From aknownim at yahoo.com Fri Dec 1 05:29:03 2006
From: aknownim at yahoo.com (Carl Johnson)
Date: Fri, 1 Dec 2006 02:29:03 -0800 (PST)
Subject: [OTR-users] Private keys file security
Message-ID: <122633.8082.qm@web58113.mail.re3.yahoo.com>

As Richard pointed out, it would be great to have the
private keys and fingerprints encrypted.

The countermeasures that we could use against the
motivated employer, could be to implement a virtual
keyboard to type the password, and to bypass
screenloggers, the virtual keyboard would press the
key when the mouse hovers a key for over 2 seconds,
for example.

Still, if this is too much trouble since both otrlib
and otrproxy are somewhat not being updated, someone
could at least point me to who is the win32
maintainer?

If we could just choose from otrproxy the directory to read the
private keys and fingerprints, that would help a lot. It would be just
a matter of using another program for on-the-fly encryption, and
having the keys stored on a secure location, say a usb flash disk for
instance.

But since we cannot choose (at least on WinXP as far
as I know) the userdir for the privkey and
fingerprints files, using otr on public computers
nears the impossible. Interestingly enough, on Win98
the privkeys are written on the same directory that
otrproxy is, and that alone would already solve this
problem. But, Win98 isn't used on public computers
anymore.

If we could just choose the directory (and drive) for the files, it
would really help.

Thanks.

From cautionespn at gmail.com Fri Dec 1 12:07:37 2006
From: cautionespn at gmail.com (Chris Morley)
Date: Fri, 1 Dec 2006 12:07:37 -0500
Subject: [OTR-users] Enhancement Request
Message-ID: <873586480612010907g38dd745cu96792ef575bfe507@mail.gmail.com>

Newbie here. Great plug-in for GAIM.
I just read through the October
and November archives of the mailing list to catch up and to see if
the request I have had been made recently. I apologize if it had been
made in prior months.

Any chance of a toned down graphic within GAIM? Perhaps a simple
padlock. Red/Open for non-private, Red/Closed for private/unverified,
Green/Closed for Private/Verified. This could be made about the same
size as the current text formatting icons in GAIM (could it actually
be added to this bar?). Right now it is rather obtrusive within the
GAIM GUI.

Thanks again for all of your hard work in creating this and for making
it available.

yours,
Chris M

--
======
People who don't like their beliefs being laughed at shouldn't have
such funny beliefs.
--Unknown

From ian at cypherpunks.ca Fri Dec 1 15:58:28 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 1 Dec 2006 15:58:28 -0500
Subject: [OTR-users] Enhancement Request
In-Reply-To: <873586480612010907g38dd745cu96792ef575bfe507@mail.gmail.com>
References: <873586480612010907g38dd745cu96792ef575bfe507@mail.gmail.com>
Message-ID: <20061201205828.GA4164@yoink.cs.uwaterloo.ca>

On Fri, Dec 01, 2006 at 12:07:37PM -0500, Chris Morley wrote:
> Newbie here. Great plug-in for GAIM. I just read through the October
> and November archives of the mailing list to catch up and to see if
> the request I have had been made recently. I apologize if it had been
> made in prior months.
>
> Any chance of a toned down graphic within GAIM? Perhaps a simple
> padlock. Red/Open for non-private, Red/Closed for private/unverified,
> Green/Closed for Private/Verified. This could be made about the same
> size as the current text formatting icons in GAIM (could it actually
> be added to this bar?). Right now it is rather obtrusive within the
> GAIM GUI.
>
> Thanks again for all of your hard work in creating this and for making
> it available.

Read further back in the archives to see why we don't like the whole
padlock concept.
The button blended in nicely with gaim 1.5, but indeed
it stands out in gaim 2's new UI. It's apparently possible to move some
of the functionality to the menubar, and we'll be looking into that.

   - Ian

From offtherecord at embracetherandom.com Sat Dec 2 17:48:11 2006
From: offtherecord at embracetherandom.com (Richard M. Conlan)
Date: Sat, 02 Dec 2006 14:48:11 -0800
Subject: [OTR-users] Enhancement Request
In-Reply-To: <20061201205828.GA4164@yoink.cs.uwaterloo.ca>
References: <873586480612010907g38dd745cu96792ef575bfe507@mail.gmail.com>
 <20061201205828.GA4164@yoink.cs.uwaterloo.ca>
Message-ID: <457202AB.5060702@embracetherandom.com>

I haven't seen the UI in gaim 2.0, but it is pretty good in 1.5. Try
not to bury too much in the menus...good HCISEC work is hard to come
by.

~RMC

Ian Goldberg wrote:
> On Fri, Dec 01, 2006 at 12:07:37PM -0500, Chris Morley wrote:
>> Newbie here. Great plug-in for GAIM. I just read through the October
>> and November archives of the mailing list to catch up and to see if
>> the request I have had been made recently. I apologize if it had been
>> made in prior months.
>>
>> Any chance of a toned down graphic within GAIM? Perhaps a simple
>> padlock. Red/Open for non-private, Red/Closed for private/unverified,
>> Green/Closed for Private/Verified. This could be made about the same
>> size as the current text formatting icons in GAIM (could it actually
>> be added to this bar?). Right now it is rather obtrusive within the
>> GAIM GUI.
>>
>> Thanks again for all of your hard work in creating this and for making
>> it available.
>
> Read further back in the archives to see why we don't like the whole
> padlock concept. The button blended in nicely with gaim 1.5, but indeed
> it stands out in gaim 2's new UI. It's apparently possible to move some
> of the functionality to the menubar, and we'll be looking into that.
>
> - Ian
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users

From paul at cypherpunks.ca Sat Dec 2 22:13:12 2006
From: paul at cypherpunks.ca (Paul Wouters)
Date: Sun, 3 Dec 2006 04:13:12 +0100 (CET)
Subject: [OTR-users] Private keys file security
In-Reply-To: <122633.8082.qm@web58113.mail.re3.yahoo.com>
References: <122633.8082.qm@web58113.mail.re3.yahoo.com>
Message-ID:

On Fri, 1 Dec 2006, Carl Johnson wrote:

> As Richard pointed out, it would be great to have the
> private keys and fingerprints encrypted.
>
> The countermeasures that we could use against the
> motivated employer, could be to implement a virtual
> keyboard to type the password, and to bypass
> screenloggers, the virtual keyboard would press the
> key when the mouse hovers a key for over 2 seconds,
> for example.

Just use "portable gaim" with gaim-otr, eg it runs completely from USB
drive. When you leave your computer, you take your USB drive with you.

Passphrase protection of the keys against the administrator of your
machine is impossible. Why try?

> Still, if this is too much trouble since both otrlib
> and otrproxy are somewhat not being updated, someone
> could at least point me to who is the win32
> maintainer?

I maintain the windows installers, Ian cross compiles for windows.

> But since we cannot choose (at least on WinXP as far
> as I know) the userdir for the privkey and
> fingerprints files, using otr on public computers
> nears the impossible. Interestingly enough, on Win98
> the privkeys are written on the same directory that
> otrproxy is, and that alone would already solve this
> problem. But, Win98 isn't used on public computers
> anymore.

If you use "portable gaim" everything should be written in the gaim
directories on the usb drive.

Paul

From paul at cypherpunks.ca Sat Dec 2 22:15:45 2006
From: paul at cypherpunks.ca (Paul Wouters)
Date: Sun, 3 Dec 2006 04:15:45 +0100 (CET)
Subject: [OTR-users] Enhancement Request
In-Reply-To: <873586480612010907g38dd745cu96792ef575bfe507@mail.gmail.com>
References: <873586480612010907g38dd745cu96792ef575bfe507@mail.gmail.com>
Message-ID:

On Fri, 1 Dec 2006, Chris Morley wrote:

> Any chance of a toned down graphic within GAIM? Perhaps a simple
> padlock. Red/Open for non-private, Red/Closed for private/unverified,
> Green/Closed for Private/Verified. This could be made about the same
> size as the current text formatting icons in GAIM (could it actually
> be added to this bar?). Right now it is rather obtrusive within the
> GAIM GUI.

The padlocks are out. See previous discussions in the archive.

With the vanishing of most buttons from the latest gaim GUI's, the OTR
button is quite dominantly there. But I don't see it as a problem. It
is more a motivation (and clear indication) of the status of the
connection. I like it that with one glance, I can see I am in a
private or unverified or insecure connection.

Paul

From perrin at apotheon.com Fri Dec 8 10:13:51 2006
From: perrin at apotheon.com (Chad Perrin)
Date: Fri, 8 Dec 2006 08:13:51 -0700
Subject: [OTR-users] regenerating keys on reboot
Message-ID: <20061208151351.GA13740@apotheon.com>

A friend of mine who uses the Gaim OTR plugin on a Windows machine
seems to have a problem with OTR generating new keys every time he
reboots the computer. He's running OTR with Gaim 2.0 beta 5 on Windows
XP Professional, Service Pack 2. When he opened a conversation with me
after rebooting (I'm the only person on his contact list using OTR at
this time), it popped up a "generating keys" dialog.

Any ideas why this is happening, and/or how to fix it? It makes it
difficult to verify keys when the keys change every time he reboots.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Brian K.
Reid: "In computer science, we stand on each other's feet."

From marti at juffo.org Fri Dec 8 10:35:43 2006
From: marti at juffo.org (Marti)
Date: Fri, 8 Dec 2006 17:35:43 +0200
Subject: [OTR-users] regenerating keys on reboot
In-Reply-To: <20061208151351.GA13740@apotheon.com>
References: <20061208151351.GA13740@apotheon.com>
Message-ID: <2a12af650612080735s4c4b234fneee9b22c645b5399@mail.gmail.com>

On 12/8/06, Chad Perrin wrote:
> Any ideas why this is happening, and/or how to fix it? It makes it
> difficult to verify keys when the keys change every time he reboots.

Does this also happen when closing Gaim and re-starting it? Does he
also lose verified fingerprints?

I would guess that Gaim is unable to write the key files onto the
disk, for whatever reason. I don't know where Gaim keeps its profile
files under Windows, but he could check whether his
$GAIM/otr.fingerprints and $GAIM/otr.private_key files exist and are
writable.

Marti

From readytogo2 at freenet.de Thu Dec 28 00:49:10 2006
From: readytogo2 at freenet.de (readytogo2)
Date: Thu, 28 Dec 2006 06:49:10 +0100
Subject: [OTR-users] some questions
Message-ID: <45935AD6.6050208@freenet.de>

Hello,

1.
Do you support the miranda otr plugin?
http://addons.miranda-im.org/details.php?action=viewfile&id=2644
Is it from same developers? What is your opinion about it?
Which features are supported? (Encryption, Authentication, Deniability,
Perfect forward secrecy)?

2.
Will you add deniability or perfect forward secrecy to the gaim plugin
in the future?

3.
I am using miranda/gaim plugin, can I save or export my fingerprint? If
I want to use another client, another accountname or the proxy can I
use my old "identity" anyway so my contact doesn't need to trust a new
fingerprint?

4.
A contact of mine is using trillian. I could convince him at least to
use the otr plugin (not the otr proxy! not secure im!) (I think this
there http://trillianotr.kittyfox.net/.) and I am using the miranda
plugin.
From miranda to miranda otr chats work great but to trillian I
see html tags all the time. Can this be fixed?

best regards

From ian at cypherpunks.ca Thu Dec 28 12:04:10 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Thu, 28 Dec 2006 12:04:10 -0500
Subject: [OTR-users] some questions
In-Reply-To: <45935AD6.6050208@freenet.de>
References: <45935AD6.6050208@freenet.de>
Message-ID: <20061228170410.GD5765@yoink.cs.uwaterloo.ca>

On Thu, Dec 28, 2006 at 06:49:10AM +0100, readytogo2 wrote:
> Hello,
>
> 1.
> Do you support the miranda otr plugin?
> http://addons.miranda-im.org/details.php?action=viewfile&id=2644
> Is it from same developers? What is your opinion about it?
> Which features are supported? (Encryption, Authentication, Deniability,
> Perfect forward secrecy)?

The Miranda plugin isn't by the same developers as the library, gaim
plugin, and the proxy. I personally have no opinion about that code,
since I don't even have a way to try it out.

> 2.
> Will you add deniability or perfect forward secrecy to the gaim plugin
> in the future?

?? The gaim plugin has had those features since day 1. Or am I
misunderstanding your question?

> 3.
> I am using miranda/gaim plugin, can I save or export my fingerprint? If
> I want to use another client, another accountname or the proxy can I
> use my old "identity" anyway so my contact doesn't need to trust a new
> fingerprint?

There's no explicit way to do it at the moment (with the main plugin,
anyway), but copying the otr.private_key file around should work.

> 4.
> A contact of mine is using trillian. I could convince him at least to
> use the otr plugin (not the otr proxy! not secure im!) (I think this
> there http://trillianotr.kittyfox.net/.) and I am using the miranda
> plugin. From miranda to miranda otr chats work great but to trillian I
> see html tags all the time. Can this be fixed?

I've heard of this problem before, even *without* otr.
It seems
Trillian uses its own custom markup language instead of html (which all
other clients use). I'm guessing there's a way to fix this, since it
certainly can't be the case that all Trillian users see html tags all
the time, but you'd have to ask someone who uses Trillian.

   - Ian

From readytogo2 at freenet.de Fri Dec 29 09:28:20 2006
From: readytogo2 at freenet.de (readytogo2)
Date: Fri, 29 Dec 2006 15:28:20 +0100
Subject: [OTR-users] some questions
Message-ID: <45952604.2090303@freenet.de>

(I am sorry Ian Goldberg, you get this e-mail twice because I did make
a mistake and answered to your e-mail address instead of the
mailinglist.)

Ian Goldberg wrote:
>> >> 1.
>> >> Do you support the miranda otr plugin?
>> >> http://addons.miranda-im.org/details.php?action=viewfile&id=2644
>> >> Is it from same developers? What is your opinion about it?
>> >> Which features are supported? (Encryption, Authentication, Deniability,
>> >> Perfect forward secrecy)?
> >
> > The Miranda plugin isn't by the same developers as the library, gaim
> > plugin, and the proxy. I personally have no opinion about that code,
> > since I don't even have a way to try it out.

Well, if you don't want to try it out it's ok. But I am sure you *can*
try it. I am everything else but a *nix expert, but I could run miranda
under wine (ubuntu).

>> >> 2.
>> >> Will you add deniability or perfect forward secrecy to the gaim plugin
>> >> in the future?
> >
> > ?? The gaim plugin has had those features since day 1. Or am I
> > misunderstanding your question?

From otr page faq: "
How is this different from the gaim-encryption plugin?
The gaim-encryption plugin provides encryption and authentication, but
not deniability or perfect forward secrecy. If an attacker or a virus
gets access to your machine, all of your past gaim-encryption
conversations are retroactively compromised.
Further, since all of the
messages are digitally signed, there is difficult-to-deny proof that you
said what you did: not what we want for a supposedly private conversation!"

That's why I asked if you are going to add this feature in the future.

>> >> 3.
>> >> I am using miranda/gaim plugin, can I save or export my fingerprint? If
>> >> I want to use another client, another accountname or the proxy can I
>> >> use my old "identity" anyway so my contact doesn't need to trust a new
>> >> fingerprint?
> >
> > There's no explicit way to do it at the moment (with the main plugin,
> > anyway), but copying the otr.private_key file around should work.

I think to use the proxy would be the best way for everyone right now?
Is the proxy portable? I also don't know what is compatible to each
other. :(

>> >> 4.
>> >> A contact of mine is using trillian. I could convince him at least to
>> >> use the otr plugin (not the otr proxy! not secure im!) (I think this
>> >> there http://trillianotr.kittyfox.net/.) and I am using the miranda
>> >> plugin. From miranda to miranda otr chats work great but to trillian I
>> >> see html tags all the time. Can this be fixed?
> >
> > I've heard of this problem before, even *without* otr. It seems
> > Trillian uses its own custom markup language instead of html (which all
> > other clients use). I'm guessing there's a way to fix this, since it
> > certainly can't be the case that all Trillian users see html tags all
> > the time, but you'd have to ask someone who uses Trillian.

Not the Trillian user see html tags, the miranda user does (me). Well,
nvm I don't get why someone need to use Tril if there are enough free and
better alternatives.

I tested to chat with my self from Gaim (OTR Plugin) to Miranda (OTR
Plugin), there is almost the same error. [SIZE=10]..Message..[/SIZE]
Perhaps the Miranda OTR Plugin is broken. Maybe I should use the proxy
instead.

From ian at cypherpunks.ca Fri Dec 29 10:35:30 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 29 Dec 2006 10:35:30 -0500
Subject: [OTR-users] some questions
In-Reply-To: <45952604.2090303@freenet.de>
References: <45952604.2090303@freenet.de>
Message-ID: <20061229153530.GI5765@yoink.cs.uwaterloo.ca>

On Fri, Dec 29, 2006 at 03:28:20PM +0100, readytogo2 wrote:
> > > The Miranda plugin isn't by the same developers as the library, gaim
> > > plugin, and the proxy. I personally have no opinion about that code,
> > > since I don't even have a way to try it out.
> Well, if you don't want to try it out it's ok. But I am sure you *can*
> try it. I am everything else but a *nix expert, but I could run miranda
> under wine (ubuntu).

Fair enough. But of course, just trying it out won't tell you anything
about what's going on under the hood.

> >> >> 2.
> >> >> Will you add deniability or perfect forward secrecy to the gaim plugin
> >> >> in the future?
> > >
> > > ?? The gaim plugin has had those features since day 1. Or am I
> > > misunderstanding your question?
> From otr page faq: "
> How is this different from the gaim-encryption plugin?
> The gaim-encryption plugin provides encryption and authentication, but
> not deniability or perfect forward secrecy. If an attacker or a virus
> gets access to your machine, all of your past gaim-encryption
> conversations are retroactively compromised. Further, since all of the
> messages are digitally signed, there is difficult-to-deny proof that you
> said what you did: not what we want for a supposedly private conversation!"
>
> That's why I asked if you are going to add this feature in the future.

Huh? We didn't write the gaim-encryption plugin; that's a totally
separate piece of software. This FAQ entry is just *comparing* the
features of gaim-otr to those of gaim-encryption. gaim-otr has all of
the features of otr, including deniability and perfect forward secrecy.

> >> >> 3.
> >> >> I am using miranda/gaim plugin, can I save or export my
> fingerprint? If
> >> >> I want to use another client, another accountname or the proxy can I
> >> >> use my old "identity" anyway so my contact doesn't need to trust a new
> >> >> fingerprint?
> > >
> > > There's no explicit way to do it at the moment (with the main plugin,
> > > anyway), but copying the otr.private_key file around should work.
> I think to use the proxy would be the best way for everyone right now?
> Is the proxy portable? I also don't know what is compatible to each
> other. :(

Any software that uses libotr should have compatible otr.private_key
files; I don't think switching to the proxy would change this situation
at all.

> >> >> 4.
> >> >> A contact of mine is using trillian. I could convince him at least to
> >> >> use the otr plugin (not the otr proxy! not secure im!) (I think this
> >> >> there http://trillianotr.kittyfox.net/.) and I am using the miranda
> >> >> plugin. From miranda to miranda otr chats work great but to
> trillian I
> >> >> see html tags all the time. Can this be fixed?
> > >
> > > I've heard of this problem before, even *without* otr. It seems
> > > Trillian uses its own custom markup language instead of html (which all
> > > other clients use). I'm guessing there's a way to fix this, since it
> > > certainly can't be the case that all Trillian users see html tags all
> > > the time, but you'd have to ask someone who uses Trillian.
> Not the Trillian user see html tags, the miranda user does (me). Well,
> nvm I don't get why someone need to use Tril if there are enough free and
> better alternatives.
>
> I tested to chat with my self from Gaim (OTR Plugin) to Miranda (OTR
> Plugin), there is almost the same error. [SIZE=10]..Message..[/SIZE]
> Perhaps the Miranda OTR Plugin is broken. Maybe I should use the proxy
> instead.

I must have had it backwards in my mind, then. Perhaps it's Miranda
that uses the "square brackets" markup language.

   - Ian

From readytogo2 at freenet.de Fri Dec 29 12:28:00 2006
From: readytogo2 at freenet.de (readytogo2)
Date: Fri, 29 Dec 2006 18:28:00 +0100
Subject: [OTR-users] some questions
In-Reply-To: <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
Message-ID: <45955020.3030004@freenet.de>

Ian Goldberg wrote:
> On Fri, Dec 29, 2006 at 03:28:20PM +0100, readytogo2 wrote:
>>>> The Miranda plugin isn't by the same developers as the library, gaim
>>>> plugin, and the proxy. I personally have no opinion about that code,
>>>> since I don't even have a way to try it out.
>> Well, if you don't want to try it out it's ok. But I am sure you *can*
>> try it. I am everything else but a *nix expert, but I could run miranda
>> under wine (ubuntu).
>
> Fair enough. But of course, just trying it out won't tell you anything
> about what's going on under the hood.

True, but if there is no official statement from otr developers yet it's
therefore not suggestable right now?

>>>>>> 2.
>>>>>> Will you add deniability or perfect forward secrecy to the gaim plugin
>>>>>> in the future?
>>>> ?? The gaim plugin has had those features since day 1. Or am I
>>>> misunderstanding your question?
>> From otr page faq: "
>> How is this different from the gaim-encryption plugin?
>> The gaim-encryption plugin provides encryption and authentication, but
>> not deniability or perfect forward secrecy. If an attacker or a virus
>> gets access to your machine, all of your past gaim-encryption
>> conversations are retroactively compromised. Further, since all of the
>> messages are digitally signed, there is difficult-to-deny proof that you
>> said what you did: not what we want for a supposedly private conversation!"
>>
>> That's why I asked if you are going to add this feature in the future.
>
> Huh? We didn't write the gaim-encryption plugin; that's a totally
> separate piece of software.
> This FAQ entry is just *comparing* the
> features of gaim-otr to those of gaim-encryption. gaim-otr has all of
> the features of otr, including deniability and perfect forward secrecy.

Ah, I misunderstood this. The page says gaim-encryption and not just
gaim-plugin.

>>>>>> 3.
>>>>>> I am using miranda/gaim plugin, can I save or export my
>> fingerprint? If
>>>>>> I want to use another client, another accountname or the proxy can I
>>>>>> use my old "identity" anyway so my contact doesn't need to trust a new
>>>>>> fingerprint?
>>>> There's no explicit way to do it at the moment (with the main plugin,
>>>> anyway), but copying the otr.private_key file around should work.
>> I think to use the proxy would be the best way for everyone right now?
>> Is the proxy portable? I also don't know what is compatible to each
>> other. :(
>
> Any software that uses libotr should have compatible otr.private_key
> files; I don't think switching to the proxy would change this situation
> at all.

The proxy isn't available for windows?

What would you suggest to use?
- using jabber + ssl
- using gaim + gaim-otr
- using miranda (I prefer it because it supports transport agents and
more easy server registration) + miranda-otr-plugin
?

Or is gaim + gaim-otr the only suggestable way to chat encrypted? I mean
the gaim plugin is easy enough to install for everyone.

Please allow me a question, this question should not sound mad. But why
do you investigate your skills and time in developing OTR localhost AIM
proxy? Proprietary like Aim, Icq & Msn (maybe Skype as well) are
Freeware, not open source, don't have a checkable secure way to add
encryption by standard and will never have it and reserve itself the
right to log, save, observe, use, ... messages sent over their service.

Them could disallow to send encrypted messages over their service at any
time. Some of those messengers already banned transport agents or
disallowed in their user agreement to use native clients.

If two people are using aim and begin to care about privacy and
security should use jabber instead because it is free and there are
already cross platform, portable, checkable and secure ways to chat with
each other (gaim-otr). Imho to investigate work in free protocols has
more future.

From ian at cypherpunks.ca Fri Dec 29 13:02:23 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 29 Dec 2006 13:02:23 -0500
Subject: [OTR-users] some questions
In-Reply-To: <45955020.3030004@freenet.de>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
Message-ID: <20061229180223.GL5765@yoink.cs.uwaterloo.ca>

On Fri, Dec 29, 2006 at 06:28:00PM +0100, readytogo2 wrote:
> > Fair enough. But of course, just trying it out won't tell you anything
> > about what's going on under the hood.
> True, but if there is no official statement from otr developers yet it's
> therefore not suggestable right now?

I don't think it's even our place to recommend or contraindicate the use
of specific third-party software. All I can say is that I personally
don't use it, and I've never looked at the code.

> >>>> There's no explicit way to do it at the moment (with the main plugin,
> >>>> anyway), but copying the otr.private_key file around should work.
> >> I think to use the proxy would be the best way for everyone right now?
> >> Is the proxy portable? I also don't know what is compatible to each
> >> other. :(
> >
> > Any software that uses libotr should have compatible otr.private_key
> > files; I don't think switching to the proxy would change this situation
> > at all.
> The proxy isn't available for windows?

The proxy runs on Linux, Windows, and OS X.

> What would you suggest to use?
> - using jabber + ssl
> - using gaim + gaim-otr
> - using miranda (I prefer it because it supports transport agents and
> more easy server registration) + miranda-otr-plugin
> ?

jabber + ssl doesn't provide the same security properties as otr; most
noticeably, the jabber server can still read (or modify) all of your
messages.

I personally use gaim + gaim-otr; that's my primary development target.

> Or is gaim + gaim-otr the only suggestable way to chat encrypted? I mean
> the gaim plugin is easy enough to install for everyone.

As I said, that's what I use. OS X users have another great option:
Adium X. It's got OTR support built right in.

> Please allow me a question, this question should not sound mad. But why
> do you investigate your skills and time in developing OTR localhost AIM
> proxy? Proprietary like Aim, Icq & Msn (maybe Skype as well) are
> Freeware, not open source, don't have a checkable secure way to add
> encryption by standard and will never have it and reserve itself the
> right to log, save, observe, use, ... messages sent over their service.
>
> Them could disallow to send encrypted messages over their service at any
> time. Some of those messengers already banned transport agents or
> disallowed in their user agreement to use native clients.

The primary reason to write the proxy was so that iChat users could use
OTR. At the time, iChat was AIM-only.

> If two people are using aim and begin to care about privacy and
> security should use jabber instead because it is free and there are
> already cross platform, portable, checkable and secure ways to chat with
> each other (gaim-otr). Imho to investigate work in free protocols has
> more future.

One of the primary characteristics of so-called "useful security and
privacy technologies" is that they can give users benefit, without the
users having to significantly change the way they do things. (For if
they were forced to, they usually just forego the technology
altogether.) Telling people "switch to Jabber" is a non-solution, since
people won't do it. Even telling people "switch to using gaim" is
tough.
The proxy allows people to continue using whatever client
they're most comfortable with, until OTR support gets added natively.
I agree that open protocols are the Right Way to go in the future (and
you'll notice that OTR itself is fully specified and open), but that's
not where IM users are now, and we want to help as many people as we can
today. We don't have to choose between them; OTR works on AIM, MSN,
ICQ, and Jabber alike.

   - Ian

From readytogo2 at freenet.de Fri Dec 29 18:12:37 2006
From: readytogo2 at freenet.de (readytogo2)
Date: Sat, 30 Dec 2006 00:12:37 +0100
Subject: [OTR-users] some questions
In-Reply-To: <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
Message-ID: <4595A0E5.7080606@freenet.de>

Ian Goldberg wrote:
> On Fri, Dec 29, 2006 at 06:28:00PM +0100, readytogo2 wrote:
>>> Fair enough. But of course, just trying it out won't tell you anything
>>> about what's going on under the hood.
>> True, but if there is no official statement from otr developers yet it's
>> therefore not suggestable right now?
>
> I don't think it's even our place to recommend or contraindicate the use
> of specific third-party software. All I can say is that I personally
> don't use it, and I've never looked at the code.

Where else could be a place to recommend or contraindicate? :)

Do you want OTR to be a high compatible system? You want that many
people use it? Or just that interested people can easy use it?

>>>>>> There's no explicit way to do it at the moment (with the main plugin,
>>>>>> anyway), but copying the otr.private_key file around should work.
>>>> I think to use the proxy would be the best way for everyone right now?
>>>> Is the proxy portable? I also don't know what is compatible to each
>>>> other.
>>>> :(
>>> Any software that uses libotr should have compatible otr.private_key
>>> files; I don't think switching to the proxy would change this situation
>>> at all.
>> The proxy isn't available for windows?
>
> The proxy runs on Linux, Windows, and OS X.

You mean the aim proxy?
I don't see for OTR library and toolkit a windows built.

>> What would you suggest to use?
>> - using jabber + ssl
>> - using gaim + gaim-otr
>> - using miranda (I prefer it because it supports transport agents and
>> more easy server registration) + miranda-otr-plugin
>> ?
>
> jabber + ssl doesn't provide the same security properties as otr; most
> noticeably, the jabber server can still read (or modify) all of your
> messages.

Yes, sure the ssl doesn't make it uber secure. But as far I can imagine
this it will make it even harder for someone who tries to compromise the
system.

>> Please allow me a question, this question should not sound mad. But why
>> do you investigate your skills and time in developing OTR localhost AIM
>> proxy? Proprietary like Aim, Icq & Msn (maybe Skype as well) are
>> Freeware, not open source, don't have a checkable secure way to add
>> encryption by standard and will never have it and reserve itself the
>> right to log, save, observe, use, ... messages sent over their service.
>>
>> Them could disallow to send encrypted messages over their service at any
>> time. Some of those messengers already banned transport agents or
>> disallowed in their user agreement to use native clients.
>
> The primary reason to write the proxy was so that iChat users could use
> OTR. At the time, iChat was AIM-only.
>
>> If two people are using aim and begin to care about privacy and
>> security should use jabber instead because it is free and there are
>> already cross platform, portable, checkable and secure ways to chat with
>> each other (gaim-otr). Imho to investigate work in free protocols has
>> more future.
>
> One of the primary characteristics of so-called "useful security and
> privacy technologies" is that they can give users benefit, without the
> users having to significantly change the way they do things. (For if
> they were forced to, they usually just forego the technology
> altogether.) Telling people "switch to Jabber" is a non-solution, since
> people won't do it. Even telling people "switch to using gaim" is
> tough. The proxy allows people to continue using whatever client
> they're most comfortable with, until OTR support gets added natively.
> I agree that open protocols are the Right Way to go in the future (and
> you'll notice that OTR itself is fully specified and open), but that's
> not where IM users are now, and we want to help as many people as we can
> today. We don't have to choose between them; OTR works on AIM, MSN,
> ICQ, and Jabber alike.

I am already convinced. I like OTR. Which target do you want to reach
with your project? Do you want some translations of your website? I also
would like to see many people using it, a great website (example
ubuntu.com) with wiki and forum.

From ian at cypherpunks.ca Fri Dec 29 19:47:54 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 29 Dec 2006 19:47:54 -0500
Subject: [OTR-users] some questions
In-Reply-To: <4595A0E5.7080606@freenet.de>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
Message-ID: <20061230004754.GN5765@yoink.cs.uwaterloo.ca>

On Sat, Dec 30, 2006 at 12:12:37AM +0100, readytogo2 wrote:
> Ian Goldberg wrote:
> > On Fri, Dec 29, 2006 at 06:28:00PM +0100, readytogo2 wrote:
> >>> Fair enough. But of course, just trying it out won't tell you anything
> >>> about what's going on under the hood.
> >> True, but if there is no official statement from otr developers yet it's
> >> therefore not suggestable right now?
> >
> > I don't think it's even our place to recommend or contraindicate the use
> > of specific third-party software. All I can say is that I personally
> > don't use it, and I've never looked at the code.
> Where else could be a place to recommend or contraindicate? :)

Other users, and possibly the author, would have a more meaningful
opinion than I would, for sure.

> Do you want OTR to be a highly compatible system? You want that many
> people use it? Or just that interested people can easily use it?

We want lots of people to use it. In the best case, they shouldn't even
necessarily be *aware* they're using it (as in Adium X).

> > The proxy runs on Linux, Windows, and OS X.
>
> You mean the aim proxy?

Yes.

> I don't see for OTR library and toolkit a windows build.

The Windows binaries of the toolkit are bundled with the Windows
applications (otrproxy and gaim-otr). There are no binary builds of the
library; you get source for that. (You get source for the toolkit, too,
of course.)

> > jabber + ssl doesn't provide the same security properties as otr; most
> > noticeably, the jabber server can still read (or modify) all of your
> > messages.
> Yes, sure the ssl doesn't make it uber secure. But as far I can imagine
> this it will make it even harder for someone who tries to compromise the
> system.

Unless that someone runs your Jabber server.

- Ian

From perrin at apotheon.com Fri Dec 29 20:04:48 2006
From: perrin at apotheon.com (Chad Perrin)
Date: Fri, 29 Dec 2006 18:04:48 -0700
Subject: [OTR-users] some questions
In-Reply-To: <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
 <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
Message-ID: <20061230010448.GB2688@apotheon.com>

On Fri, Dec 29, 2006 at 07:47:54PM -0500, Ian Goldberg wrote:
>
> We want lots of people to use it.
> In the best case, they shouldn't even
> necessarily be *aware* they're using it (as in Adium X).

That seems sorta improbable. How do you verify a key without knowing
you're using it?

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"A script is what you give the actors. A program is what you give the
audience." - Larry Wall

From ian at cypherpunks.ca Fri Dec 29 22:56:49 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 29 Dec 2006 22:56:49 -0500
Subject: [OTR-users] some questions
In-Reply-To: <20061230010448.GB2688@apotheon.com>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
 <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
 <20061230010448.GB2688@apotheon.com>
Message-ID: <20061230035649.GO5765@yoink.cs.uwaterloo.ca>

On Fri, Dec 29, 2006 at 06:04:48PM -0700, Chad Perrin wrote:
> On Fri, Dec 29, 2006 at 07:47:54PM -0500, Ian Goldberg wrote:
> >
> > We want lots of people to use it. In the best case, they shouldn't even
> > necessarily be *aware* they're using it (as in Adium X).
>
> That seems sorta improbable. How do you verify a key without knowing
> you're using it?

You don't. But even if they don't verify the key, they're not worse off
than if they don't use OTR at all. That's the benefit of opportunistic
encryption; if you don't know it's there, you're still no worse off than
if it wasn't there, and you're better off against at least passive
adversaries.

- Ian

From perrin at apotheon.com Sat Dec 30 03:16:55 2006
From: perrin at apotheon.com (Chad Perrin)
Date: Sat, 30 Dec 2006 01:16:55 -0700
Subject: [OTR-users] some questions
In-Reply-To: <20061230035649.GO5765@yoink.cs.uwaterloo.ca>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
 <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
 <20061230010448.GB2688@apotheon.com>
 <20061230035649.GO5765@yoink.cs.uwaterloo.ca>
Message-ID: <20061230081654.GA6802@apotheon.com>

On Fri, Dec 29, 2006 at 10:56:49PM -0500, Ian Goldberg wrote:
> On Fri, Dec 29, 2006 at 06:04:48PM -0700, Chad Perrin wrote:
> > On Fri, Dec 29, 2006 at 07:47:54PM -0500, Ian Goldberg wrote:
> > >
> > > We want lots of people to use it. In the best case, they shouldn't even
> > > necessarily be *aware* they're using it (as in Adium X).
> >
> > That seems sorta improbable. How do you verify a key without knowing
> > you're using it?
>
> You don't. But even if they don't verify the key, they're not worse off
> than if they don't use OTR at all. That's the benefit of opportunistic
> encryption; if you don't know it's there, you're still no worse off than
> if it wasn't there, and you're better off against at least passive
> adversaries.

Well . . . yeah, you have a point, there. I tend to try to get verified
with everyone*, though. I'm sure I'm no more paranoid than most of the
rest of the people on this list, regardless.

* Everyone that uses Gaim-OTR, that is.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
print substr("Just another Perl hacker", 0, -2);

From mail at scottellis.com.au Sat Dec 30 09:41:18 2006
From: mail at scottellis.com.au (Scott Ellis)
Date: Sun, 31 Dec 2006 01:41:18 +1100
Subject: [OTR-users] some questions
In-Reply-To: <20061230081654.GA6802@apotheon.com>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
 <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
 <20061230010448.GB2688@apotheon.com>
 <20061230035649.GO5765@yoink.cs.uwaterloo.ca>
 <20061230081654.GA6802@apotheon.com>
Message-ID: <96e269140612300641h64d2904bx83e71fe87201d685@mail.gmail.com>

regarding the html tags observed by miranda users:

miranda does under certain circumstances (depending on which messaging
plugins etc are in use) understand the 'square brackets markup' ("bbcodes")
- but does not understand html natively

it is my understanding (please correct me if i'm wrong) that both trillian
and gaim understand html natively

my position is that this is a gaim/trillian error - html tags are not
supported by most im protocols - to my knowledge only AIM allows and
prescribes that clients understand these tags. the AIM miranda plugin has
recently been altered to allow the OTR plugin the opportunity to decrypt
messages before these tags are filtered by the protocol plugin - so at least
for AIM this issue should have been resolved (note that there is an
additional complication here when using the 'metacontacts' plugin that has
also been resolved in the most recent release)

i am led to believe that for other protocols (e.g.
icq etc) trillian and gaim should not be transmitting these tags with the
expectation that other clients will understand them

a not insignificant amount of re-engineering was required with
OTR/AIM/Miranda to allow correct operation - i am not at all familiar with
the information path under trillian/gaim but i would not be at all surprised
if there are architectural issues when it comes to decryption of messages
and the access plugins/protocols have as they make their way from the
network level to the UI level

Scott

From readytogo2 at freenet.de Sat Dec 30 12:42:11 2006
From: readytogo2 at freenet.de (readytogo2)
Date: Sat, 30 Dec 2006 18:42:11 +0100
Subject: [OTR-users] some questions
In-Reply-To: <96e269140612300641h64d2904bx83e71fe87201d685@mail.gmail.com>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
 <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
 <20061230010448.GB2688@apotheon.com>
 <20061230035649.GO5765@yoink.cs.uwaterloo.ca>
 <20061230081654.GA6802@apotheon.com>
 <96e269140612300641h64d2904bx83e71fe87201d685@mail.gmail.com>
Message-ID: <4596A4F3.4010207@freenet.de>

Scott Ellis wrote:
> regarding the html tags observed by miranda users:
>
> miranda does under certain circumstances (depending on which messaging
> plugins etc are in use) understand the 'square brackets markup' ("bbcodes")
> - but does not understand html natively
>
> it is my understanding (please correct me if i'm wrong) that both trillian
> and gaim understand html natively
>
> my position is that this is a gaim/trillian error - html tags are not
> supported by most im protocols - to my knowledge only AIM allows and
> prescribes that clients understand these tags.
> the AIM miranda plugin has
> recently been altered to allow the OTR plugin the opportunity to decrypt
> messages before these tags are filtered by the protocol plugin - so at least
> for AIM this issue should have been resolved (note that there is an
> additional complication here when using the 'metacontacts' plugin that has
> also been resolved in the most recent release)
>
> i am led to believe that for other protocols (e.g. icq etc) trillian and
> gaim should not be transmitting these tags with the expectation that other
> clients will understand them
>
> a not insignificant amount of re-engineering was required with
> OTR/AIM/Miranda to allow correct operation - i am not at all familiar with
> the information path under trillian/gaim but i would not be at all surprised
> if there are architectural issues when it comes to decryption of messages
> and the access plugins/protocols have as they make their way from the
> network level to the UI level
>
> Scott
>

This sounds very complicated. In order to fix this issue who would be
responsible? Afaik miranda is still in active development I feel this
problem should be reported and should/could be fixed. I have no idea if
this has been reported yet. I just thought it's the best way to ask
first here, because this problem happens since OTR is enabled.

From perrin at apotheon.com Sat Dec 30 13:27:38 2006
From: perrin at apotheon.com (Chad Perrin)
Date: Sat, 30 Dec 2006 11:27:38 -0700
Subject: [OTR-users] some questions
In-Reply-To: <96e269140612300641h64d2904bx83e71fe87201d685@mail.gmail.com>
References: <45952604.2090303@freenet.de>
 <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
 <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
 <20061230010448.GB2688@apotheon.com>
 <20061230035649.GO5765@yoink.cs.uwaterloo.ca>
 <20061230081654.GA6802@apotheon.com>
 <96e269140612300641h64d2904bx83e71fe87201d685@mail.gmail.com>
Message-ID: <20061230182738.GA13302@apotheon.com>

On Sun, Dec 31, 2006 at 01:41:18AM +1100, Scott Ellis wrote:
> regarding the html tags observed by miranda users:
>
> miranda does under certain circumstances (depending on which messaging
> plugins etc are in use) understand the 'square brackets markup' ("bbcodes")
> - but does not understand html natively
>
> it is my understanding (please correct me if i'm wrong) that both trillian
> and gaim understand html natively
>
> my position is that this is a gaim/trillian error - html tags are not
> supported by most im protocols - to my knowledge only AIM allows and
> prescribes that clients understand these tags. the AIM miranda plugin has
> recently been altered to allow the OTR plugin the opportunity to decrypt
> messages before these tags are filtered by the protocol plugin - so at least
> for AIM this issue should have been resolved (note that there is an
> additional complication here when using the 'metacontacts' plugin that has
> also been resolved in the most recent release)

This strikes me as a "gaim/trillian/miranda/everybody" error. To
provide unsurprising behavior that enables, rather than restricting, the
user, they should all be liberal in what they'll accept and strict in
what they'll emit.
In other words, none of them should be showing a
bunch of markup in your incoming messages, and all of them should adhere
to protocol specifications carefully when encoding messages.

Of course, they should all be fairly configurable in the above behavior
to suit the user's preferences as well, but that's more of a feature
than a fundamental "get it right" mandate.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"The first rule of magic is simple. Don't waste your time waving your
hands and hopping when a rock or a club will do." - McCloctnick the Lucid

From ian at cypherpunks.ca Sat Dec 30 14:02:31 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Sat, 30 Dec 2006 14:02:31 -0500
Subject: [OTR-users] some questions
In-Reply-To: <20061230182738.GA13302@apotheon.com>
References: <20061229153530.GI5765@yoink.cs.uwaterloo.ca>
 <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
 <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
 <20061230010448.GB2688@apotheon.com>
 <20061230035649.GO5765@yoink.cs.uwaterloo.ca>
 <20061230081654.GA6802@apotheon.com>
 <96e269140612300641h64d2904bx83e71fe87201d685@mail.gmail.com>
 <20061230182738.GA13302@apotheon.com>
Message-ID: <20061230190231.GQ5765@yoink.cs.uwaterloo.ca>

On Sat, Dec 30, 2006 at 11:27:38AM -0700, Chad Perrin wrote:
> This strikes me as a "gaim/trillian/miranda/everybody" error. To
> provide unsurprising behavior that enables, rather than restricting, the
> user, they should all be liberal in what they'll accept and strict in
> what they'll emit. In other words, none of them should be showing a
> bunch of markup in your incoming messages, and all of them should adhere
> to protocol specifications carefully when encoding messages.

Of course, the problem here is that *there is no specification*. These
are closed protocols, and the closest you can come is to see what the
"official" clients do, and try to emulate that.

- Ian

From perrin at apotheon.com Sat Dec 30 18:18:25 2006
From: perrin at apotheon.com (Chad Perrin)
Date: Sat, 30 Dec 2006 16:18:25 -0700
Subject: [OTR-users] some questions
In-Reply-To: <20061230190231.GQ5765@yoink.cs.uwaterloo.ca>
References: <45955020.3030004@freenet.de>
 <20061229180223.GL5765@yoink.cs.uwaterloo.ca>
 <4595A0E5.7080606@freenet.de>
 <20061230004754.GN5765@yoink.cs.uwaterloo.ca>
 <20061230010448.GB2688@apotheon.com>
 <20061230035649.GO5765@yoink.cs.uwaterloo.ca>
 <20061230081654.GA6802@apotheon.com>
 <96e269140612300641h64d2904bx83e71fe87201d685@mail.gmail.com>
 <20061230182738.GA13302@apotheon.com>
 <20061230190231.GQ5765@yoink.cs.uwaterloo.ca>
Message-ID: <20061230231825.GB14191@apotheon.com>

On Sat, Dec 30, 2006 at 02:02:31PM -0500, Ian Goldberg wrote:
> On Sat, Dec 30, 2006 at 11:27:38AM -0700, Chad Perrin wrote:
> > This strikes me as a "gaim/trillian/miranda/everybody" error. To
> > provide unsurprising behavior that enables, rather than restricting, the
> > user, they should all be liberal in what they'll accept and strict in
> > what they'll emit. In other words, none of them should be showing a
> > bunch of markup in your incoming messages, and all of them should adhere
> > to protocol specifications carefully when encoding messages.
>
> Of course, the problem here is that *there is no specification*. These
> are closed protocols, and the closest you can come is to see what the
> "official" clients do, and try to emulate that.

Of course, in such circumstances you must simply get as close as
possible. The principle itself still holds, though.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"It's just incredible that a trillion-synapse computer could actually
spend Saturday afternoon watching a football game." - Marvin Minsky
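
Added example (not part of any message in this thread, and not code from Miranda, Gaim or libotr): the ordering problem Scott Ellis describes above, where the protocol plugin filters HTML tags before the OTR plugin has decrypted the message, so the tags inside the ciphertext reach the user unfiltered. Base64 stands in for OTR encryption, the sample message is constructed, and every function name is hypothetical.

```python
import base64
import html
import re

OTR_PREFIX = "?OTR:"             # encoded OTR messages start with this marker
TAG_RE = re.compile(r"<[^>]+>")  # display filter only, not an HTML sanitizer


def strip_html(text: str) -> str:
    """What a protocol plugin does for a client that cannot render HTML."""
    return html.unescape(TAG_RE.sub("", text))


def toy_encrypt(plaintext: str) -> str:
    """Stand-in for OTR encryption (assumption: base64, NOT real crypto)."""
    body = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return OTR_PREFIX + body + "."


def toy_decrypt(wire: str) -> str:
    """Stand-in for the OTR plugin; unencrypted messages pass through."""
    if not wire.startswith(OTR_PREFIX):
        return wire
    body = wire[len(OTR_PREFIX):].rstrip(".")
    return base64.b64decode(body).decode("utf-8")


def filter_then_decrypt(wire: str) -> str:
    """Protocol plugin filters first: it only ever sees ciphertext, which
    contains no tags, so the sender's markup survives decryption."""
    return toy_decrypt(strip_html(wire))


def decrypt_then_filter(wire: str) -> str:
    """OTR plugin runs first, then the tag filter sees the real plaintext."""
    return strip_html(toy_decrypt(wire))


def demo() -> dict:
    # Constructed sample: what an HTML-emitting client hands to OTR.
    sent = "<b>meet at 5</b> &amp; bring the key"
    wire = toy_encrypt(sent)
    return {
        "filter_first": filter_then_decrypt(wire),
        "decrypt_first": decrypt_then_filter(wire),
        "unencrypted": filter_then_decrypt(sent),
    }


if __name__ == "__main__":
    for order, shown in demo().items():
        print(f"{order:13} -> {shown!r}")
```

Without OTR both orders give the same clean text, which is why the stray tags only show up once encryption is switched on.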