTP, but there is no fundamental reason it
  could not do so. An interested developer could add ZRTP support to
  farstream or libpurple or whatever; farstream would get it to a
  wider audience, no doubt.
* ZRTP does not handle key exchange and authentication because the
  session initiation protocol does so on its behalf.
* Neither XMPP nor SIP requires active server participation in
  encrypted V/V, although there may be some benefits that could be
  derived from server involvement (particularly where NATs and
  firewalls get involved). I suspect on the XMPP side that IBB et al.
  are plenty sufficient, however, and no specific server involvement

So ... it would be awesome if someone wanted to work on this. As far
as I know, no active Pidgin developer is doing so. Bonus points for
tie-in with GPG, OTR, S/MIME, or other authentication mechanisms
already in use.