work on miranda-ng for money

[Tragen]

Sounds good. What do you think how long it will take to fix it so you could start with OMEMO?
Think about creating the funding now so we can get enough money for it the next days/weeks.

[sss123next]

can't say exactly, but i think few days.

[Testertime]

ok, i have talked to rest of team, look like no one against omemo, so i will work on it, but now i am working on  implementing "clientlogin" for aim/icq (already paid), so omemo comes next )

Thank you!

Except that Jabber itself is very, very weak… It was born when ICQ was mainstream, but it is unwieldy and lacking many features demanded by modern world

Yeah, it has sadly it's flaws. But ... what is the next best open alternative? Obviously these companies have a huge advantage with their money, and almost every time they don't care about privacy and an open standard and are interested in snooping. It is sadly the same problem like with e-mail. It is so old and has flaws, but who will establish a newer and open-minded standard? Commerical companies most likely not. Especially not in times where people are even using Skype and WhatsApp for highly private and business conversations.

So we need to make the best out of the existing standards. Daniel Gultsch has shown with his effort on the Conversations app and the new HTTP file upload XEP extension that there is a lot of potential to make it much better for everyone. And the situation with Jabber is looking a ton better than it was the case a few years ago.

[sss123next]

about jabber weakness...
from time to time i am thinking about binary efficient protocol with best of xmpp concepts in core, but..., i am to lazy to create it, also i am not good at advertising things to public, so it will be unknown even if i ever implement it...
so for now jabber is the only solution we have
about money, i do not need all at once, it will be ok to be small donations from time to time via different payment systems (via darknets, hidden, secure, unknowm .... ))))) )))

[Vulpix]

how about Tox. Already implemented and supports binary communication. End to end encryption, fully P2P. @ https://tox.chat/

I already bountied/paid one to Unsane (thanks @unsane!) for creating the tox implementation for miranda. Currently working pretty well except for group chats, but those are being worked on.

Bounty @ http://forum.miranda-ng.org/index.php?topic=2487.msg11273#msg11273

[sss123next]

from my point of view, currently tox lacking of offline storage (which may be implemented i think), so contact list can be stored in net, offline messages can be stored, and another related info can be stored in net

[sss123next]

so, aim clientlogin mostly done, few things left to be implemented (it's using non-standart http which is currently impossible to implement via miranda api), i think soon i can start work  with omemo.

[DreamFlasher]

I created a bounty for OMEMO implementation for Miranda here: https://www.bountysource.com/issues/32298989-support-for-omemo-encryption

[sss123next]

thx, it's long delay, but now aim finally working as it should (at least login part) http://trac.miranda-ng.org/changeset/17193/
it taken a bit more time than expected (some changes and fixes in core, not only in aim itself)

so as i promised omemo will come next, i will start working on it in week or so.

[sss123next]

i am ready to start, but first all who want to pay for this should understand few things
1. read this https://conversations.im/xeps/multi-end.html#security
also i have little conversation with this protocol extension creator, and here it is (with permission from him):

Code: [Select]

[16:56:41] sss@dark-alexandr.net: what prevent server from adding one more instance, or swap instance by fake one ?
[16:56:51] sss@dark-alexandr.net: so it can implement classic mitm
[16:56:56] sss@dark-alexandr.net: i mean this:
[16:57:18] andy@strb.org: the same thing. users verifying keys
[16:57:41] andy@strb.org: the XEP clearly states in security considerations, that clients have to prompt the user
[16:57:56] andy@strb.org: so if a new device pops up, it's not just silently accepted. the user has to make a decision about it
[16:59:49] sss@dark-alexandr.net: 1. client connecting to server
2. client publishing omemo info
3. server takes this info into invisible cache
4. server publishing OWN omemo info
5. second client establishing omemo session but not with first client, but with server itself
6. server do the same for second client, so first client establishing session with server too, and not with second client
7. server see all unencrypted data completely undetectable by client
[17:00:14] andy@strb.org: yeah. this is why you have to check the keys yourself
[17:00:25] sss@dark-alexandr.net: ok
[17:00:27] sss@dark-alexandr.net: understand
[17:00:28] andy@strb.org: it's the same as in any other end to end encryption, like PGP or OTR
[17:00:32] andy@strb.org: it's really unfortunte
[17:00:36] sss@dark-alexandr.net: yes
[17:00:37] andy@strb.org: but there's no other wy
[17:00:56] sss@dark-alexandr.net: can i publish this part of our conversation in miranda-ng development forums ?
[17:01:09] andy@strb.org: sure
[17:01:11] sss@dark-alexandr.net: thx
[17:01:25] sss@dark-alexandr.net: so we need to implement warning about all this
[17:01:28] sss@dark-alexandr.net: thank you
so as this extension have automatic key exchange implemented, it will be easy target to attack, so all keys must be at least double checked.

[Tragen]

There is also a plugin for Profanity. Perhaps you can get code/ideas from there.
https://github.com/ReneVolution/profanity-omemo-plugin

[sss123next]

i have read specs and do not like design of key exchange mechanism, it have potential easy to attack flaws, also seems not many peoples wanted this feature ...

[Tragen]

A lot of people want omemo. You are the first who doesn't like the design but all crypto experts say that it is the best protocol
we have.

[sss123next]

it have strictly standartized key echange, and even worse, it controlled by server pubsub module which is perfect place to implement completely automated mitm attack.

[sss123next]

anyway, what about the money ?
unfortunately currently i do not have free time for free, also i do not like omemo itself, it is a right direction of course, and very good what we have new standards moving in right way, but this key exchange part...
i dislike it a lot, and it key concept for omemo to work...