[jitsi-users] ZRTP status indication in the UI


#1

Hi!

I'm trying to figure out what *exactly* the green/yellow lock symbols
indicating the ZRTP status for a connection mean. My situation is this:

I've installed Jitsi both for me and a friend of mine (who is not so
technically interested), and during some test sessions I verified and
confirmed the SAS at both clients. As I understand it, this should
mean that in the future a retained secret is used to verify the
connection automatically as far as possible.

I remember seeing a green lock, but that was only at rare moments; now
when I connect, I always have a yellow one. Clicking on it, I see the
SAS, an indication that it is ok and a "Clear" button. That does mean
that the connection is verified using the retained secret, right?

So ... is this connection really secure (assuming no attacker stole
any retained secret cache)? What does the yellow lock mean, and what
would I have to do in order to get it green? Can I somehow do some
more verification (ideally during a test call where I can do it myself
on both devices)? I could not find any information on the meaning of
the locks in the FAQs (also not the ZRTP ones).

I understand that there will always be some risk as long as we don't
actually compare the SAS manually for each call, but I don't want to
bother my friend with that; absolute security is not critically
important, but I still want to get it as good as possible.

Thanks for any hints! Yours,
Daniel

- --
http://www.domob.eu/
OpenPGP: 901C 5216 0537 1D2A F071 5A0E 4D94 6EED 04F7 CF52
- --
Done: Arc-Bar-Cav-Hea-Kni-Ran-Rog-Sam-Tou-Val-Wiz
To go: Mon-Pri


#2

Hey Daniel,

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I'm trying to figure out what *exactly* the green/yellow lock symbols
indicating the ZRTP status for a connection mean. My situation is this:

I've installed Jitsi both for me and a friend of mine (who is not so
technically interested), and during some test sessions I verified and
confirmed the SAS at both clients. As I understand it, this should
mean that in the future a retained secret is used to verify the
connection automatically as far as possible.

Correct, but only if both of you have confirmed.

I remember seeing a green lock, but that was only at rare moments; now
when I connect, I always have a yellow one. Clicking on it, I see the
SAS, an indication that it is ok and a "Clear" button. That does mean
that the connection is verified using the retained secret, right?

This mostly means that one of the two indications is wrong :(. It must
be an UI glitch. If the string is indeed compared, you should be seeing
a green padlock.

So ... is this connection really secure (assuming no attacker stole
any retained secret cache)? What does the yellow lock mean,

It means that Jitsi has successfully negotiated an encrypted channel but
it doesn't know yet if it's sending packets to the right place.

I can't reproduce the behaviour that you are describing (mismatching
colour and text). Can anyone else do this?

Ingo, I have some recollection that you had mentioned this too. Do we
have a ticket for this?

Cheers,
Emil

···

On 23.05.13, 22:55, Daniel Kraft wrote:

and what
would I have to do in order to get it green? Can I somehow do some
more verification (ideally during a test call where I can do it myself
on both devices)? I could not find any information on the meaning of
the locks in the FAQs (also not the ZRTP ones).

I understand that there will always be some risk as long as we don't
actually compare the SAS manually for each call, but I don't want to
bother my friend with that; absolute security is not critically
important, but I still want to get it as good as possible.

Thanks for any hints! Yours,
Daniel

- --
http://www.domob.eu/
OpenPGP: 901C 5216 0537 1D2A F071 5A0E 4D94 6EED 04F7 CF52
- --
Done: Arc-Bar-Cav-Hea-Kni-Ran-Rog-Sam-Tou-Val-Wiz
To go: Mon-Pri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJRnnQvAAoJEE2Ubu0E989S20kP/jf0EeDspv736NLyv/+iDd+j
XNi1SOclVWgfprQmnGD1mak+RFfMgOGfCOn0BxaULNPQVKBKX49C0GLZAhhmfyeM
VGamCXCBNnAGZCRewNkxBWT416QhtcH3JCR/nR6Wy2Vu8Bc7cbR6ENPU8uKAJ/I/
T9NEU1QC2Oc+uN6mBiNldgJ+xI8wVrvuQJTzeQBM6bvfLXsuq5MtAQC3rnjeQae0
sa6txvi39AzNamUzfPS9B2GUin4bV+l0/kHEV04GSdMCjSxmpPaH4LCXTLGSPYJn
JmeBfdMMzunySxJzo30b/d0MLRnOj+t2NSzQ1vStmm9Lm43iV4uVmRChQSLaMjTD
3MmAOHyY6pjhFhHtW8xJFQe/WB0LcdRTh9v8IrPcsFQboDslvoUoIO3BmVYzfO73
bYh0rwhhryJYJD6D0w41pLbIrSIEgLmuD901aaZN4xa3NsBbW2CNpRlWaAmAYRLl
bVdkc47/ThJu78sx2kOiKh5QwxG6KsEb9hpIb+Fi786bmpDbBexwuNTJpqg5n0vp
H3dM+nk92RPbcONL+XPKXHUIgapnjUU0sndzQjBoswXlauIrTPh1Wt4Lab2vWOPk
VtW5mt1IrO3+r0ugYxV3JXJgllr3VbE1soDm5mqnbDXahHpCU+HKfiewhddtwEQR
7sOGXqXf7EYT04nQmBTO
=UHuP
-----END PGP SIGNATURE-----

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
https://jitsi.org


#3

Ingo, I have some recollection that you had mentioned this too. Do we
have a ticket for this?

AFAIK no, because we weren't able to reproduce it. :frowning:

Cheers,
Emil

Ingo


#4

Hi!

Thanks for the reply! :slight_smile:

On 23.05.13, 22:55, Daniel Kraft wrote: I'm trying to figure out
what *exactly* the green/yellow lock symbols indicating the ZRTP
status for a connection mean. My situation is this:

I've installed Jitsi both for me and a friend of mine (who is not
so technically interested), and during some test sessions I
verified and confirmed the SAS at both clients. As I understand
it, this should mean that in the future a retained secret is used
to verify the connection automatically as far as possible.

Correct, but only if both of you have confirmed.

Yes, I have confirmed the SAS initially at both ends.

I remember seeing a green lock, but that was only at rare moments;
now when I connect, I always have a yellow one. Clicking on it, I
see the SAS, an indication that it is ok and a "Clear" button. That
does mean that the connection is verified using the retained
secret, right?

This mostly means that one of the two indications is wrong :(.
It must be an UI glitch. If the string is indeed compared, you
should be seeing a green padlock.

Ok. That's what I supposed. BTW, there's also an "i" in the UI, and
when I click it, I'm prompted to enter a name for this connection.
How exactly does that feature work? I experimented a bit with it,
and sometimes I get it to show the name next to the padlock -- but
that only works for the current connection. When a new one is
established, the name shows no longer but is still in the prompt when
I again click on the "i". Well, doesn't matter much ... just curious
what exactly that does. :slight_smile:

So ... is this connection really secure (assuming no attacker stole
any retained secret cache)? What does the yellow lock mean,

It means that Jitsi has successfully negotiated an encrypted
channel but it doesn't know yet if it's sending packets to the
right place.

I can't reproduce the behaviour that you are describing
(mismatching colour and text). Can anyone else do this?

Ingo, I have some recollection that you had mentioned this too.
Do we have a ticket for this?

Thanks for your efforts! So I'll probably assume for now that
everything is fine. Can I help somehow in finding the problem? For
me this happens every time with this particular connection I regularly
use.

Yours,
Daniel

- --
http://www.domob.eu/
OpenPGP: 901C 5216 0537 1D2A F071 5A0E 4D94 6EED 04F7 CF52
- --
Done: Arc-Bar-Cav-Hea-Kni-Ran-Rog-Sam-Tou-Val-Wiz
To go: Mon-Pri

···

On 26/05/13 21:26, Emil Ivov wrote: