XMPP

316 readers

7 users here now

XMPP (aka Jabber) is the community-owned standard for real-time federated messaging.

For a quick start click here

JoinJabber.org support chat

JoinJabber.org admin support chat

XMPP.net Provider List

Also see JoinJabber.org FAQ

founded 1 year ago

MODERATORS

[email protected]

Dhole Moments: Against XMPP+OMEMO - Dhole Moments (soatok.blog)

submitted 3 months ago by [email protected] to c/[email protected]

12 comments fedilink hide all child comments

This blog post, and some of its comments are pretty interesting and concerning at the same time. Not really sure if in the end that means that nothing other than centralized controlled messaging can be as cryptography safe.

Any comments?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 6 points 3 months ago* (last edited 3 months ago) (8 children)

Despite the strong opinions expressed, they didn't actually find any real issues?

It's clear that they have no objections against the latest version of OMEMO (which is very similar to Signal's e2ee anyways), and the problem with the earlier version is more theoretical in nature. But yes, it would be nice if more clients would upgrade to OMEMO v0.8, but at least for Conversations there are some upstream library deficiencies that make it hard to do so.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (7 children)

Well, there is something mentioned about latest version of omemo:

OMEMO doesn’t attempt to provide even the vaguest rationale for its design choices, and appears to approach cryptography protocol specification with a care-free attitude.

To put it mildly, this is the wrong way to approach cryptography

...

Because there is no rationale given for this sudden square-root reduction in security against existential forgery attacks, we kind of have to fill in the gaps and assume it was because of some kind of performance or bandwidth considerations.

But even that doesn’t really justify it, does it?

You’re only saving 16 bytes of bandwidth by truncating the MAC. Meanwhile, the actual ciphertext blobs are being encoded with base64, which adds 33% of overhead.

For any message larger than 48 bytes, this base64 encoding will dominate the bandwidth consumption more than using the full HMAC tag would.

...

Is truncating the HMAC tag to to 128 bits still secure? According to Signal, yes, it is. And I offer no disagreement to Signal’s assessment here.

The problem is, as I’ve said repeatedly, OMEMO’s specification makes no attempt to justify their design decisions.

Then on one of the comments, there's an interesting comment on something signal has mentioned it's working on quantum resistance, that it's no clear is something omemo will support, and even less when clients might adopt if eventually available:

Indeed quite often someone compares the two protocols and implies OMEMO is as mature as the current state of the art Signal protocol. Allow me to throw in the emerging post-quantum support that Signal is adding or already has in libsignal.

Somehow is implied on the comment that omemo is immature compared to libsignal...

At any rate, dino uses libsignal-protocol-c (on Artix/Arch 2.3.3), not libomemo, and conversations uses libaxolotle-java (according to the "about" section in the settings). So somehow using signal library underneath. Although I have no idea how up to date with regards to the signal library those might be (though the axolotl dependency on conversations allows to think it's outdated). And for conversations the author mentions:

To be clear: These aren’t separate dependencies that Conversations pulls in to implement plugin supports. They’re first-party cryptographic implementations all within this Android app’s codebase.

I guess by 1st party the author means like copy/paste the code (with local twists, which might be dangerous but perhaps necessary) to have a local version of the libraries. This sounds like a non version related criticism, but it's client related rather than protocol related, however the author mentions other clients are way worse, leaving no hope...

I don't see on dino an option to always use omemo BTW, not sure if dino just it implies omemo by default, but it doesn't have a way to force it. Perhaps a feature to ask dino developers...

At any rate, according the post there's little hope for xmpp + omemo. Which was actually something I was still hoping for, well, besides getting jami working at some point (but it has crypto issues on its own, including lack of auditing).

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (6 children)

I don't find "the change-log lacks detail" to be a serious critique. That's just grasping for straws to support a preconceived opinion.

As for "post-quantum" encryption... I have a hard time taking people serious that use such buzz-words, when quantum computing is still largely a theoretical concept with no real-world application. Sure, it's worth researching cryptographic concepts that are resilient to this hypothetical attack, but everyone that peddles that stuff today in e2ee messengers is a snake-oil vendor.

As for mandatory e2ee, let's just say that opinions differ on that, and it's not a valid critique of the security of a messenger whether nor not it enforces e2ee. I personally prefer choice with good defaults.

[–] [email protected] 1 points 3 months ago

I see, thanks !

load more comments (5 replies)