Difference between pages "XMPP E2E Security" and "Conferences/FOSDEM 2019"

From XMPP WIKI
(Difference between pages)

'''Page: XMPP E2E Security'''
This page aims to provide an overview, comparison and evaluation of existing and proposed end-to-end security solutions for XMPP, after describing the characteristics of the XMPP setting with regard to communication and its security.

== XEP-0384: OMEMO Encryption (Signal / TextSecure) ==

'''Recommendation:''' Implement.

OMEMO is based on the Signal double ratchet and provides forward secrecy, compatibility with history retrieval for devices that are already part of the ratchet, and a number of other benefits over legacy encryption mechanisms. It has had an independent third-party audit (see the related links at the bottom).

== XEP-0373: OpenPGP for XMPP / XEP-0374: OpenPGP for XMPP Instant Messaging ==

'''Recommendation:''' Exploratory implementations are encouraged.

The OpenPGP for XMPP (OX) specification currently consists of a baseline specification, [https://xmpp.org/extensions/xep-0373.html XEP-0373], and a profile for instant messaging, [https://xmpp.org/extensions/xep-0374.html XEP-0374]. It is under active development and thus subject to change, although most parts can be considered fairly stable.

OX attempts to fix the various security design flaws of XEP-0027 and additionally specifies features such as verification and protection of "arbitrary extension elements", not only the message body.

Implementations are available for Gajim and Smack, and have been successfully tested against each other for interoperability.

== XEP-0027 (Legacy OpenPGP) ==

'''Recommendation:''' Do '''not implement''', as the specification has [https://xmpp.org/extensions/xep-0027.html#security serious security issues].

One of the first proposals for end-to-end security in XMPP is based on [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] and is described in [http://xmpp.org/extensions/xep-0027.html XEP-0027].

The way XEP-0027 uses PGP provides no protection against replay attacks. It also only encrypts messages and does not sign them, so anyone holding the recipient's public key can replace a message on the wire with a different, correctly encrypted one, and the recipient has no way to tell. [http://logs.xmpp.org/xsf/140301/#11:22:52 (Source: chat in xsf@m.x.o)] The XMPP Council therefore obsoleted it in its [http://logs.xmpp.org/council/2014-03-12/#16:08:19 meeting on 2014-03-12].

== OTR (Off-the-record Messaging) ==

'''Recommendation:''' Do not implement unless compatibility with legacy clients is required.

[https://otr.cypherpunks.ca/ OTR] is a cryptographic protocol specifically designed to secure instant messaging conversations. Its use over XMPP is documented (but not standardized) in [https://xmpp.org/extensions/xep-0364.html XEP-0364].

= Comparative Overview =
{| class="wikitable" style="text-align: center;"
|-
!rowspan="2" |Proposal
!colspan="5" |Security property
!colspan="2" |Communication patterns
!colspan="3" |Compatibility with XMPP
|-
![https://en.wikipedia.org/wiki/Digital_signature#Authentication Authenticity]
![https://en.wikipedia.org/wiki/Information_security#Integrity Integrity]
![https://en.wikipedia.org/wiki/Encryption Encryption]
![https://en.wikipedia.org/wiki/Forward_secrecy Forward secrecy]
![https://en.wikipedia.org/wiki/Malleability_(cryptography) Malleability]
!One-to-One
!Groupchat
!Offline messages
!Multiple resources
!Discovery of support
|-
|OMEMO (XEP-0384)
|Yes
|Except in the case of a malicious authenticated device
|Yes
|Yes
|By authenticated devices
|Yes
|Yes (Non-anonymous only)
|Yes
|Yes
|Yes
|-
|XEP-0374: OpenPGP for XMPP Instant Messaging
|Yes
|Yes
|Yes
|No
|N/A
|Yes
|Possible and planned, but currently unspecified
|Yes
|Yes
|Yes
|-
|Legacy PGP (XEP-0027)
|No (messages only encrypted, not signed)
|No
|Yes
|No
|N/A
|Yes
|No
|Yes
|Yes (if same keypair at all resources)
|No
|-
|OTR
|Yes
|Yes
|Yes
|Yes
|Yes
|Yes
|No
|No
|No
|No
|}
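The security-property columns of the table above, and the XEP-0027 and OMEMO sections that feed them, exercised in a constructed teaching model. This is an added example, not code from any XMPP client, library or XEP: standard-library Python in which HMAC-SHA256 serves as KDF, as MAC and, in counter mode, as stream cipher. A single symmetric key stands in for the recipient's OpenPGP key in the XEP-0027-shaped scheme, and the Signal double ratchet that OMEMO builds on is reduced to one symmetric sending chain. Every function name, key and message below is made up for the demonstration.

```python
"""Constructed teaching model of the properties compared in the table above.
Not code from any XMPP client, library or XEP. Stdlib only: HMAC-SHA256 is the
KDF, the MAC and, in counter mode, the stream cipher."""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, counter) blocks; decrypt == encrypt."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, b"stream" + (i // 32).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# "legacy", the XEP-0027 shape: encryption only. Nothing authenticates the
# sender, detects modification, or notices that a message was delivered before.
def legacy_send(key: bytes, plaintext: bytes):
    nonce = os.urandom(16)
    return nonce, stream_xor(prf(key, nonce), plaintext)


def legacy_receive(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return stream_xor(prf(key, nonce), ciphertext)


# "chain", one symmetric sending chain of the double ratchet OMEMO builds on:
# a fresh key per message, a tag checked before anything is accepted, and
# every used message key deleted so that a later compromise cannot reach it.
class ChainSender:
    def __init__(self, chain_key: bytes):
        self.ck, self.n = chain_key, 0

    def send(self, plaintext: bytes):
        mk, self.ck = prf(self.ck, b"message"), prf(self.ck, b"chain")  # ratchet
        header = self.n.to_bytes(4, "big")
        self.n += 1
        ct = stream_xor(prf(mk, b"enc"), plaintext)
        tag = hmac.new(prf(mk, b"mac"), header + ct, hashlib.sha256).digest()
        return header, ct, tag


class ChainReceiver:
    def __init__(self, chain_key: bytes, n: int = 0):
        self.ck, self.n = chain_key, n
        self.skipped = {}  # message keys held back for out-of-order delivery

    def receive(self, header: bytes, ct: bytes, tag: bytes) -> bytes:
        n = int.from_bytes(header, "big")
        ck, next_n, new_skipped = self.ck, self.n, {}
        if n in self.skipped:
            mk = self.skipped[n]
        elif n < self.n:
            raise ValueError(f"replay: key for message {n} was used and deleted")
        else:
            for i in range(self.n, n + 1):  # advance the chain up to message n
                mk, ck = prf(ck, b"message"), prf(ck, b"chain")
                if i < n:
                    new_skipped[i] = mk
            next_n = n + 1
        expected = hmac.new(prf(mk, b"mac"), header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed: tag mismatch")
        self.ck, self.n = ck, next_n  # commit state only after the tag verified
        self.skipped.update(new_skipped)
        self.skipped.pop(n, None)  # the used key is gone for good
        return stream_xor(prf(mk, b"enc"), ct)


def rejected(rx: ChainReceiver, msg) -> bool:
    try:
        rx.receive(*msg)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run both schemes against replay, tampering, forgery and reordering."""
    r = {}
    flip = bytes(a ^ b for a, b in zip(b"pay 10 EUR", b"pay 90 EUR"))  # tamper mask
    key = os.urandom(32)  # stands in for the recipient's OpenPGP key
    nonce, ct = legacy_send(key, b"pay 10 EUR")
    twice = [legacy_receive(key, nonce, ct) for _ in range(2)]  # same stanza again
    r["legacy_replay_accepted"] = twice == [b"pay 10 EUR"] * 2
    forged = bytes(c ^ d for c, d in zip(ct, flip))
    r["legacy_tamper_undetected"] = legacy_receive(key, nonce, forged) == b"pay 90 EUR"
    shared = os.urandom(32)  # stands in for the secret both devices agreed on
    tx, rx = ChainSender(shared), ChainReceiver(shared)
    m0 = tx.send(b"pay 10 EUR")
    r["chain_genuine_accepted"] = rx.receive(*m0) == b"pay 10 EUR"
    r["chain_replay_rejected"] = rejected(rx, m0)
    h1, c1, t1 = tx.send(b"pay 10 EUR")
    r["chain_tamper_rejected"] = rejected(rx, (h1, bytes(c ^ d for c, d in zip(c1, flip)), t1))
    r["chain_forgery_rejected"] = rejected(rx, (h1, c1, os.urandom(32)))  # no key, no tag
    r["chain_genuine_after_rejects"] = rx.receive(h1, c1, t1) == b"pay 10 EUR"
    m2, m3 = tx.send(b"two"), tx.send(b"three")
    r["chain_out_of_order_ok"] = rx.receive(*m3) == b"three" and rx.receive(*m2) == b"two"
    r["chain_late_replay_rejected"] = rejected(rx, m2)
    r["chain_keeps_no_used_keys"] = rx.skipped == {} and rx.n == 4
    # A copy of the current state reads every later message (a bare symmetric
    # chain has no post-compromise security) but none earlier: those keys are gone.
    spy = ChainReceiver(rx.ck, rx.n)
    r["stolen_state_reads_future"] = spy.receive(*tx.send(b"four")) == b"four"
    return r
```

Two caveats on what the model can and cannot show. The bit-flip on the legacy side is a property of the unauthenticated stream cipher used here; XEP-0027's documented problem is that anyone holding the recipient's public key can substitute a whole, correctly encrypted message, which a symmetric stand-in cannot reproduce, but both come down to the same missing sender authentication that the table records as "Authenticity: No". The last check goes beyond the OMEMO paragraph: a symmetric chain alone gives forward secrecy (used keys are deleted and the chain function is one-way) but no post-compromise security, since a copied chain state decrypts every later message; the Signal double ratchet that OMEMO uses adds a Diffie-Hellman step to each reply to heal from that, which this model omits.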


= Related Documents =
* https://developer.pidgin.im/wiki/EndToEndXMPPCrypto
* http://trevp.net/talk_2014_04_02.pdf
* https://conversations.im/omemo/audit.pdf
 
= Discussion =
If you have any questions or comments regarding this page, please [xmpp:xsf@muc.xmpp.org?join join the XSF chatroom at xsf@muc.xmpp.org].
 
= Abandoned and Legacy E2EE specifications =
 
These specifications are most likely no longer relevant. They are listed here only for the sake of completeness.
 
== draft-miller-xmpp-e2e ==
 
https://datatracker.ietf.org/doc/draft-miller-xmpp-e2e/
 
== ESessions ==
 
https://xmpp.org/extensions/xep-0187.html
https://xmpp.org/extensions/xep-0188.html

'''Page: Conferences/FOSDEM 2019''' (Revision as of 11:19, 8 January 2019)

= Introduction =
FOSDEM 2019 (the [http://www.fosdem.org Free and Open Source Software Developers' Europe Meeting]) will take place on Saturday, February 2 and Sunday, February 3, 2019 in Brussels, Belgium.

= Proposals =
Anyone applying to [https://fosdem.org/2019/schedule/#lightningtalks Lightning Talks], or otherwise planning any involvement? Please leave details on this wiki page!

FOSDEM 2019 will be preceded by [[Summit 23|XMPP Summit 23]].

'''The XSF needs your help to make FOSDEM a success!'''

= Who will be there =
The following people plan to be there in person.

{| class="wikitable sortable"
! Given name
! Family name
! Nickname
|-
| Paul
| Schaub
| vanitasvitae
|-
| Guus
| der Kinderen
| guus
|-
| Maxime
| Buquet
| [[User:pep.|pep.]]
|}

= Hotel =
'''Work in progress'''

= Submitted Talks =
{| class="wikitable"
! Track
! Name
! Title
! Description
! Time
|- style="vertical-align: top;"
| Real Time Communications (RTC) devroom
| JC Brand
| Converse: Open, federated teamchat with XMPP
|
| Sunday 2019-02-03, 14:00
|}

----

{|
|+ SCAM metadata
! Event on wiki main page (under 'upcoming events')?
| No
|-
! Announced on mailing list?
| No
|-
! Event on XSF Shared Calendar?
| No
|-
! Twitter announcement
| None yet
|-
! Blogpost announcement
| None yet
|-
! Blogpost wrapup
| None yet
|}

[[Category:SCAM]]