by danielweber
4314 days ago
FYI, based on previous discussion, by "trivial to adopt" he means "you can use it in your current browser and in a new browser if you remember your password." Which is reasonable, but I totally see why you think your own solution fits your own definition of "trivial to adopt." Domains are a bit different.

I see you plan to publish the source -- do you have a way that someone can verify what is running on their device, such as using common components so they can load the code themselves, or maybe a version that runs as installed software on a desktop computer? (This wouldn't be as convenient, but it could provide safety to the ecosystem if it could detect hostile clients.)

EDIT: I wonder how much computational power it would take for an attacker to do a man-in-the-middle attack that recognizes each side saying "the code is 123" and changes the voice to say "the code is 456."

It's a good idea to find ways for users to verify what's running on the device. Right now, the USB port on JackPair is only for the user to recharge the battery. We can open it up for users to load the code themselves, but this will also make it vulnerable to USB hacks. Any suggestions here?

The encryption software of JackPair can be run on a PC, except for the assembly optimization for our ARM Cortex-M3 based DSP core. It's OK to verify the software this way; it'll be open sourced anyway. But I'm not convinced that average users can make sure their PC or smartphone is secure enough to run JackPair as a pure software solution.

For MitM human voice mimicking, in addition to computing power, it'll take a large database with perfect voice samples, and manual adjustment & training so far:
http://dsp.stackexchange.com/questions/7833/how-to-mimic-cop...

BTW, the Pairing Code in JackPair is 10 digits long; the 3-digit code you see in the GIF animation is for illustration purposes.