[liberationtech] security aspects of OpenQwaq

Eugen Leitl eugen at leitl.org
Mon Jun 17 07:46:23 PDT 2013


OpenQwaq is potentially a useful tool for collaboration,
especially multimedia (webcam streaming to avatar face,
audio (best with USB headset) with ability to
instantiate rooms) -- I've seen it scale to
groups of 50+ participants. Collaborative editing is
available.

Disclosure: no commercial relation to 3D ICC, just a
happy user of their hosted services.

----- Forwarded message from Ron Teitelbaum <ron at 3dicc.com> -----

Date: Mon, 17 Jun 2013 10:34:41 -0400
From: Ron Teitelbaum <ron at 3dicc.com>
To: openqwaq at googlegroups.com
Subject: RE: security aspects of OpenQwaq
X-Mailer: Microsoft Outlook 14.0
Reply-To: openqwaq at googlegroups.com

Hi Eugen,

OpenQwaq uses ARC4 for encryption.  All data end to end is encrypted over a
single port connection.

3D ICC's Immersive Terf™ uses SSL for encryption.  It's basically the same
model but we've improved it for security, performance and reliability.

All encrypted traffic is susceptible to MITM.  SSL helps this considerably
by using public certificate authorities to verify the certificates.  The
trick is to ensure that your DNS is accurate and that all certificates are
verified.

The open source version of OpenQwaq on the other hand is encrypted without
certificates.

In either case MITM would leave some significant performance footprints
(this could be improved using hardware) and it would take some engineering
to understand our overlay network protocols to make the data useful for an
attacker.

Are you safe from hackers?  Yes I would say that MITM is very unlikely for
both OpenQwaq and Terf™.

 

Are you safe from Governments?  No.  Unlimited access to resources and
direct internet filtering could in theory attack the connection using MITM
by subverting DNS, using hardware proxies, and forwarding to the server.

How safe is it?  We have been reviewed by the Federal Reserve Bank in New
York and were allowed to have our software installed internally.  We have
been used by every branch of the military (except the Marines, why I have no
idea, except maybe because the Navy used it).  We have had significant
penetration testing done by some of the largest financial institutions and
corporations in the world and have passed.  I would say that this puts us
in the upper categories of safeness but still below top secret grade*.

 

Hope that helps.

All the best,

Ron Teitelbaum
Head Of Engineering
3d Immersive Collaboration Consulting
ron at 3dicc.com
Follow Me On Twitter: <https://twitter.com/RonTeitelbaum> @RonTeitelbaum
<http://www.3dicc.com/> www.3dicc.com
<https://plus.google.com/u/0/b/108936249366287171125/108936249366287171125/posts> 3d ICC on G+

 

* If your organization is interested in sponsoring an improvement to our level
of security, 3D ICC is ready, willing and able to improve our security
using Common Criteria and Military Information Assurance standards.  We can
use data centers with certifications in SSAE16 SOC-1 Type II, Federal
Information Security Management Act (FISMA), DoD Information Assurance
Certification and Accreditation Process (DIACAP).  We would be very happy to
work with you and your organization to meet your security needs.  For more
information contact us at info at 3dicc.com.

 

 

> -----Original Message-----
> From: openqwaq at googlegroups.com [mailto:openqwaq at googlegroups.com]
> On Behalf Of Eugen Leitl
> Sent: Monday, June 17, 2013 9:11 AM
> To: openqwaq at googlegroups.com
> Subject: security aspects of OpenQwaq
>
> What's the security model of OpenQwaq?
>
> How secure is the communication model against passive sniffing?
>
> Active traffic manipulation (MITM)?
>
> --
> You received this message because you are subscribed to the Google Groups
> "OpenQwaq Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email
> to openqwaq+unsubscribe at googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

 




----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5


