
I am developing a pubsub system on top of Node.js and Socket.io. I decided to implement Off-The-Record (OTR) encryption by default for all data transfers between clients and server(s). The question is: do I need to additionally connect classic certificates to be sure that even OTR ask queries will be encrypted?

If it is a good idea to connect both OTR and SSL, which one must cover the other? I mean, do I need to encrypt the traffic first with the cert and then send it between clients using OTR to secure it twice, or do I need to use OTR first and then just encrypt the whole traffic, with and possibly without OTR (like handshake requests and the like)?

WhiteWinterWolf
John Smith
  • Though it's not needed, SSL won't hurt, and could help CYA in case you make an implementation mistake. – dandavis Jul 17 '16 at 12:35

1 Answer

Question is do I need to additionally connect classic certificates to be sure even OTR ask queries will be encrypted?

As long as you implement OTR correctly using libotr or the specifications, you do not have to deal with classic certificates from PKI. OTR operates using the TOFU model, with the optional ability to verify another's fingerprint through an external channel.

If it will be good idea to connect both of OTR and SSL, what one must cover other?

TLS operates on top of the TCP layer. Any arbitrary TCP traffic can be encrypted using TLS, as it is completely format-agnostic. OTR, on the other hand, is designed to encrypt printable characters and convert them to plain ASCII. It is not even possible to put OTR over TLS, since OTR takes text as an input and spits out base64 ASCII as an output. Have TLS encrypt the OTR stream if you do this.

forest