[liberationtech] security aspects of OpenQwaq

Tom Ritter tom at ritter.vg
Tue Jun 18 06:28:05 PDT 2013


The claim of end to end encryption gives me pause, although I'm also not
clear on the differences between the products and which claim applies to
which.  Do they claim the other end is them the provider, or the other user?

It gives me pause because
1) They say they use SSL with CA certs.  But if Joe the user is an end, how
do they give him a public CA cert?
2) Multiparty end to end encryption is... mpOTR (to some extent, it
probably doesn't have PFS or repudiation).  That's a hard problem.  Not
saying they couldn't have solved it or made good progress on it, but I am
saying I think every cryptographer in this space would be extremely
interested in looking at the protocol.

(I also don't care for the smaller trend of "Free but insecure or pay us
for secure!")

-tom


On Jun 17, 2013 10:46 AM, "Eugen Leitl" <eugen at leitl.org> wrote:

>
> OpenQwaq is potentially a useful tool for collaboration,
> especially multimedia (webcam streaming to avatar face,
> audio (best with USB headset) with ability to
> instantiate rooms) -- I've seen it scale to
> groups of 50+ participants. Collaborative editing is
> available.
>
> Disclosure: no commercial relation to 3D ICC, just a
> happy user of their hosted services.
>
> ----- Forwarded message from Ron Teitelbaum <ron at 3dicc.com> -----
>
> Date: Mon, 17 Jun 2013 10:34:41 -0400
> From: Ron Teitelbaum <ron at 3dicc.com>
> To: openqwaq at googlegroups.com
> Subject: RE: security aspects of OpenQwaq
> X-Mailer: Microsoft Outlook 14.0
> Reply-To: openqwaq at googlegroups.com
>
> Hi Eugen,
>
> OpenQwaq uses ARC4 for encryption.  All data end to end is encrypted over a
> single port connection.
>
> 3D ICC's Immersive Terf T uses SSL for encryption.  It's basically the same
> model but we've improved it for security, performance and reliability.
>
> All encrypted traffic is susceptible to MITM.  SSL helps this considerably
> by using public certificate authorities to verify the certificates.  The
> trick is to ensure that your DNS is accurate and that all certificates are
> verified.
>
> The open source version of OpenQwaq on the other hand is encrypted without
> certificates.
>
> In either case MITM would leave some significant performance footprints
> (this could be improved using hardware) and it would take some engineering
> to understand our overlay network protocols to make the data useful for an
> attacker.
>
> Are you safe from hackers?  Yes, I would say that MITM is very unlikely for
> both OpenQwaq and TerfT.
>
> Are you safe from Governments?  No.  Unlimited access to resources and
> direct internet filtering could in theory attack the connection using MITM
> by subverting DNS, using hardware proxies, and forwarding to the server.
>
> How safe is it?  We have been reviewed by the Federal Reserve Bank in New
> York and were allowed to have our software installed internally.  We have
> been used by every branch of the military (except the Marines, why I have
> no idea, except maybe because the Navy used it).  We have had significant
> penetration testing done by some of the largest financial institutions and
> corporations in the world and have passed.  I would say that this puts us
> in the upper categories of safeness but still below top secret grade*.
>
> Hope that helps.
>
> All the best,
>
> Ron Teitelbaum
> Head Of Engineering
> 3d Immersive Collaboration Consulting
> ron at 3dicc.com
> Follow Me On Twitter: @RonTeitelbaum <https://twitter.com/RonTeitelbaum>
> www.3dicc.com <http://www.3dicc.com/>
> 3d ICC on G+ <https://plus.google.com/u/0/b/108936249366287171125/108936249366287171125/posts>
>
> * If your organization is interested in sponsoring an improvement to our
> level of security, 3D ICC is ready, willing and able to improve our security
> using Common Criteria and Military Information Assurance standards.  We can
> use data centers with certifications in SSAE16 SOC-1 Type II, Federal
> Information Security Management Act (FISMA), DoD Information Assurance
> Certification and Accreditation Process (DIACAP).  We would be very happy to
> work with you and your organization to meet your security needs.  For more
> information contact us at info at 3dicc.com.
>
>
> > -----Original Message-----
> > From: openqwaq at googlegroups.com [mailto:openqwaq at googlegroups.com]
> > On Behalf Of Eugen Leitl
> > Sent: Monday, June 17, 2013 9:11 AM
> > To: openqwaq at googlegroups.com
> > Subject: security aspects of OpenQwaq
> >
> > What's the security model of OpenQwaq?
> >
> > How secure is the communication model against passive sniffing?
> >
> > Active traffic manipulation (MITM)?
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "OpenQwaq Forum" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to openqwaq+unsubscribe at googlegroups.com.
> > For more options, visit https://groups.google.com/groups/opt_out.
>
> ----- End forwarded message -----
> --
> Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
> AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
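An added illustration of the "encrypted without certificates" point in the thread above (this is not OpenQwaq or 3D ICC code; keys and message are constructed): ARC4/RC4 is a stream cipher that gives confidentiality only, so a receiver that merely decrypts will accept a ciphertext altered in transit, which is what a keyed MAC, or an authenticated transport such as certificate-verified SSL, exists to detect.

```python
# Added example, not OpenQwaq or 3D ICC code. Keys and message are constructed.
# RC4 output is plaintext XOR keystream, so a ciphertext byte altered in transit
# decrypts to a plaintext byte altered in the same bit positions, and a receiver
# that only decrypts cannot notice. An HMAC over the ciphertext detects it.
import hmac
import hashlib

def rc4_keystream(key: bytes):
    """RC4 key scheduling (KSA) followed by the PRGA, as a byte generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same XOR operation) with RC4."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def corrupt_byte(data: bytes, index: int, mask: int) -> bytes:
    """Constructed in-transit change to one byte, standing in for either an
    active MITM or a plain transmission error; the receiver cannot tell."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)

def receive_encrypt_only(key: bytes, ct: bytes) -> bytes:
    """Encryption without authentication: whatever arrives is decrypted and used."""
    return rc4(key, ct)

def seal(key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256 over the ciphertext (32-byte tag)."""
    ct = rc4(key, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def receive_authenticated(key: bytes, mac_key: bytes, msg: bytes):
    """Verify the tag in constant time before decrypting; None means reject."""
    ct, tag = msg[:-32], msg[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return rc4(key, ct)
```

Note that adding a MAC addresses integrity of a single session only; who holds the keys at each end (the provider or the other user, as the reply above asks) is a separate question that a cipher cannot answer.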