[OTR-dev] buglet in otrproxy?

Paul Wouters paul at cypherpunks.ca
Thu Feb 3 09:25:08 EST 2005


On Thu, 3 Feb 2005, Ian Goldberg wrote:

> - One of you triggers Key Exchange.
> - Neither of you has seen the other's fingerprint before.
> - Aaron accepts yours, and types something, but you haven't accepted his
>   yet.
> - Your end gets an encrypted message, but discards it with the above
>   error, since it hasn't been told to accept the fingerprint.
> - You accept the fingerprint, and continue the conversation.
> 
> I'm not sure we should be queueing incoming packets while waiting for
> you to accept a fingerprint, though.

Hmm. Would it make sense to send some kind of authenticated "remote party
accepted fingerprint'? Or is this impossible on the same channel risking a
MITM?
But yeah, I guess you shouldn't cache packets in this case, to prevent
sending them to a MITM. But perhaps the proxy shouldn't allow sending packets
before the other end does? (catch22?

Paul

> 




More information about the OTR-dev mailing list