Using the OTR plugin with Pidgin for verifying GPG public key fingerprints
erythrocyte
firasmr786 at gmail.com
Sat Mar 13 12:06:52 CET 2010
On Sat, Mar 13, 2010 at 1:00 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
> > I'm a little confused as to how that makes it any different from
> > using the Pidgin OTR method.
>
> It's a question of degree, not kind.
>
> > I simply open up an OTR session, ask my friend a question the answer to
> > which is secret (only known to him)
>
> How do you know the secret is known only to him? Most "secrets" really
> aren't; a good investigator can discover an awful lot of "secret"
> information about someone. Shared-secret authentication is one of the
> weakest forms out there. It's better than nothing, but it's not something
> that ought to be relied upon. People tend to vastly overestimate how secret
> their secrets are.
>
> As an example, a few years ago I saw in a spy novel (set in the modern day)
> two protagonists negotiating a phone number over an insecure line. "Hey,
> that guy we know who did X? Take his phone number, subtract this number
> from it. The resulting phone number is what you need to call."
>
> It sounds great and reliable: it's a shared secret. The problem is it's
> totally bogus. Phone numbers aren't random. In the United States, for
> instance, phone numbers follow the NPA-NXX format. That reduces this
> question down to a glorified Sudoku: a skilled investigator could figure it
> out in just a few minutes.
>
Thanks for the explanation. Makes sense :-). I think I understand the
pitfalls much better now.