Using the OTR plugin with Pidgin for verifying GPG public key fingerprints
firasmr786 at gmail.com
Sat Mar 13 12:06:52 CET 2010
On Sat, Mar 13, 2010 at 1:00 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
> > I'm a little confused as to how does that make it any different from
> > using the Pidgin OTR method.
> It's a question of degree, not kind.
> > I simply open up an OTR session, ask my friend a question the answer to
> > which is secret (only known to him)
> How do you know the secret is known only to him? Most "secrets" really
> aren't; a good investigator can discover an awful lot of "secret"
> information about someone. Shared-secret authentication is one of the
> weakest forms out there. It's better than nothing, but it's not something
> that ought to be relied upon. People tend to vastly overestimate how secret
> their secrets are.
> As an example, a few years ago I saw in a spy novel (set in the modern day)
> two protagonists negotiating a phone number over an insecure line. "Hey,
> that guy we know who did X? Take his phone number, subtract this number
> from it. The resulting phone number is what you need to call."
> It sounds great and reliable: it's a shared secret. The problem is it's
> totally bogus. Phone numbers aren't random. In the United States, for
> instance, phone numbers follow the NPA-NXX format. That reduces this
> question down to a glorified Sudoku: a skilled investigator could figure it
> out in just a few minutes.
Thanks for the explanation. Makes sense :-). I think I understand the
pitfalls much better now.