17 06 | 2013

Encryption without a certification layer is (partly) useless

Written by Tanguy

Classified in : Homepage, Debian, Grumble

With the PRISM scandal, there has been some talk about encrypted communication systems. For instance, BitMessage is often presented as an easy and secure messaging system that would let you communicate with no possible eavesdropping. Apple makes similar claims about its iMessage and FaceTime systems.

This is a good time to recall this: without direct contact or a certification layer, encryption systems are not secure! Or at least, not as secure as you would expect, since they still allow some kind of eavesdropping (an active attacker who substitutes his own key can read and alter everything).


01 09 | 2012

XMPPloit explained

Written by Tanguy

Classified in : Homepage, Debian, Jabber

XMPPloit is an exploit tool for a so-called “flaw” in the XMPP protocol. It was published recently under the GPLv3 license and has received a lot of comment. However, nobody seems to have taken the time to study this attack and explain it.

Goals

XMPPloit is designed to act as a transparent man-in-the-middle between an XMPP client and its XMPP server, in order to force the client not to encrypt its communications, so that they can be read and modified on the fly.

This makes it possible to force the client into a clear-text authentication mechanism, to expose its login and password, and to modify any message it sends or receives.
