From paul at cypherpunks.ca Wed Jul 13 21:52:18 2005
From: paul at cypherpunks.ca (Paul Wouters)
Date: Wed, 13 Jul 2005 21:52:18 -0400
Subject: [OTR-announce] libotr and gaim-otr included in Fedora Extra's for FC3 and FC4
Message-ID: <20050714015218.GC2289@smtp.paip.net>

libotr and gaim-otr have been included in Fedora Extras, the large
companion of RPMs for Fedora Core Linux. See:

http://fedoraproject.org/wiki/Extras

Installing gaim-otr and libotr on these distributions is now very simple.

On Fedora Core 4, the fedora-extras repository is included in the default
YUM configuration. Just run:

    yum install gaim-otr

On Fedora Core 3, you can enable fedora-extras by adding the following
configuration to your /etc/yum.conf or as a separate file, for example
/etc/yum.repos.d/fedora-extra.repo:

    [extras]
    name=Fedora Extras $releasever - $basearch
    baseurl=http://download.fedora.redhat.com/pub/fedora/linux/extras/$releasever/$basearch/
    mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-extras-$releasever
    enabled=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
    gpgcheck=1

You will also need to add the fedora extras key to your rpm database by
running the command:

    rpm --import http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras

Then you can also install gaim-otr using yum like on Fedora Core 4:

    yum install gaim-otr

If people package libotr or gaim-otr for other rpm-based distributions,
please mail us your revised specfile so we can include this in the
packages/ directory.

Paul

From otr at cypherpunks.ca Sun Jul 24 10:55:04 2005
From: otr at cypherpunks.ca (The OTR Dev Team)
Date: Sun, 24 Jul 2005 10:55:04 -0400
Subject: [OTR-announce] Flaw in OTR Protocol (with workaround!)
Message-ID:

Well, this is the benefit of open protocols and open source. :-)

Researchers from the Universita di Catania (Italy) and IBM have looked at
the OTR protocol, and pointed out a flaw, which is this:

If Alice tries to communicate with Bob, Mallory (an active attacker) can
make Bob _think_ he's talking to Mallory, when he's actually talking to
Alice. Alice correctly knows she's talking to Bob. Note that Mallory
can't actually _read_ the messages between Alice and Bob.

For example, if Bob thinks he's talking to Mallory, he may tell her
something in confidence he would not want Alice to hear. Note that
although Mallory could relate this confidential information to Alice
herself, in the attack scenario Alice has assurance that the message came
from Bob rather than having to take Mallory's word for it.

There's a simple temporary workaround: Alice should say "Hi, this is
Alice." at the beginning of the conversation, alerting Bob to any
possible attack. Likewise, Bob should identify himself to prevent the
attack in the opposite direction.

But in the longer term, we're going to fix the protocol to prevent the
attack in the first place. Unfortunately, this will mean changing the
wire protocol, which will cause incompatibility. The current plan is for
the next version of libotr to support both the current and new protocols
(with an option to disallow the current protocol); if you communicate
with someone speaking the current protocol, it will let you know that you
should confirm your identity with the other person.

[Note that in the attack scenario, the people communicating are not "in
on" the attack, so simply mentioning your own name inside the OTR
conversation is sufficient.]

As a side effect, if anyone's got other enhancements to OTR in the wings
that would require wire protocol changes, now's the time to speak up. :-)

   - The OTR Dev Team

[Note that Ian and Kat will shortly be off the net until Monday evening,
but Nikita may be around.]
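
Added example (not part of either message, and not code from the OTR
project or Fedora): a small Python audit of yum repository stanzas such as
the [extras] one in the first message, reporting whether package signature
checking is actually in effect. The [unsigned] and [remote-key] stanzas,
their .invalid hosts and the finding names are constructed for illustration.

```python
import configparser
# Constructed sample: the [extras] stanza from the mail, plus two weak
# stanzas invented for contrast (hosts under .invalid are placeholders).
SAMPLE = """\
[extras]
name=Fedora Extras $releasever - $basearch
baseurl=http://download.fedora.redhat.com/pub/fedora/linux/extras/$releasever/$basearch/
mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-extras-$releasever
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
gpgcheck=1

[unsigned]
baseurl=http://mirror.example.invalid/extras/
gpgcheck=0

[remote-key]
baseurl=http://mirror.example.invalid/extras/
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY
gpgcheck=1
"""

TRUE = {"1", "yes", "true"}
PLAINTEXT = ("http://", "ftp://")

def audit_repos(text):
    """Map each repo id to its findings; skips [main] and enabled=0 stanzas."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        s = cp[repo]
        if repo == "main" or s.get("enabled", "1").strip().lower() not in TRUE:
            continue
        found = []
        check = s.get("gpgcheck")
        if check is None:
            found.append("gpgcheck-unset")      # falls back to the [main] setting
        elif check.strip().lower() not in TRUE:
            found.append("gpgcheck-off")        # packages installed unverified
        urls = (s.get("baseurl", "") + " " + s.get("mirrorlist", "")).split()
        if found and any(u.startswith(PLAINTEXT) for u in urls):
            found.append("plaintext-unsigned")  # nothing authenticates packages
        if any(k.startswith(PLAINTEXT) for k in s.get("gpgkey", "").split()):
            found.append("gpgkey-plaintext")    # key fetched without integrity
        report[repo] = found
    return report

if __name__ == "__main__":
    print(audit_repos(SAMPLE))
```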