xabber-android icon indicating copy to clipboard operation
xabber-android copied to clipboard

Published 20 hours ago verified publisher icon redsolution

Safely share a picture?

Open arielenter opened this issue 7 years ago • 6 comments

I know it is possible to send pictures and files on servers using XEP-0363 (HTTP File Upload). I might be wrong, but it appears that this kind of transaction are not safe at all. Am I right?

It seems that when ever I send a picture it is uploaded to the server, and once there, any body, specially the server owner, will be able to see them just by having the right address. Is this the case?

I might be wrong, but it appears that Conversations XMPP client, do also encrypt pictures when they are sent, although I don't know which XEP is being use there. It appears that the transaction is only between peer to peer and server is not involved, which it's alright.

Are there any plans to implement something like that on xabber? Thank you.

arielenter avatar Feb 24 '18 19:02 arielenter

We did it for one of our clients, custom encryption with symmetric encryption key passed in stanza. Works pretty well if you pass it within encrypted session. It'll be easy to copy this code to Xabber, when we get to this. However, it'll probably be incompatible with Conversations, to make it compatible would require some effort from either us or them. Anyway, currently we have our hands full with some work so don't expect this to happen too soon. Maybe 3-4 months.

andrewnenakhov avatar Feb 24 '18 19:02 andrewnenakhov

Oh, I wouldn't mind having no compatibility with Conversations, so that's fine.

Thank you very much, I'll be waiting those 3 or 4 months gladly.

BTW: Do you have a https://en.liberapay.com/ account, I have some money there and I'll love to give some of it to support this project and for the troubles. Thank you C:

arielenter avatar Feb 24 '18 19:02 arielenter

HTTP File Upload supports both client-server encryption (HTTPS) and end-to-end encryption when used in conjunction with OMEMO encryption

Simply use OMEMO

ChatSecure's initial plan was

Initially we will only be supporting AES-GCM encrypted http transfers, and requiring OMEMO or OTR to exchange the URL and key.

BigGiantHeadsHighCommander avatar Jul 11 '18 05:07 BigGiantHeadsHighCommander

Simply use OMEMO

@BigGiantHeadsHighCommander OMEMO encrypts only message body, files uploaded via HTTP upload will be stored on server in plain open way. Please, don't give others advice in areas you are not too familiar with.

andrewnenakhov avatar Jul 11 '18 06:07 andrewnenakhov

@andrewnenakhov @BigGiantHeadsHighCommander

https://github.com/conversejs/converse.js/issues/1182

That thread confirms the omemo file encryption assertion

bleedingcrow avatar Jan 24 '20 06:01 bleedingcrow

@bleedingcrow which of the assertions?

andrewnenakhov avatar Jan 24 '20 09:01 andrewnenakhov