Hubzilla development: The Zot communication and authentication protocol

hzkick | tobias
Mike Macgirvin wrote the following post Thu, 08 Feb 2018 05:00:52 +0100
Finally got a chance to spend a bit more time on zot6, which has been languishing for a couple of months while I've been tied up with federation nits and registration workflows and people who can't figure out how to send email. Anyway, today I got two zot6 sites to communicate with each other and the delivery performance is pretty awesome.

In a nutshell, we're using OpenWebAuth on send to avoid a verification callback. We don't really have to verify the receiver since private messages are technically encrypted twice. Ergo, it shouldn't really matter if they get MITM'd - they still can't read the message or see anything in the metadata. I still have one additional step to encrypt the HTTPSignature - as it can leak metadata about the sender. (The folks writing specs never think of these things.) Once that's done I'll start hammering on it to try and break it, but otherwise start migrating it into the mainline code.

It basically doubles delivery performance on both ends of the connection. It will fall back to doing it the slow way, and will work all the way back to ancient redmatrix installs; but if you're using anything less than Hubzilla 3.0.1 you're being put on notice. Please upgrade.
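
The post above notes that an HTTP Signature can leak metadata about the sender. The following is an added example, not part of the original post and not Hubzilla or Zot6 code: it signs and verifies a request in the draft-cavage HTTP Signatures header format against a local key cache, with no callback to the sender, and its `parse` function shows that the `keyId` parameter can be read from the header without any key. It assumes HMAC-SHA256 with a pre-shared key so that it runs on the standard library alone; the channel URL, key, host and `/inbox` path are constructed.

```python
import base64, hashlib, hmac, re

# Constructed demo values: the channel URL and shared key are hypothetical.
SENDER = "https://hub-a.example/channel/alice"
KEYS = {SENDER: b"constructed-demo-key"}  # receiver's local key cache

def body_digest(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(method, path, headers, names):
    """Join the covered headers in order, one 'name: value' per line."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines).encode()

def _mac(key, data):
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()

def sign(key_id, method, path, headers, names):
    sig = _mac(KEYS[key_id], signing_string(method, path, headers, names))
    return (f'keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(names)}",signature="{sig}"')

def parse(sig_header):
    """Split the header into its parameters; needs no key at all."""
    return dict(re.findall(r'(\w+)="([^"]*)"', sig_header))

def verify(sig_header, method, path, headers, body):
    """Check the signature against the local key cache, with no callback."""
    p = parse(sig_header)
    key = KEYS.get(p.get("keyId", ""))
    names = p.get("headers", "").split()
    if key is None or p.get("algorithm") != "hmac-sha256" or "digest" not in names:
        return False  # unknown sender, wrong algorithm, or body not covered
    if headers.get("digest") != body_digest(body):
        return False  # body was altered after signing
    try:
        expected = _mac(key, signing_string(method, path, headers, names))
    except KeyError:
        return False  # a covered header is missing from the request
    return hmac.compare_digest(expected, p.get("signature", ""))

if __name__ == "__main__":
    h = {"host": "hub-b.example", "digest": body_digest(b"{}")}
    print(parse(sign(SENDER, "POST", "/inbox", h, ["(request-target)", "host", "digest"])))
```
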