
Using RedPhone (the right way), one would call, establish a connection and read off the text verification on screen to the other party. If they match, it's ZRTP-secure; if they don't, it's MITM'd.

Why can we do that on RedPhone, while not, say, on ChatSecure, Telegram, or Wickr? Why do we have to use OTHER means to verify the identity?

Also, is it OK to verify the identity over an UNSECURE medium in the second case? Like using WhatsApp to verify a Wickr identity?!

Jens Erat
Mars
  • Please do not use tags that are neither contained in nor even relevant to your question. This is just drawing the attention of people not wanting to pay attention to your question. – Jens Erat Feb 09 '15 at 22:06
  • Sorry, I thought they ARE relevant. – Mars Feb 09 '15 at 22:13

1 Answer


Reading off the text verifies that you have a secure connection to the person who read off the text. How do you know that's the person you intended to communicate with? ZRTP essentially assumes that you know by recognising their voice.

https://silentcircle.com/faq-zrtp#20

https://silentcircle.com/faq-zrtp#26

OTR obviously can't make that assumption, so you have to establish their identity some other way. If you use the fingerprint method, you don't need a private channel, just a verifiable one. For example, if you know the person's voice, you could make a phone call and exchange fingerprints.

For the other methods, you need to establish a shared secret using an already secure channel.

(Disclaimer: I've never used RedPhone, Telegram, or Wickr, but I'm assuming they are similar to other ZRTP and OTR apps).

John Morahan
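As an added illustration of the answer above (it is not part of the original post, and it is not code from RedPhone, Silent Circle or any OTR client): a toy ZRTP-style Short Authentication String derivation showing why the strings match on a direct exchange and diverge when a third party terminates both legs of the key exchange, plus an OTR-style fingerprint comparison of the kind done by ear over a verifiable channel. The group parameters, the hash layout, the fingerprint construction and the seeded RNG are constructed assumptions chosen for a reproducible demonstration, not the real protocols' values. What the code cannot show is the step the answer stresses: the SAS only proves the channel ends at whoever read it aloud, and tying that voice to a person is left to the humans.

```python
import hashlib
import random

# Toy Diffie-Hellman parameters, constructed for illustration only: a 127-bit
# Mersenne prime and a small generator. Real ZRTP uses standardised groups
# (3072-bit MODP or elliptic curves); this modulus is NOT secure.
P = 2**127 - 1
G = 5

# Seeded RNG so the demonstration is reproducible (constructed assumption).
# A real implementation draws DH exponents from an OS CSPRNG such as the
# `secrets` module, never from `random`.
_rng = random.Random(20150209)

def dh_keypair():
    priv = _rng.randrange(1, P - 1)
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)

Z_BASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # alphabet used by RFC 6189

def sas(shared_secret, pub_initiator, pub_responder):
    """Short Authentication String derived from this session's key exchange.

    Mirrors the shape of ZRTP's SAS: hash the session material, keep the
    first 20 bits, render them as four base32 symbols. The hash input is a
    simplification of RFC 6189's KDF, not the real sashash computation.
    """
    material = b"".join(x.to_bytes(16, "big")
                        for x in (shared_secret, pub_initiator, pub_responder))
    digest = hashlib.sha256(material).digest()
    bits = int.from_bytes(digest[:3], "big") >> 4   # top 20 bits
    return "".join(Z_BASE32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))

def honest_session():
    """Alice and Bob exchange DH values directly: both derive the same secret,
    so the SAS each of them reads aloud is identical."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    alice = sas(dh_shared(a_priv, b_pub), a_pub, b_pub)
    bob = sas(dh_shared(b_priv, a_pub), a_pub, b_pub)
    return alice, bob

def intercepted_session():
    """A third party terminates both legs with its own DH values. Alice and
    Bob now sit on two unrelated key exchanges, so (with probability
    1 - 2**-20) the strings they read to each other differ, which is exactly
    what the screen comparison is designed to catch."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    _, m_pub_a = dh_keypair()   # interposed party's value facing Alice
    _, m_pub_b = dh_keypair()   # interposed party's value facing Bob
    alice = sas(dh_shared(a_priv, m_pub_a), a_pub, m_pub_a)
    bob = sas(dh_shared(b_priv, m_pub_b), m_pub_b, b_pub)
    return alice, bob

def fingerprint(long_term_pub):
    """OTR-style fingerprint of a long-term key, grouped for reading aloud.
    OTR itself hashes the DSA public key with SHA-1; SHA-256 truncated to
    40 hex digits is a constructed stand-in with the same on-screen shape."""
    hexdigest = hashlib.sha256(long_term_pub.to_bytes(16, "big")).hexdigest()
    h = hexdigest[:40].upper()
    return " ".join(h[i:i + 8] for i in range(0, 40, 8))

def fingerprint_matches(read_aloud, local):
    """Compare a fingerprint heard over a verifiable channel (say, a phone
    call with a voice you know) against the one the client displays.
    Spacing and case are ignored because the check is done by ear."""
    norm = lambda s: "".join(s.split()).upper()
    return norm(read_aloud) == norm(local)

if __name__ == "__main__":
    print("direct exchange:", honest_session())
    print("interposed exchange:", intercepted_session())
    fp = fingerprint(0xC0FFEE)   # constructed sample long-term key
    print("fingerprint:", fp, "->", fingerprint_matches(fp.lower(), fp))
```

Note the asymmetry the answer draws: the SAS is a per-session value that only needs a channel the other party cannot forge in real time (their voice), whereas a fingerprint identifies a long-term key and needs no private channel at all, only one where you can trust that the digits you hear came from the right person.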