From twanfox at gmail.com Mon Jun 19 00:41:58 2006
From: twanfox at gmail.com (Twan Fox)
Date: Sun, 18 Jun 2006 23:41:58 -0500
Subject: [OTR-dev] Re: Verification of OTR plugin for Trillian Pro
In-Reply-To: <4495B304.40601@rotz.org>
References: <4495B304.40601@rotz.org>
Message-ID: <44962B16.9020305@gmail.com>

Greetings,

Talking a little with Ian and knowing how quite a few are security conscious in this particular venue, I had imagined (and in a way, anticipated) that this kind of a discussion would come up at some point. In particular, this is kind of a strange ground for me to be in because I find myself wanting to be able and assured that the work I've been doing isn't pilfered if someone feels that I'm not doing what they want me to do. I also understand that with the source unavailable as it is there isn't much of a way for anyone to do a check on it.

While I'm sure that this explanation can only be taken at face value, let me elaborate a bit on how I built the OTR plugin for Trillian. Sad to say, this is my first application 'from scratch' that makes use of Windows GUI elements as well as interacting with another application as a plugin. Because of the difficulties I was going to have with those aspects alone, not to mention deciphering how to use the OTR library, I turned to the Gaim OTR plugin as a reference guide. Unfortunately for me the Trillian API doesn't allow me to do things quite the same way as Gaim OTR handled them. Despite that, many of the calls and hooks that Gaim OTR makes to the OTR library are done in a near-identical way between the two plugins, including aspects that I don't fully comprehend.

The goal of the Trillian OTR plugin is primarily to intercept messages received by the client, before the medium plugin the message is destined for fully processes it, and decrypt them (as needed), and to intercept messages being sent out by the local user and encrypt them (as needed) before sending them. At only one time does the Trillian OTR plugin attempt to send a message itself (through Trillian and not the medium plugin), and that is when the user has configured it to send an opportunistic encryption whitespace tag trailing a message. All other messages are converted inline (by overwriting an encrypted message string with the decrypted message before display, or by replacing the text in the text entry field with the encrypted text before Trillian passes it to the medium plugin for processing). What it does not yet do (something I'm not sure if the 'risk' is worth investigating in code) is change any settings within Trillian concerning when it logs messages. This means that, if the user wants it to, Trillian will log messages that have passed through an OTR session. Trillian just doesn't know any different.

In the interest of peer review, I have considered the possibility of having a member of the OTR development team review the plugin's code, as kludgey as it is, in order to give an 'okie dokie' that it doesn't do something nefarious. Beyond that, and my conflicted little conundrum, I'm not sure quite what would satisfy all involved parties.

Thanks,
Twanfox

Aldert J.B.P. Hazenberg wrote:
> Hi Guys and Girls,
>
> I noticed that Trillian Pro now has an OTR plugin as well !
> (this time Twan of is the cool guy :) found emails from him in otr-dev)
>
> http://www.ceruleanstudios.com/downloads/detail.php?item=378
>
> Again question I have about this :
>
> 1. As it seems to me that this plugin is written by somebody not in
> the "core" OTR team, should the code not be checked for "issues" ?
>
> I cannot find the source code of the plugin, something that makes
> it even harder to check I guess :)
>
> 2. Even if the code is ok, how can I be sure that the dll supplied is
> built from that code ? (as the dll is not supplied by the OTR team)
>
> Aldert.


From aldert at rotz.org Mon Jun 19 02:14:05 2006
From: aldert at rotz.org (Aldert J.B.P. Hazenberg)
Date: Mon, 19 Jun 2006 08:14:05 +0200
Subject: [OTR-dev] [Fwd: Re: [OTR-users] Verification of OTR plugin for Miranda IM]
Message-ID: <449640AD.1030009@rotz.org>

Email from Scott that ended up in my mailbox. :)

Aldert.

-------- Original Message --------
Subject: Re: [OTR-users] Verification of OTR plugin for Miranda IM
Date: Mon, 19 Jun 2006 15:40:49 +1000
From: Scott Ellis
To: Aldert J.B.P. Hazenberg
References: <44957773.4020209 at rotz.org>

Hi all,

The OTR plugin for Miranda has a very similar life story to the Trillian plugin according to the recent post by Twan. I too relied heavily on the gaim plugin source code to get an idea of how the implementation should work.

Miranda is even worse in terms of logging - in that it logs everything (unencrypted) and logging cannot easily be disabled (it is possible to log to memory only using some third party database plugins). And as I've mentioned before, Miranda has no concept of 'accounts' per se, so it pretends to the OTR library that there is only one account.

The source code is available though, and I'm open to any suggestions or patches.

The trustworthiness of all Miranda plugins can be questioned, and this is an issue that has been and still is discussed on the Miranda forums. Moderation of the Miranda file listing is a relatively new thing, and certain automated processes are in place such as virus scanning of the binaries. I don't think there ever will be resources enough for a code review of new plugins and updates. I think there are plans to ensure all plugins on the file listing are submitted with source code - I'm unsure whether they will in future be rebuilt from the source before being made available for download.

For the Miranda OTR plugin, and for all Miranda plugins in fact, the only sure method is to build it from sources you've read and understood, or find a trustworthy friend capable of doing it for you. The OTR plugin source does include a project file for the free MinGW Studio development environment, so it's not impossible to build it yourself even with little knowledge of programming.

I have no objection to the OTR team providing public access to their own build of the dll and/or to the sources, if that turns out to be a more acceptable way around the trust issue.

Scott

On 19/06/06, Aldert J.B.P. Hazenberg wrote:
>
> Hi Guys and Girls,
>
> I noticed that Miranda IM has an OTR plugin (cool!!!!!, thanks Scott!)
> http://addons.miranda-im.org/details.php?action=viewfile&id=2644
>
> Question I have about this :
>
> 1. As it seems to me that this plugin is written by somebody not in
> the "core" OTR team, should the code not be checked for "issues" ?
>
> Code can be found here :
> http://addons.miranda-im.org/feed.php?dlsource=2644
>
> 2. Even if the code is ok, how can I be sure that the dll supplied is
> built from that code ? (as the dll is not supplied by the OTR team)
>
> Aldert.
>
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>

--
Scott


From scott.ellis at optusnet.com.au Mon Jun 19 06:34:15 2006
From: scott.ellis at optusnet.com.au (Scott Ellis)
Date: Mon, 19 Jun 2006 20:34:15 +1000
Subject: [OTR-dev] Re: [Fwd: Re: [OTR-users] Verification of OTR plugin for Miranda IM]
In-Reply-To: <449640AD.1030009@rotz.org>
References: <449640AD.1030009@rotz.org>
Message-ID: <96e269140606190334q1bfd1e26v7e51fd687d2834e0@mail.gmail.com>

oops, thanks aldert


From paul at cypherpunks.ca Wed Jun 28 21:10:28 2006
From: paul at cypherpunks.ca (Paul Wouters)
Date: Thu, 29 Jun 2006 03:10:28 +0200 (CEST)
Subject: [OTR-dev] Re: [Fwd: Re: [OTR-users] Verification of OTR plugin for Miranda IM]
In-Reply-To: <96e269140606190334q1bfd1e26v7e51fd687d2834e0@mail.gmail.com>
References: <449640AD.1030009@rotz.org> <96e269140606190334q1bfd1e26v7e51fd687d2834e0@mail.gmail.com>
Message-ID:

On Mon, 19 Jun 2006, Scott Ellis wrote:

The link http://www.cypherpunks.ca/otr/gaim-otr-cvs-latest.tar.gz is broken and points to an obsolete gaim-otr 2.0.0 version.

Paul


From paul at xelerance.com Wed Jun 28 21:17:38 2006
From: paul at xelerance.com (Paul Wouters)
Date: Thu, 29 Jun 2006 03:17:38 +0200 (CEST)
Subject: [OTR-dev] gaim-otr CVS missing?
Message-ID:

[ oops, i accidentally recycled Greg's subject line ]

The link http://www.cypherpunks.ca/otr/gaim-otr-cvs-latest.tar.gz is broken and points to an obsolete gaim-otr 2.0.0 version.

http://sourceforge.net/projects/otr is giving me an internal server error

www.cypherpunks.ca/otr/ has no link to another CVS repository

As of tonight, rawhide has gaim-2.0.0, so all gaim modules need to be upgraded to the new gaim API, which includes gaim-otr. That's why I was searching for the OTR CVS repository. There is some urgency in this because Fedora Core 6 test2 will be released very soon, and I would like to make sure FC6 has a working gaim-otr.

If all else fails, I could grab the debian repository, but I'd rather use an official OTR one.

Paul


From evan.s at dreskin.net Wed Jun 28 22:54:26 2006
From: evan.s at dreskin.net (Evan Schoenberg)
Date: Wed, 28 Jun 2006 22:54:26 -0400
Subject: [OTR-dev] gaim-otr CVS missing?
In-Reply-To:
References:
Message-ID: <20060628225426.45w6k1dxmo04kg8g@penguinmilitia.net>

Quoting Paul Wouters :

> http://sourceforge.net/projects/otr is giving me an internal server error

Looks like sf.net was having problems earlier. It's working now for me -- ymmv.

-Evan


From ian at cypherpunks.ca Thu Jun 29 05:11:51 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Thu, 29 Jun 2006 05:11:51 -0400
Subject: [OTR-dev] Re: [Fwd: Re: [OTR-users] Verification of OTR plugin for Miranda IM]
In-Reply-To:
References: <449640AD.1030009@rotz.org> <96e269140606190334q1bfd1e26v7e51fd687d2834e0@mail.gmail.com>
Message-ID: <20060629091151.GP15280@smtp.paip.net>

On Thu, Jun 29, 2006 at 03:10:28AM +0200, Paul Wouters wrote:
> On Mon, 19 Jun 2006, Scott Ellis wrote:
>
> The link http://www.cypherpunks.ca/otr/gaim-otr-cvs-latest.tar.gz is
> broken and points to an obsolete gaim-otr 2.0.0 version.

Oops. That link was from before when you could get the latest CVS from Sourceforge. I'll just remove it in a bit.

   - Ian