[liberationtech] WebRTC - voice authentication to the rescue

carlo von lynX lynX at time.to.get.psyced.org
Thu Jan 23 12:11:32 PST 2014


On Thu, Jan 23, 2014 at 11:58:28AM -0800, Tony Arcieri wrote:
> ZRTP authentication works by negotiating what's called a "short
> authentication string" between peers. If there's no MitM, both sides will
> see the same string.
> 
> To authenticate, you start a voice/video call. You will see the person
> you're expecting, but at this point the link is insecure and may be MitMed.
> 
> However, Alice can read off the Short Authentication String to Bob. Short
> of fancy realtime video editing and voice impersonators, the string will be
> incorrect if the connection is being MitMed.

Alright, that is a nifty approach to handling the problem. Two questions
remain: will implementations like Chrome care to show such a string on the
screen, and will a sufficient number of people do such a check?

> Once this has been done successfully once, ZRTP stores some "continuity
> data" so the next time you authenticate to the same person, the previous
> authentication will ensure future connections are secured.

In web architecture people usually have no identity, the identity is
defined by the server. Is ZRTP introducing a way to identify web browsers
persistently? Will the browser vendors like that? If it only happens once
both sides have ack'd that they intend to have a conversation, then I
guess it's okay to do this.

Somewhat opportunistic approach, but indeed better than Skype. Now we
just need to get people to use free and reproducible implementations
rather than binaries that can be shot at as you download them - but
that's a general problem with the current Internet.

Thanks Tony, you restored a bit of hope in WebRTC. But please ensure that
this culture of checking authentications is actually coming along with it.

-- 
	    http://youbroketheinternet.org
 ircs://psyced.org/youbroketheinternet
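As an added illustration of the two mechanisms Tony describes above (the short authentication string and the stored continuity data), here is a small simulation written for this page. It is not code from any ZRTP implementation: the Diffie-Hellman group is a toy one, the key derivation and the retained-secret handling are simplified models of what RFC 6189 does, and the names (Alice, Bob, Mallory, `call`, `derive_s0`) are assumptions made for the example.

```python
"""Simplified model of ZRTP-style SAS comparison and retained-secret continuity.
Constructed for illustration; not ZRTP's real KDF, wire format or group."""
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for the example; far too weak for real use).
P = 2**521 - 1
G = 2
P_LEN = (P.bit_length() + 7) // 8

# z-base-32 alphabet, the one RFC 6189 uses for the 4-character base32 SAS.
ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def enc(x: int) -> bytes:
    return x.to_bytes(P_LEN, "big")


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return enc(pow(peer_pub, priv, P))


def derive_s0(dh_result: bytes, pub_i: int, pub_r: int, rs1: bytes = b"") -> bytes:
    """Master secret from the DH result, the transcript of public values the
    endpoint actually saw, and the retained secret cached from the last call.
    Real ZRTP hashes more fields; the shape is what matters here."""
    h = hashlib.sha256()
    h.update(dh_result)
    h.update(enc(pub_i))
    h.update(enc(pub_r))
    h.update(rs1)
    return h.digest()


def sas_from_s0(s0: bytes) -> str:
    """4 base32 characters from the top 20 bits of a hash of s0 (modelled on ZRTP)."""
    sashash = hashlib.sha256(b"SAS" + s0).digest()
    bits = int.from_bytes(sashash[:3], "big") >> 4
    return "".join(ALPHABET[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def retained_secret(s0: bytes) -> bytes:
    """What each side stores after a call, to be mixed into the next key agreement."""
    return hashlib.sha256(b"retained" + s0).digest()


def call(alice_rs1: bytes = b"", bob_rs1: bytes = b"", mitm: bool = False) -> dict:
    """Run one toy key agreement between Alice and Bob. With mitm=True, Mallory
    does a separate DH exchange with each of them and, having never been in an
    earlier honest call, holds no retained secret. Returns each endpoint's s0,
    the SAS each screen would show, and whether media keys agree end to end."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if not mitm:
        a_s0 = derive_s0(dh_shared(a_priv, b_pub), a_pub, b_pub, alice_rs1)
        b_s0 = derive_s0(dh_shared(b_priv, a_pub), a_pub, b_pub, bob_rs1)
        keys_agree = a_s0 == b_s0
    else:
        m_priv, m_pub = dh_keypair()
        # Alice's leg: she talks to Mallory's key but believes it is Bob's.
        a_s0 = derive_s0(dh_shared(a_priv, m_pub), a_pub, m_pub, alice_rs1)
        ma_s0 = derive_s0(dh_shared(m_priv, a_pub), a_pub, m_pub, b"")
        # Bob's leg, likewise.
        b_s0 = derive_s0(dh_shared(b_priv, m_pub), m_pub, b_pub, bob_rs1)
        mb_s0 = derive_s0(dh_shared(m_priv, b_pub), m_pub, b_pub, b"")
        keys_agree = (a_s0 == ma_s0) and (b_s0 == mb_s0)
    return {
        "alice_s0": a_s0, "bob_s0": b_s0,
        "alice_sas": sas_from_s0(a_s0), "bob_sas": sas_from_s0(b_s0),
        "keys_agree": keys_agree,
    }


if __name__ == "__main__":
    first = call()
    print("honest first call: SAS", first["alice_sas"], first["bob_sas"])
    attacked = call(mitm=True)
    print("MitM on first call: keys relay fine,", attacked["keys_agree"],
          "but screens show", attacked["alice_sas"], "vs", attacked["bob_sas"])
    a_cache = retained_secret(first["alice_s0"])
    b_cache = retained_secret(first["bob_s0"])
    later = call(a_cache, b_cache, mitm=True)
    print("MitM on a later call: keys agree?", later["keys_agree"])
```

The three scenarios in the `__main__` block are the point: on a first contact a relaying attacker gets working keys on both legs, so only the humans reading the SAS aloud catch the mismatch; once an honest call has happened, each side mixes its cached secret into the next agreement, and an attacker who was not there the first time cannot produce matching keys at all, so the later interception fails without anyone reading a string.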
