Many Peer-to-Peer LAN messenger systems claim that they support
encryption, but there is little security when that encryption is done
without the use of digital certificates.
There are two major problems associated with using encryption in a P2P
system without digital certificates (note that systems with a centralized
server such as Akeni Pro Messenger does not have these problems.)
The first problem is that there is no authentification. The message
itself is encrypted, but how does alice know that the message really came
from bob and not from carol? Digital certificate solves that problem
because the certificate ensures that a message really did come from bob.
The second problem is that encryption done without certificate is open
to the so called man-in-the-middle-attack. In this form of attack an
intruder can insert him/herself between two users, intercepting their
messages, listening to their conversation and even tampering with the
message.
Using encryption without digital certificate is a bit like sending
letter in an sealed envelop without a wax seal. All one knows that the
letter has arrived in an sealed envelop, but there is no guarantee that
someone have not opened the original envelop, read the message, and then
put the letter and sealed it in a new envelop.
|