[pkg-otr-team] Bug#818313: Bug#818313: Bug#818313: off-the-record (OTR) plugin actually logs conversations

Antoine Beaupré anarcat at debian.org
Wed Mar 16 15:12:29 UTC 2016


On 2016-03-16 11:04:14, micah wrote:
> Antoine Beaupré <anarcat at debian.org> writes:
>
>> It's called "off the record" - why the heck would you want to log
>> that?
>
> the 'off the record' property of OTR only has to do with the protocol
> itself, it doesn't promise anything beyond that. Someone can copy and
> paste text from the terminal, take a photo or have it read out loud
> through speakers that are blasting through the grand canyon. OTR's "off
> the record" only promises these properties:
>
> . Encryption - No one else can read your instant messages.
>
> . Authentication - You are assured the correspondent is who you think it
> is.
>
> . Deniability - The messages you send do not have digital signatures
> that are checkable by a third party. Anyone can forge messages after a
> conversation to make them look like they came from you. However, during
> a conversation, your correspondent is assured the messages he sees are
> authentic and unmodified.
>
> . Perfect forward secrecy - If you lose control of your private keys, no
> previous conversation is compromised.
>
> You might be thinking that logging by an external program compromises
> the 'encryption' aspect of OTR?

Yes. In fact, I think it compromises the "encryption", "PFS" and
"deniability" aspects of the protocol, to be more specific.

While you can obviously corrupt any security system, I fail to see why
we would allow this specific system to be deliberately corrupted through
a configuration flag. I just don't see the use case of logging OTR
conversations, other than being a malicious attacker or a user
misconfiguring his software.

But anyways, I don't care much. I spent over two hours last night trying
to figure out how to do it in code. If you guys want a configuration
flag to turn that off, feel free to finish up a patch and do that. :)

A.

-- 
Every one of us is, in the cosmic perspective, precious. If a human
disagrees with you, let him live. In a hundred billion galaxies, you
will not find another.  - Carl Sagan


