Using encryption over the WhatsApp protocol is likely to be a passive timebomb when their systems are noticing encrypted messages which they can't decrypt secretly at their servers. But they are already using the encryption in their clients. The WhatsApp plugin is almost useless right now, because we can't see the encrypted messages coming from the official clients. Encryption implementation is obligatory for the WhatsApp plugin. Therefore, there is no need to send encrypted messages, we only need to decrypt incoming text.
I believe it's important to strengthen open protocols and open software, so OMEMO in conjunction with Jabber is very, very awesome.
OK, I have talked to the rest of the team, and it looks like no one is against OMEMO, so I will work on it, but right now I am working on implementing "clientlogin" for AIM/ICQ (already paid), so OMEMO comes next )
Except that Jabber itself is very, very weak… It was born when ICQ was mainstream, but it is unwieldy and lacking many features demanded by the modern world
[16:56:41] sss@dark-alexandr.net: what prevents the server from adding one more instance, or swapping an instance for a fake one?
[16:56:51] sss@dark-alexandr.net: so it can implement classic mitm
[16:56:56] sss@dark-alexandr.net: i mean this:
[16:57:18] andy@strb.org: the same thing. users verifying keys
[16:57:41] andy@strb.org: the XEP clearly states in security considerations, that clients have to prompt the user
[16:57:56] andy@strb.org: so if a new device pops up, it's not just silently accepted. the user has to make a decision about it
[16:59:49] sss@dark-alexandr.net: 1. client connecting to server
2. client publishing omemo info
3. server takes this info into invisible cache
4. server publishing OWN omemo info
5. second client establishing omemo session but not with first client, but with server itself
6. server does the same for second client, so first client establishing session with server too, and not with second client
7. server sees all unencrypted data completely undetectable by client
[17:00:14] andy@strb.org: yeah. this is why you have to check the keys yourself
[17:00:25] sss@dark-alexandr.net: ok
[17:00:27] sss@dark-alexandr.net: understand
[17:00:28] andy@strb.org: it's the same as in any other end to end encryption, like PGP or OTR
[17:00:32] andy@strb.org: it's really unfortunate
[17:00:36] sss@dark-alexandr.net: yes
[17:00:37] andy@strb.org: but there's no other way
[17:00:56] sss@dark-alexandr.net: can i publish this part of our conversation in miranda-ng development forums ?
[17:01:09] andy@strb.org: sure
[17:01:11] sss@dark-alexandr.net: thx
[17:01:25] sss@dark-alexandr.net: so we need to implement warning about all this
[17:01:28] sss@dark-alexandr.net: thank you
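The "prompt the user on every new device" defence discussed in the chat above, as an added sketch that is not Miranda NG's or the XEP's code. `TrustStore`, the SHA-256 fingerprint form, the JID, the device ids and the keys are all constructed assumptions.

```python
import hashlib

UNDECIDED, VERIFIED, REJECTED = "undecided", "verified", "rejected"
def fingerprint(identity_key):
    # Assumed display form: SHA-256 of the public identity key, in hex.
    return hashlib.sha256(identity_key).hexdigest()

class TrustStore:
    def __init__(self):
        self.devices = {}  # (jid, device_id) -> [fingerprint, trust state]
    def observe(self, jid, published):
        # Process a device list relayed by the server; return user prompts.
        prompts = []
        for device_id, key in published.items():
            fp = fingerprint(key)
            entry = self.devices.get((jid, device_id))
            if entry and entry[0] == fp:
                continue  # known device, unchanged key
            what = "new device" if entry is None else "identity key CHANGED"
            prompts.append(f"{what}: {jid}/{device_id} {fp}")
            self.devices[(jid, device_id)] = [fp, UNDECIDED]  # never auto-trust
        return prompts

    def verify(self, jid, device_id, fp_from_owner):
        # Compare with the fingerprint the owner gave over another channel.
        entry = self.devices[(jid, device_id)]
        entry[1] = VERIFIED if entry[0] == fp_from_owner else REJECTED
        return entry[1]

    def recipients(self, jid):
        # Only verified devices are ever encrypted to.
        return sorted(d for (j, d), e in self.devices.items()
                      if j == jid and e[1] == VERIFIED)

# Constructed sample keys, not real key material.
BOB_KEY, SERVER_KEY = b"bob-identity-key", b"server-identity-key"

def demo():
    store, bob = TrustStore(), "bob@example.org"
    first = store.observe(bob, {1001: BOB_KEY})
    store.verify(bob, 1001, fingerprint(BOB_KEY))
    # Server appends a device of its own ("adding one more instance").
    added = store.observe(bob, {1001: BOB_KEY, 6666: SERVER_KEY})
    after_add = store.recipients(bob)
    # Server replaces Bob's published key with its own (steps 4-6).
    swapped = store.observe(bob, {1001: SERVER_KEY, 6666: SERVER_KEY})
    after_swap = store.recipients(bob)
    mismatch = store.verify(bob, 1001, fingerprint(BOB_KEY))
    return first, added, after_add, swapped, after_swap, mismatch
```

The injected device and the swapped key both produce a prompt and receive nothing until the user compares fingerprints out of band, which is the warning the chat concludes has to be implemented.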
A lot of people want omemo. You are the first who doesn't like the design but all crypto experts say that it is the best protocol we have.
I would pay if someone looked at/fixed the following:
https://github.com/miranda-ng/miranda-ng/issues/609 ( MsgExport's "Export All History" is very slow )
I'm working on that one already, fix is coming. :)
Commit subject
<empty line>
Optional description.
oh guys ... it's a shame, one man has paid for all of you.
That's not quite correct. There are two additional people, including me, who paid here: https://www.bountysource.com/issues/32298989-support-for-omemo-encryption
Unfortunately, that bounty has been closed for reasons that are not understandable to me. But you should request your money from bountysource.
The only thing is... I tried to get it running, but so far wasn't successful in having a single Omemo session with your plugin. See the bug report here: https://github.com/miranda-ng/miranda-ng/issues/529#issuecomment-308783899
about bountysource.com - sad, hope you guys have money back.
I believe it is marked as "closed" on BountySource because it was marked as accepted and assigned to you on Trac. But it doesn't mean the money is gone, it's still waiting for your completion of the feature. There is still a "Did you solve this issue? [Claim Bounty]" button, so you can use that.
thx for info, looks like i figured it out.
I submitted a cash out request. When will I be paid?
Cash out requests are processed every Friday. Any request submitted before the start of Friday (Pacific Time) will be processed.
I chose to be paid in a non-USD currency (e.g. Bitcoin). When will the conversion happen and what is the rate?
Conversions happen in real-time the moment cash out requests are processed by the Bountysource team. Conversions are done by our payment processors, currently Coinbase for BTC and Ripple Trade for XRP.