offline message end-to-end encryption via AGP #83

Closed
hmeyer opened this Issue Nov 22, 2012 · 18 comments

9 participants

hmeyer commented Nov 22, 2012

Security is essential for mobile instant messaging. While OTR is very common in Jabber implementations nowadays, it is quite impractical in a mobile environment. In those environments network connections aren't stable, IPs change, parties become offline from time to time.
As OTR needs both parties online for direct handshake, OTR won't work flawlessly in such environments.
One solution might be to give up some of the nice additional privacy properties of OTR and switch back to simple Public Key Crypto. Therefore:

Please integrate AGP (http://thialfihar.org/projects/apg/) into Yaxim. Make Yaxim the first working secure mobile messenger!


mentago commented Nov 23, 2012

It would be my great pleasure to take part in the AGP~ How can I participate?

2012/11/23 Henning Meyer notifications@github.com

> Security is essential for mobile instant messaging. While OTR is very
> common in Jabber implementations nowadays, it is quite impractical in a mobile
> environment. In those environments network connections aren't stable, IPs
> change, parties become offline from time to time.
> As OTR needs both parties online for direct handshake, OTR won't work
> flawlessly in such environments.
> One solution might be to give up some of the nice additional privacy
> properties of OTR and switch back to simple Public Key Crypto. Therefore:
>
> Please integrate AGP (http://thialfihar.org/projects/apg/) into Yaxim.
> Make Yaxim the first working secure mobile messenger!




hmeyer commented Nov 23, 2012

I guess it's fork, implement and publish git-pull requests.
First of all we would need to select a number of pgp-capable Jabber-Clients, which we can use for testing our implementation. As far as I know Psi should be PGP-capable, although I never tried to use it.


mentago commented Nov 23, 2012

Sorry~ I cannot quite follow you~

2012/11/23 Henning Meyer notifications@github.com

> I guess it's fork, implement and publish git-pull requests.
> First of all we would need to select a number of pgp-capable
> Jabber-Clients, which we can use for testing our implementation. As far as
> I know Psi should be PGP-capable, although I never tried to use it.




untitaker commented Nov 23, 2012

I think OTR support would be way more useful in practice, since it has a larger user base.


Collaborator

ge0rg commented Jan 15, 2013

OTR is already requested in #82, I will comment on that there. What is needed in the XMPP message format to indicate PGP encryption at work?


hmeyer commented Jan 16, 2013

@untitaker I disagree. OTR is not made for unreliable (e.g. mobile) networks. See @ge0rg's post in #82.


untitaker commented Jan 16, 2013

@hmeyer I didn't say OTR would be a technically better solution (I don't know about that).


hmeyer commented Jan 16, 2013

@untitaker I doubt it would even be more useful, because OTR just doesn't work in mobile networks.


doits commented Jan 19, 2013

There's also an AIDL branch of APG. I could try to get this merged into mainline of APG if you preferred to use this way to communicate with APG. Encrypting strings (messages sent by yaxim) is easy with it (with public/private keys or passwords).


Collaborator

ge0rg commented Jan 19, 2013

Check also this fork, it seems to be still under development.

I would prefer a solution that uses Intents to the APG app, not one that carries the whole code within yaxim.
Also, it should integrate with a version of APG that is available via Google Play, for the easiest user experience. I would not mind putting my own fork on Google Play for that, but I did not manage to compile the dschuermann code so far.


doits commented Jan 19, 2013

> I would prefer a solution that uses Intents to the APG app, not one that carries the whole code within yaxim

AIDL does exactly this: It is just an interface to APG to call from external programs. Basically an API to access APG from anywhere with simple (async) function calls. (Intents can provide something similar afaik, but I found AIDL easier to implement when I developed a program some years ago).

> Check also this fork, it seems to be still under development.

I see an AIDL interface is noted there in readme, too. I'm not sure what's exactly new about this fork (or is it simply developing APG further, because main development stalled?).


Collaborator

ge0rg commented Jan 19, 2013

* Markus Doits notifications@github.com [2013-01-19 14:51]:

> AIDL does exactly this: It is just an interface to APG to call from external programs.

Ok, I am fine with this. So far I only used AIDL for app-internal services, therefore the misunderstanding. Feel free to add support! :)

> I see an AIDL interface is noted there in readme, too. I'm not sure what's exactly new about this fork (or is it simply developing APG further, because main development stalled?).

I suppose it is doing further development, like an improved UI. Not sure if it is maintaining API compatibility, at least I could not find the new version on Google Play - therefore I would suggest providing compatibility with the official release, even if it is outdated.


hmeyer commented Feb 21, 2013


kevincox commented Jul 18, 2013

Just adding that Gajim has support for GPG as well so that would be good for testing.


sbriskin commented Dec 15, 2013

There have not been any changes on this issue for a long time. Hope you won't forget about it. OTR works terribly on most clients. With SSL, if the latest news about the NSA is true, there is no secure data transfer between clients and servers, so GPG is really needed. I hope yaxim will be the first mobile client that could make our talks really secure.


jplitza commented May 3, 2014

XEP 0027 has been obsoleted by the XMPP Council in its 2014-04-12 meeting because it's massively flawed (only encryption, no signing, no replay-attack protection), see XMPP E2E Security.

You might want to reconsider its implementation.
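
The replay gap named in the comment above, as an added example (not code from yaxim, APG or any participant in this thread): a XEP-0027 message carries its ciphertext in an `<x xmlns='jabber:x:encrypted'>` element and nothing else in the stanza is authenticated, so the most a receiver can do on its own is remember payload digests to spot exact re-deliveries. The stanzas and payloads are constructed placeholders, and `stanza`, `ReplayCache` and `demo` are hypothetical names.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import OrderedDict

ENCRYPTED_X = "{jabber:x:encrypted}x"  # XEP-0027 encrypted-payload element


def stanza(sender, msg_id, payload):
    """Build a constructed XEP-0027-style message (payload is a placeholder)."""
    return (
        f"<message xmlns='jabber:client' from='{sender}' to='bob@example.org' "
        f"id='{msg_id}'><body>This message is encrypted.</body>"
        f"<x xmlns='jabber:x:encrypted'>{payload}</x></message>"
    )


class ReplayCache:
    """Remembers digests of recently seen encrypted payloads (bounded LRU)."""

    def __init__(self, max_entries=1024):
        self.max_entries = max_entries
        self._seen = OrderedDict()

    def check(self, stanza_xml):
        """Return 'unencrypted', 'accept' or 'replay' for one message stanza."""
        enc = ET.fromstring(stanza_xml).find(ENCRYPTED_X)
        if enc is None or not (enc.text or "").strip():
            return "unencrypted"
        # from/to/id sit outside the ciphertext and are not authenticated,
        # so only the payload itself can serve as the replay key.
        payload = "".join(enc.text.split())  # ignore armor line wrapping
        digest = hashlib.sha256(payload.encode("ascii", "replace")).hexdigest()
        if digest in self._seen:
            self._seen.move_to_end(digest)
            return "replay"
        self._seen[digest] = True
        if len(self._seen) > self.max_entries:
            self._seen.popitem(last=False)  # evict the oldest digest
        return "accept"


def demo():
    cache = ReplayCache()
    first = stanza("alice@example.org/phone", "m1", "PLACEHOLDER-CIPHERTEXT-A")
    # Same ciphertext delivered again with different, unauthenticated attributes.
    again = stanza("alice@example.org/other", "m9", "PLACEHOLDER-\nCIPHERTEXT-A")
    fresh = stanza("alice@example.org/phone", "m2", "PLACEHOLDER-CIPHERTEXT-B")
    return [cache.check(s) for s in (first, again, fresh)]


if __name__ == "__main__":
    print(demo())
```

The cache only catches byte-identical payloads that have not yet been evicted, and it says nothing about who produced the ciphertext; that requires a signature covering the message, which XEP-0027 messages lack.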


dschuermann commented May 3, 2014

If you still want to implement some sort of PGP support, consider using our new API. See https://github.com/open-keychain/open-keychain/wiki/OpenPGP-API


Collaborator

ge0rg commented May 20, 2014

It seems like there remains no usable specification for OpenPGP integration in XMPP clients. I will close this issue for now, until a new XEP emerges for that, or until DTLS-SCTP provides sufficient maturity to be a full replacement.

ge0rg closed this May 20, 2014
