[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] pidgin and tor

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] pidgin and tor
From: coderman <coderman@xxxxxxxxx>
Date: Thu, 8 Oct 2015 19:53:02 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 08 Oct 2015 22:53:17 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=fGPPmsuxpj7QFO77sQ2GBiCou70I0rds/85AtZNL7JY=; b=Rx+FhbhnWSib1/b/2k8kDMnt54Z+9XjVOwA99yVzHUz0DHq3amHUueiURDSxcOASjk uK7qoXeMYPNMXBFj9Wvc/FlzlvDg5qX3qOAYwfGKygf78Gj8zBhudlC8e7mIzVJr4RIW b5g4Kr1n7znZjhIxKYZV6eRKbWLZzss9o1XbJuMODRrKAwZtYbfAitE6tBpkmlIWSxDt jyBQwcvQlzbZY3zbCHc8pT33JxCZaSz3pZBDcDCOkiYIVI/bTSt4IgmUrAZDZ817/yPi TDGAY/i4aualhwrOWF/MFtvfd7NNZEJm9lJdsFmw0ZT2NMgsT/OtetuUdG3ow5zaSkzn 9CMA==
In-reply-to: <20151008191015.GC30048@xxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <5609B662.8010702@xxxxxxxxxxxxx> <560A62FD.7070308@xxxxxxxxxxxx> <829658081.4249.1443539214512.JavaMail.open-xchange@ox1app> <560B1BEF.20203@xxxxxxxxxxxxx> <CAJVRA1T_7RJEHQv9wcbTwSnv+05cKxE2TmRUYa08oTRYPDddeA@xxxxxxxxxxxxxx> <20151008191015.GC30048@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On 10/8/15, sh-expires-12-2015@xxxxxxxxxxxxxxxx
<sh-expires-12-2015@xxxxxxxxxxxxxxxx> wrote:
> ....
> One of the major problems is the design of Pidign, which tries
> to build a convenient IM client before it takes security into
> consideration

"security vs. usability", as ever...

> Still, it is possible to a achieve a high degree of privacy.
> The amount of "security" will vary and depend on many factors.
>
> A vm is none of them:
> Confining it, doesn't make it more secure, and it mitigates nothing in
> pidgin or libpurple. A broken IM client is still broken, even when
> confined (I am tempted to say buried) in a VM.

consider the Tor Browser PDF exploit that accessed $HOME for keys and other.

if Tor Browser (and Pidgin) are isolated from each other, this $HOME
type attack of reduced risk.

one example.

> If OP has to rely on an IM, like pidgin or a protocol, there is no more
> or added "security" by putting it into a vm or container.
> All he gains is isolation in a best case scenario.

do you not see the benefit in isolating applications at risk of rogue
remote execution?

i agree it is not the only security measure, nor the most important.
but it is useful, and that is why i mention it. more useful would be
using a secure client, but, again, usability.

> Honestly, let's recommend a more secure implemenation
> of the protocol OP wishes to use and educate OP how to use it in
> a manner, that neither privacy and anonymity of the involved parties
> are compromised and the authenticity of the exchanged messages is given.

i disagree with this approach. make the secure usable. don't force
users to adapt to "secure".

> Using Tor with Pidgin, we are at a disadvantage...
> If security is a result of good design, good design is when there
> is nothing left to remove and the design is still secure.

so, you're going to design and implement a usable, secure chat and presence?
:)

> Contrary to the popular misconception, that security is some kind of
> fairydust, product or duct-tape that we can apply to protocols or software
> afterwarts.

actually, i saw this Kickstarter the other day...  ;P

best regards,
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] pidgin and tor
  - From: sh-expires-12-2015@xxxxxxxxxxxxxxxx

References:
- Re: [tor-talk] pidgin and tor
  - From: coderman
- Re: [tor-talk] pidgin and tor
  - From: sh-expires-12-2015@xxxxxxxxxxxxxxxx

Prev by Author: Re: [tor-talk] pidgin and tor
Next by Author: Re: [tor-talk] Question
Previous by thread: Re: [tor-talk] pidgin and tor
Next by thread: Re: [tor-talk] pidgin and tor
Index(es):
- Author
- Thread