From senatorfrog@gmail.com Fri Mar 2 03:38:34 2007
From: senatorfrog@gmail.com (Mark Senior)
Date: Thu, 1 Mar 2007 20:38:34 -0700
Subject: [OTR-users] otr-proxy and iChat
Message-ID: <70f230c70703011938p6d7f1547tc8a12cd97b6d366f@mail.gmail.com>
Hello list
I've looked back through the list for the last couple of months and
not noted any feedback on using OTR Proxy.app on OS X, with iChat.
In case any of this is platform sensitive - I'm using OS X 10.4.8 on
an Intel iMac.
As it is right now, it's probably not usable to most Mac users. I
tried to run the app in the usual Mac-y way, by double clicking on the
icon from the Applications folder. The GUI starts up, and everything
seems fine. I then logged out of iChat, set the preferences to use
localhost:8080 as an HTTP proxy, and tried to connect. At this point,
the connection process seemed to hang for about a minute, and then it
gave up and went to the "disconnected" state.
I tried quitting OTR Proxy and relaunched it, but it objected that it
was unable to listen on ports 1080 and 8080, because another process
already had them. I quit OTR Proxy again, ran "lsof -i" and sure
enough there was a running process hanging around (maybe it doesn't
clean up its child processes?). So, there's bug number one.
But even with the lingering process killed, it still can't connect.
Figuring I might get some debug info, I cd'd into /Applications/OTR\
Proxy/Contents/MacOS/ and ran the executable at the terminal. Having
done that, the connection worked fine! So, bug number two - does OTR
Proxy maybe require a tty to write to?
Generating the private key seemed to work well at that point. Now, I
just have to wait for someone to come on line so I can try chatting
with them...
Regards
Mark
From samslists@gmail.com Fri Mar 2 06:43:34 2007
From: samslists@gmail.com (Sam's Lists)
Date: Thu, 1 Mar 2007 22:43:34 -0800
Subject: [OTR-users] Verifying when one user has gaim and one adium.
Message-ID: <558124520703012243x2947f7d7l605a0dbdbc54a644@mail.gmail.com>
It's a piece of cake to verify with someone over the phone when both of us
are running gaim.
But Adium seems very different. It seems to want to verify the session id.
I can't figure out by talking on the phone to this mac user where to have
her look for her fingerprint.
Has anyone else used both adium and gaim? Why can't the verification
process be exactly the same? All this confusion can cause errors.
From galenz@zinkconsulting.com Sun Mar 4 22:01:23 2007
From: galenz@zinkconsulting.com (galenz@zinkconsulting.com)
Date: Sun, 4 Mar 2007 14:01:23 -0800
Subject: [OTR-users] otr-proxy and iChat
In-Reply-To: <70f230c70703011938p6d7f1547tc8a12cd97b6d366f@mail.gmail.com>
References: <70f230c70703011938p6d7f1547tc8a12cd97b6d366f@mail.gmail.com>
Message-ID: <757C5610-1321-47E2-8D57-1D44CCF94716@zinkconsulting.com>
I've had a terrible time with this as well, particularly after
migrating to a MacBook. I couldn't even get a native x86 version to
build and nobody on the list bothered to post any responses. Aside
from countless bugs / strange behaviors, particularly prevalent under
x86, simply having a single PPC app open on an x86-based Mac results
in significantly increased memory usage.
I ultimately did a manual migration of my information into Adium.
That has been acceptable, but overall, Adium suffers from excessive
flexibility and lots of strange behaviors. At least file transfers
work these days. The only advantage to Adium is integrated OTR, tabs,
support for multiple IM networks and possibly the auto-accept file
transfer function. The GUI is super-customizable, but utterly lacking
in polish and simplicity.
I have considered writing a script to automate the migration from OTR
Proxy.app to Adium, and possibly back again.
-Galen
On Mar 1, 2007, at 7:38 PM, Mark Senior wrote:
> Hello list
>
> I've looked back through the list for the last couple of months and
> not noted any feedback on using OTR Proxy.app on OS X, with iChat.
>
> In case any of this is platform sensitive - I'm using OS X 10.4.8 on
> an Intel iMac.
>
> As it is right now, it's probably not usable to most Mac users. I
> tried to run the app in the usual Mac-y way, by double clicking on the
> icon from the Applications folder. The GUI starts up, and everything
> seems fine. I then logged out of iChat, set the preferences to use
> localhost:8080 as an HTTP proxy, and tried to connect. At this point,
> the connection process seemed to hang for about a minute, and then it
> gave up and went to the "disconnected" state.
>
> I tried quitting OTR Proxy and relaunched it, but it objected that it
> was unable to listen on ports 1080 and 8080, because another process
> already had them. I quit OTR Proxy again, ran "lsof -i" and sure
> enough there was a running process hanging around (maybe it doesn't
> clean up its child processes?). So, there's bug number one.
>
> But even with the lingering process killed, it still can't connect.
> Figuring I might get some debug info, I cd'd into /Applications/OTR\
> Proxy/Contents/MacOS/ and ran the executable at the terminal. Having
> done that, the connection worked fine! So, bug number two - does OTR
> Proxy maybe require a tty to write to?
>
> Generating the private key seemed to work well at that point. Now, I
> just have to wait for someone to come on line so I can try chatting
> with them...
>
> Regards
> Mark
From readytogo2@freenet.de Sun Mar 4 23:05:04 2007
From: readytogo2@freenet.de (readytogo2)
Date: Mon, 05 Mar 2007 00:05:04 +0100
Subject: [OTR-users] Request for review of Encryption Guide
In-Reply-To:
References:
Message-ID: <45EB50A0.8060205@freenet.de>
If you want feedback here better provide a link with a website so people
here don't need to download something.
You have E-Mail and IM. But there are more ways to communicate. Just
some hints to improve:
- email (pgp by pgp corp and why use openpgp instant (why use os instant))
- telephone (no way for serious encryption for end customers)
- voip (firewall problems, too many people are behind a router with nat
and not able to open ports, zfone, unusable for end customers right now
no way to encrypt)
- pc to pc (non voip, example Skype, "encrypted" (closed source),
hardcore obfuscated code, famous because it's easy and supports good
firewall workaround through p2p, spyware, security concerns)
- instant messenger chats can be encrypted with pgp as well (psi, pgp,
why you otr instant)
- otr (very rarely used, no reviews by "encryption gods")
- otr gaim <-> miranda <-> trillian incompatible problems (barce problem)
- trillian is closed source
- no one seemed to check the source of miranda/trillian otr right now so
I won't suggest using it
- gaim encryption (difference to otr, reviews?, use otr or gaim encryption?)
- SSL
- sensitive tasks like online banking
- "free webmail account", very bad idea to link to google, google is
known for data mining and has a monopoly (search engine), no need to
support its monopoly
- "Why shall I use encryption if I have nothing to hide?"
From paul@cypherpunks.ca Mon Mar 5 18:17:09 2007
From: paul@cypherpunks.ca (Paul Wouters)
Date: Mon, 5 Mar 2007 19:17:09 +0100 (CET)
Subject: [OTR-users] Verifying when one user has gaim and one adium.
In-Reply-To: <558124520703012243x2947f7d7l605a0dbdbc54a644@mail.gmail.com>
References: <558124520703012243x2947f7d7l605a0dbdbc54a644@mail.gmail.com>
Message-ID:
On Thu, 1 Mar 2007, Sam's Lists wrote:
> It's a piece of cake to verify with someone over the phone when both of us
> are running gaim.
>
> But Adium seems very different. It seems to want to verify the session id.
> I can't figure out by talking on the phone to this mac user where to have
> her look for her fingerprint.
>
> Has anyone else used both adium and gaim? Why can't the verification
> process be exactly the same? All this confusion can cause errors.
There is a bug in Adium 0.9 and a different bug in Adium 1.0+. It has been
reported, and I assume they will get to it.
Meanwhile, you're stuck with the confusion of "secure id" and "fingerprint".
Paul
From paul@cypherpunks.ca Thu Mar 15 22:54:21 2007
From: paul@cypherpunks.ca (Paul Wouters)
Date: Thu, 15 Mar 2007 22:54:21 +0100 (CET)
Subject: [OTR-users] default action for otr button when in "other end finished" state
Message-ID:
Today the other party ended their OTR session with me. I was advised
"to do the same". I forgot why the otr client does not handle this
itself. Perhaps the end otr message isn't authenticated?
Anyway, I hit the "end of otr session" button, which of course tried
to refresh the connection, instead of terminating mine, since there
is no "end of otr session" button. There is only the "refresh" button.
Proposal: change the default action of the OTR button to "end" if the
other end closed their OTR session with you.
Paul
From bdm@fenrir.org.uk Thu Mar 15 23:52:31 2007
From: bdm@fenrir.org.uk (Brian Morrison)
Date: Thu, 15 Mar 2007 22:52:31 +0000
Subject: [OTR-users] default action for otr button when in "other end
finished" state
In-Reply-To:
References:
Message-ID: <20070315225231.65f9aa79@peterson.fenrir.org.uk>
On Thu, 15 Mar 2007 22:54:21 +0100 (CET)
Paul Wouters wrote:
> Proposal: change the default action of the OTR button to "end" if the
> other end closed their OTR session with you.
Surely this should be automagic, if the other end decides to terminate
the session then the local OTR process must follow suit. If this isn't
authenticated, then the session can easily be reopened by....
...clicking the button to refresh the connection, it's a simple matter
not to do this if the connection has been terminated intentionally ;-)
--
Brian Morrison
"Arguing with an engineer is like wrestling with a pig in the mud;
after a while you realize you are muddy and the pig is enjoying it."
From gdt@ir.bbn.com Fri Mar 16 00:51:43 2007
From: gdt@ir.bbn.com (Greg Troxel)
Date: Thu, 15 Mar 2007 19:51:43 -0400
Subject: [OTR-users] default action for otr button when in "other end finished" state
In-Reply-To: (Paul
Wouters's message of "Thu\, 15 Mar 2007 22\:54\:21 +0100 \(CET\)")
References:
Message-ID:
I agree that in state they-finished-we-haven't ('finished'), clicking
should go to 'not private'. clicking again would of course try to
negotiate.
--
Greg Troxel
From Gilles@Gravier.org Fri Mar 16 02:13:28 2007
From: Gilles@Gravier.org (Gilles Gravier)
Date: Fri, 16 Mar 2007 02:13:28 +0100
Subject: [OTR-users] default action for otr button when in "other end
finished" state
In-Reply-To: <20070315225231.65f9aa79@peterson.fenrir.org.uk>
References: <20070315225231.65f9aa79@peterson.fenrir.org.uk>
Message-ID: <45F9EF38.2020006@Gravier.org>
I like the idea of automatic termination... but I *WANT* a strong
notification that this has happened...
Gilles.
Brian Morrison wrote:
> On Thu, 15 Mar 2007 22:54:21 +0100 (CET)
> Paul Wouters wrote:
>
>
>> Proposal: change the default action of the OTR button to "end" if the
>> other end closed their OTR session with you.
>>
>
> Surely this should be automagic, if the other end decides to terminate
> the session then the local OTR process must follow suit. If this isn't
> authenticated, then the session can easily be reopened by....
>
> ...clicking the button to refresh the connection, it's a simple matter
> not to do this if the connection has been terminated intentionally ;-)
>
>
--
Gilles Gravier = Gilles@Gravier.org
               = http://www.gravier.org/
ICQ : 77488526 || MSN Messenger : Gilles@Gravier.org
Skype : ggravier || Y! : ggravier || AOL : gillesgravier
PGP Key ID : 0x8DE6D026
"Chastity is its own punishment." (Solomon Short) [David Gerrold]
"Of all sexual aberrations, chastity is the most aberrant." [Anatole France]
From ian@cypherpunks.ca Fri Mar 16 12:40:59 2007
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Fri, 16 Mar 2007 07:40:59 -0400
Subject: [OTR-users] default action for otr button when in "other end finished" state
In-Reply-To:
References:
Message-ID: <20070316114059.GK31195@yoink.cs.uwaterloo.ca>
On Thu, Mar 15, 2007 at 07:51:43PM -0400, Greg Troxel wrote:
> I agree that in state they-finished-we-haven't ('finished'), clicking
> should go to 'not private'. clicking again would of course try to
> negotiate.
Wait: you're saying sometimes clicking that button should make you go
private, and sometimes it should make you go non-private? No way.
Clicking that button should *always* (at least try to) put you in
private mode.
Or am I misunderstanding?
- Ian
From gdt@ir.bbn.com Fri Mar 16 15:02:50 2007
From: gdt@ir.bbn.com (Greg Troxel)
Date: Fri, 16 Mar 2007 10:02:50 -0400
Subject: [OTR-users] default action for otr button when in "other end finished" state
In-Reply-To: <20070316114059.GK31195@yoink.cs.uwaterloo.ca> (Ian Goldberg's
message of "Fri\, 16 Mar 2007 07\:40\:59 -0400")
References:
<20070316114059.GK31195@yoink.cs.uwaterloo.ca>
Message-ID:
Ian Goldberg writes:
> On Thu, Mar 15, 2007 at 07:51:43PM -0400, Greg Troxel wrote:
>> I agree that in state they-finished-we-haven't ('finished'), clicking
>> should go to 'not private'. clicking again would of course try to
>> negotiate.
>
> Wait: you're saying sometimes clicking that button should make you go
> private, and sometimes it should make you go non-private? No way.
> Clicking that button should *always* (at least try to) put you in
> private mode.
>
> Or am I misunderstanding?
I tend to configure people for 'require OTR', and thus never click.
But you have a very good point; it's important the actions which might
be reflexive match the user's intent. Right-click already lets you
do this.
I commented earlier that this isn't my real problem with 'finished'.
It's that trying to send a message in finished just drops the
message. I don't see any good reason why this shouldn't trigger
negotiation just like sending a message when 'not private' (for peers
set to require). I understand why, and agree, that it's horribly
broken to send cleartext - but would like not to have to retype what I
sent by mistake.
From paul@cypherpunks.ca Fri Mar 16 19:10:24 2007
From: paul@cypherpunks.ca (Paul Wouters)
Date: Fri, 16 Mar 2007 19:10:24 +0100 (CET)
Subject: [OTR-users] default action for otr button when in "other end
finished" state
In-Reply-To: <20070316114059.GK31195@yoink.cs.uwaterloo.ca>
References:
<20070316114059.GK31195@yoink.cs.uwaterloo.ca>
Message-ID:
On Fri, 16 Mar 2007, Ian Goldberg wrote:
> On Thu, Mar 15, 2007 at 07:51:43PM -0400, Greg Troxel wrote:
> > I agree that in state they-finished-we-haven't ('finished'), clicking
> > should go to 'not private'. clicking again would of course try to
> > negotiate.
>
> Wait: you're saying sometimes clicking that button should make you go
> private, and sometimes it should make you go non-private? No way.
> Clicking that button should *always* (at least try to) put you in
> private mode.
>
> Or am I misunderstanding?
No you are not :)
The button can change appearances. As the button is right now, when
the remote has finished the OTR session, the use of our button is
counter-intuitive. This is not theoretical, this is happening to ME,
and I know what OTR does for me much more than the average user. The
problem is you are told "the user finished his OTR session with you,
you should do the same". Since there is only ONE button available, my
brain leaps to the conclusion "action is required, there is only one
button, therefore hit it". While the correct action in this case is to
RIGHT click and select "end private conversation". This is not good
from a UI perspective.
Though I understand the concerns from a cryptographic perspective.
I understand your fear of the other end closing OTR, and us automatically
following suit and accidentally sending something in the clear - though
that could be avoided by defaulting to "never send something in the clear
per default if we have an OTR key for this person", or simply demanding
a confirmation to send in the clear after the event that the other end
closed our secure communications.
I also understand that the current behaviour is the most fail safe, though
on many occasions I've restarted an OTR session by accident, while I had
nothing to say to this person (they left after all, hence their closing),
and restarted OTR to this person while the person had left his computer.
It makes you wonder about the purpose of closing the OTR session at all.
One reason is if the person goes to work, and has a non-OTR jabber client,
and the person is now logged in twice. If I have accidentally hit
"refresh" to "end" the person's home connection, I'm now bombarding him
with unreadable messages, another frequent mistake that happens to me,
that would be mitigated a lot by having a text-only version of gaim-otr for
those who cannot use an IM client with GUI in their daily business life :)
So in short, my proposal would be:
If remote sends us a "finished OTR session with you" we should either
a) automatically "end private conversation" BUT upon the first would-be
   plaintext message, block and require confirmation of user for unencrypted send, - OR -
b) change the OTR button to "end private conversation" button.
For b) the user can either:
b1) click on "end button" - OTR button changes back to default familiar "Not private" button, AND
    optionally requires the user upon first non-private attempt at sending to confirm plaintext msg, - OR -
b2) not click on "end" button and type - OTR button does not change, but there is no point attempting
    to send unreadable message, so refrain from sending garbage and attempt to init OTR before sending
    message.
b3) not do anything and receive either:
    x) - OTR request, change button to normal button
    y) - plaintext, see b2)
Does this make sense?
Some of these issues are normally set by the buddy preferences, but we are missing the option to set the
preference per instance of a buddy. eg Paul/HOME can be "must OTR", while Paul/WORK could be "may OTR".
In practise, the one preference setting per total buddy doesn't work in practise.
This also assumes that the only reason people click "end OTR session" is because they will reappear
shortly elsewhere without OTR. I don't think there is another reason to do this. Because if I am
talking to Ian via OTR, and Ian leaves for work and ends the session, me telling him anything will just
restart the session and display the OTR protected text on his display anyway. No privacy is gained here.
Paul
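The behaviour discussed in this thread, as an added example that is not part of the original message and is not gaim-otr or libotr code: option (a) from the proposal above, combined with the "hold and negotiate instead of dropping" request for require-OTR buddies and the rule that the button only ever asks for a private session. The class, method and return-value names are hypothetical; the property it enforces is that nothing typed after the peer ends a session reaches the wire in cleartext without an explicit confirmation.

```python
from dataclasses import dataclass, field
from enum import Enum


class MsgState(Enum):
    PLAINTEXT = "not private"
    ENCRYPTED = "private"


@dataclass
class Conversation:
    """Hypothetical per-buddy model of option (a); 'finished' becomes
    PLAINTEXT plus a peer_ended flag that gates the first cleartext send."""
    require_otr: bool = False
    state: MsgState = MsgState.PLAINTEXT
    peer_ended: bool = False                   # peer closed a session, not re-keyed since
    held: list = field(default_factory=list)   # typed but not yet transmitted
    wire: list = field(default_factory=list)   # (kind, text) tuples actually sent

    def key_exchange_done(self):
        """Key exchange completed: go private and flush held text, encrypted."""
        self.state = MsgState.ENCRYPTED
        self.peer_ended = False
        for text in self.held:
            self.wire.append(("encrypted", text))
        self.held.clear()

    def peer_finished(self):
        """Follow the peer out of the session, but remember that they ended it."""
        if self.state is MsgState.ENCRYPTED:
            self.state = MsgState.PLAINTEXT
            self.peer_ended = True

    def send(self, text):
        if self.state is MsgState.ENCRYPTED:
            self.wire.append(("encrypted", text))
            return "sent-encrypted"
        if self.require_otr:
            # Keep the text and ask for a session instead of dropping it.
            self.held.append(text)
            self.wire.append(("otr-query", ""))
            return "held-negotiating"
        if self.peer_ended:
            # First would-be plaintext after the peer ended: block until confirmed.
            self.held.append(text)
            return "held-needs-confirmation"
        self.wire.append(("plaintext", text))
        return "sent-plaintext"

    def confirm_plaintext(self):
        """User explicitly accepts cleartext; returns how many messages were released."""
        if self.require_otr:
            return 0   # policy forbids cleartext; a confirmation cannot override it
        self.peer_ended = False
        released = len(self.held)
        for text in self.held:
            self.wire.append(("plaintext", text))
        self.held.clear()
        return released

    def click_button(self):
        """The button never ends a session; it only requests a private one."""
        self.wire.append(("otr-query", ""))
        return "otr-query"


def plaintext_on_wire(conv):
    """Every message body that left this client unencrypted."""
    return [text for kind, text in conv.wire if kind == "plaintext"]
```

A buddy who has never had a session ended by the peer is unaffected, so a contact who sometimes logs in with a client that has no OTR support can still be reached in the clear under the opportunistic policy.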
From adam_zimmerman@sfu.ca Fri Mar 16 21:49:13 2007
From: adam_zimmerman@sfu.ca (Adam Zimmerman)
Date: Fri, 16 Mar 2007 13:49:13 -0700
Subject: [OTR-users] default action for otr button when in "other end
finished" state
In-Reply-To:
References:
<20070316114059.GK31195@yoink.cs.uwaterloo.ca>
Message-ID: <1174078153.5444.9.camel@midnight>
On Fri, 2007-16-03 at 19:10 +0100, Paul Wouters wrote:
> I understand your fear of the other end closing OTR, and us automatically
> following suit and accidentally sending something in the clear - though
> that could be avoided by defaulting to "never send something in the clear
> per default if we have an OTR key for this person",
There's an obvious counterexample to that solution, which I've noticed
before. I have an AIM contact who uses Adium most of the time, and in
those conversations, OTR works perfectly. But sometimes (not sure why)
she uses the official AIM client, and so our conversations aren't
protected. Your feature would prevent us from talking when that happens.
> or simply demanding
> a confirmation to send in the clear after the event that the other end
> closed our secure communications.
As long as there's a way to do it without a dialog, that sounds OK. One
of my favourite features of newer gaim-otr versions is that there are
very few dialog boxes to get in the way of my conversations.
--
Adam Zimmerman
CREATIVITY - http://mirrors.creativecommons.org/movingimages/Building_on_the_Past.mpg
ALWAYS - http://www.musiccreators.ca/
BUILDS - http://www.ubuntu.com/
ON THE PAST - http://www.theopencd.org/
--
Q: How many IBM CPU's does it take to execute a job?
A: Four; three to hold it down, and one to rip its head off.
From mangylj@gmail.com Sat Mar 17 18:22:56 2007
From: mangylj@gmail.com (Mange)
Date: Sat, 17 Mar 2007 18:22:56 +0100
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
Message-ID:
Hi,
I've experienced a similar problem as this guy:
http://lists.cypherpunks.ca/pipermail/otr-users/2006-July/000707.html
He is using the AOL protocol, while I'm using Jabber, so it does not
seem to be a problem with the protocol.
Whenever I send my buddy a message through Gaim with OTR on, certain
HTML tags (such as br) get displayed, quotes and other special
characters get HTML-encoded.
It does not seem to be Gaim that is the problem, as this thread from
the Gaim bug list discerns:
https://sourceforge.net/tracker/?func=detail&atid=100235&aid=1667227&group_id=235
I'm using the latest Gaim and gaim-otr-plugin on a Gentoo box.
My buddy is using the latest (0.6.7) Miranda Unicode version on an XP box.
Does anyone else have this problem, and why does it exist? :]
Cheers,
Mange
From ian@cypherpunks.ca Sat Mar 17 21:39:00 2007
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Sat, 17 Mar 2007 16:39:00 -0400
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To:
References:
Message-ID: <20070317203900.GN31195@yoink.cs.uwaterloo.ca>
On Sat, Mar 17, 2007 at 06:22:56PM +0100, Mange wrote:
> Does anyone else have this problem, and why does it exist? :]
It seems that Miranda is doing HTML-parsing before OTR-decoding, instead
of after. The plaintext of OTR messages can contain HTML-esque markup,
so the output of the OTR decryption is what needs to be parsed for tags.
- Ian
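The ordering problem described above, as an added example that is not part of the original message and is not Miranda or libotr code. It assumes a stand-in for OTR that keeps only the "?OTR:" ... "." base64 framing and performs no encryption; all function names are hypothetical and the sample message is constructed.

```python
import base64
import html
import re

OTR_PREFIX = "?OTR:"
TAG_RE = re.compile(r"<[^>]+>")


def toy_otr_encode(plaintext: str) -> str:
    """Stand-in for OTR encryption: base64 framing only, NO confidentiality."""
    body = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return OTR_PREFIX + body + "."


def toy_otr_decode(wire: str) -> str:
    """Stand-in for OTR decryption; non-OTR text passes through unchanged."""
    if not (wire.startswith(OTR_PREFIX) and wire.endswith(".")):
        return wire
    return base64.b64decode(wire[len(OTR_PREFIX):-1]).decode("utf-8")


def render_html(markup: str) -> str:
    """Minimal display step: <br> becomes a newline, other tags are dropped,
    entities such as &quot; are decoded."""
    text = re.sub(r"<br\s*/?>", "\n", markup, flags=re.IGNORECASE)
    text = TAG_RE.sub("", text)
    return html.unescape(text)


def receive_html_first(wire: str) -> str:
    """Wrong order: the HTML step sees only the opaque encoded blob, so the
    markup inside the decrypted plaintext is never interpreted."""
    return toy_otr_decode(render_html(wire))


def receive_otr_first(wire: str) -> str:
    """Right order: decode the OTR layer, then parse the plaintext for tags."""
    return render_html(toy_otr_decode(wire))


# Constructed sample: what a sending client might put inside the OTR payload.
SAMPLE_PLAINTEXT = 'He said &quot;hi&quot;<br>bye'
SAMPLE_WIRE = toy_otr_encode(SAMPLE_PLAINTEXT)
```

With the wrong order the recipient sees the literal `<br>` and `&quot;` sequences, which matches the symptom reported at the start of this thread.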
From mangylj@gmail.com Sun Mar 18 13:24:39 2007
From: mangylj@gmail.com (Mange)
Date: Sun, 18 Mar 2007 13:24:39 +0100
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To:
References:
<20070317203900.GN31195@yoink.cs.uwaterloo.ca>
Message-ID:
Alright.. So the problem lies within the Miranda client or the Miranda
otr-plugin?
> On 3/17/07, Ian Goldberg wrote:
> > On Sat, Mar 17, 2007 at 06:22:56PM +0100, Mange wrote:
> > > Does anyone else have this problem, and why does it exist? :]
> >
> > It seems that Miranda is doing HTML-parsing before OTR-decoding, instead
> > of after. The plaintext of OTR messages can contain HTML-esque markup,
> > so the output of the OTR decryption is what needs to be parsed for tags.
> >
> > - Ian
From ian@cypherpunks.ca Sun Mar 18 17:28:56 2007
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Sun, 18 Mar 2007 12:28:56 -0400
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To:
References: <20070317203900.GN31195@yoink.cs.uwaterloo.ca>
Message-ID: <20070318162856.GO31195@yoink.cs.uwaterloo.ca>
On Sun, Mar 18, 2007 at 01:24:39PM +0100, Mange wrote:
> Alright.. So the problem lies within the Miranda client or the Miranda
> otr-plugin?
Looks like it to me, though I can't tell which.
- Ian
From mail@scottellis.com.au Sun Mar 18 23:52:35 2007
From: mail@scottellis.com.au (Scott Ellis)
Date: Mon, 19 Mar 2007 09:52:35 +1100
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To: <20070318162856.GO31195@yoink.cs.uwaterloo.ca>
References:
<20070317203900.GN31195@yoink.cs.uwaterloo.ca>
<20070318162856.GO31195@yoink.cs.uwaterloo.ca>
Message-ID: <96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
The miranda OTR plugin has the HTML removed from OTR messages, so that's not
the issue.
The miranda AIM plugin removes HTML tags after decryption.
Perhaps your friend needs to update his AIM plugin?
From lostboy.public@gmail.com Mon Mar 19 03:59:35 2007
From: lostboy.public@gmail.com (Stephen Perdue)
Date: Mon, 19 Mar 2007 11:59:35 +0900
Subject: [OTR-users] Is Encryption Limited to Text?
Message-ID:
Greetings all,
Forgive what may seem a too obvious question. I read the OTR web
page top to bottom, browsed the last year of the list archive, and
scanned the less technical parts of the "Why Not To Use PGP" paper.
Can OTR handle any data that's passed through it (e.g. video chat,
file transfer), or is it limited specifically to text chat?
The envisioned scenario is iChat + OTR proxy on an Intel MacBook at
one end and Trillian Pro + OTR plug-in on WinXP at the other, but I'd
welcome any insights outside those conditions as well.
While I'm at it, it looks like two people have reported issues running OTR
Proxy on Intel MacBooks. Has anyone else had issues? Can anyone
report smooth operation?
If OTR is not suitable, any other suggestions for reasonably private
video chat? (I use Skype now but find it a bit flakey.) I have no
expectation of selective attack, just everyday privacy concerns. I
can live without deniability/forgeability since I'm certainly beneath
the interest of anyone with the resources to convincingly forge video.
Thanks for reading my question,
Stephen Perdue
From ian@cypherpunks.ca Mon Mar 19 13:26:59 2007
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Mon, 19 Mar 2007 08:26:59 -0400
Subject: [OTR-users] Is Encryption Limited to Text?
In-Reply-To:
References:
Message-ID: <20070319122659.GA958@thunk.cs.uwaterloo.ca>
On Mon, Mar 19, 2007 at 11:59:35AM +0900, Stephen Perdue wrote:
> Greetings all,
>
> Forgive what may seem a too obvious question. I read the OTR web
> page top to bottom, browsed the last year of the list archive, and
> scanned the less technical parts of the "Why Not To Use PGP" paper.
>
> Can OTR handle any data that's passed through it (e.g. video chat,
> file transfer), or is it limited specifically to text chat?
>
> The envisioned scenario is iChat + OTR proxy on an Intel MacBook at
> one end and Trillian Pro + OTR plug-in on WinXP at the other, but I'd
> welcome any insights outside those conditions as well.
At this time, OTR only protects your IM messages, not video or file
transfer. I believe Paul's trying to get someone to work on file
transfer, but I don't know of anyone working on video. The same
mechanism (use OTR to generate session keys, and encrypt/MAC with them,
publish the MAC key later) would work for both; you may want to rotate
keys now and again for a long video chat. But I have no idea what the
video chat API looks like, since AFAIK, gaim doesn't support it yet.
> While I'm at it, it looks like two people have reported issues running OTR
> Proxy on Intel MacBooks. Has anyone else had issues? Can anyone
> report smooth operation?
Some people reported that the Motorola code had issues on Intel machines
under emulation, but others found it fine. Somebody posted a link to a
native Intel binary, though, if I remember correctly.
> If OTR is not suitable, any other suggestions for reasonably private
> video chat? (I use Skype now but find it a bit flakey.) I have no
> expectation of selective attack, just everyday privacy concerns. I
> can live without deniability/forgeability since I'm certainly beneath
> the interest of anyone with the resources to convincingly forge video.
Back In The Day (the 90's), I used vic for video chat, which supported
at least some encryption (DES at the time). I bet you'd be hard-pressed
to get it to still work today, though.
- Ian
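The mechanism sketched above for file or video data (derive keys from the session, encrypt and MAC each chunk, publish the MAC key later, rotate keys), as an added example that is not part of the original message and is not libotr code. It assumes a shared secret already agreed by the key exchange, an HMAC-SHA256 key derivation and a SHA-256 counter keystream as a stand-in cipher; none of these choices come from the OTR specification, and all names are hypothetical.

```python
import hashlib
import hmac


def derive(secret: bytes, epoch: int, label: bytes) -> bytes:
    """Per-epoch subkey (assumed KDF: HMAC-SHA256 over label and epoch)."""
    return hmac.new(secret, label + epoch.to_bytes(4, "big"), hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); use a vetted cipher in practice."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def tag_for(mac_key: bytes, epoch: int, ciphertext: bytes) -> bytes:
    """MAC over the epoch number and the ciphertext."""
    return hmac.new(mac_key, epoch.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()


def protect_chunk(secret: bytes, epoch: int, chunk: bytes):
    """Sender side: one chunk per epoch, so each key pair is used once."""
    ct = keystream_xor(derive(secret, epoch, b"enc"), chunk)
    return ct, tag_for(derive(secret, epoch, b"mac"), epoch, ct)


class Receiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.retired = set()   # epochs whose MAC key has been published

    def open_chunk(self, epoch: int, ct: bytes, tag: bytes) -> bytes:
        if epoch in self.retired:
            raise ValueError("MAC key for this epoch is public; the tag proves nothing")
        expected = tag_for(derive(self.secret, epoch, b"mac"), epoch, ct)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC")
        return keystream_xor(derive(self.secret, epoch, b"enc"), ct)

    def retire(self, epoch: int) -> bytes:
        """Stop accepting this epoch first, then return its MAC key for publication."""
        self.retired.add(epoch)
        return derive(self.secret, epoch, b"mac")


def accepts(rx: Receiver, epoch: int, ct: bytes, tag: bytes) -> bool:
    """True if the receiver would accept this chunk as authentic."""
    try:
        rx.open_chunk(epoch, ct, tag)
        return True
    except ValueError:
        return False
```

Once an epoch's MAC key is public, anyone can compute a matching tag for any ciphertext, which is why the receiver retires the epoch before the key is handed out; the encryption key for that epoch is derived separately and is not disclosed.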
From senatorfrog@gmail.com Mon Mar 19 21:00:46 2007
From: senatorfrog@gmail.com (Mark Senior)
Date: Mon, 19 Mar 2007 14:00:46 -0600
Subject: [OTR-users] Is Encryption Limited to Text?
In-Reply-To:
References:
Message-ID: <70f230c70703191300t510deae5ib215cf1e1ea1d51c@mail.gmail.com>
On 3/18/07, Stephen Perdue wrote:
> Can OTR handle any data that's passed through it (e.g. video chat,
> file transfer), or is it limited specifically to text chat?
>
You might want to check out zfone. It seems to work well with iChat
voice & video chat. There's no iChat configuration needed for the
proxy piece - it actually uses divert sockets at the firewall layer
(which can lead to puzzling results if you have your own firewall
script).
Note though that it's gratis but not libre - you have to jump
through some silly hoops to get the download, source is unavailable,
and the license doesn't let you redistribute.
Mark
From mangylj@gmail.com Mon Mar 19 22:31:29 2007
From: mangylj@gmail.com (Mang Ylj)
Date: Mon, 19 Mar 2007 22:31:29 +0100
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To: <96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
References:
<20070317203900.GN31195@yoink.cs.uwaterloo.ca>
<20070318162856.GO31195@yoink.cs.uwaterloo.ca>
<96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
Message-ID:
Well, I'm not using AIM at all, I'm using Jabber.
Are you certain that the Miranda OTR plugin removes all the HTML formatting
from OTR messages?
And why do you know this? :]
It would mean that it would be impossible to send formatted text (for
example colored or bold) across an OTR discussion.
On 3/18/07, Scott Ellis wrote:
>
> The miranda OTR plugin has the HTML removed from OTR messages, so that's
> not the issue.
>
> The miranda AIM plugin removes HTML tags after decryption.
>
> Perhaps your friend needs to update his AIM plugin?
>
From readytogo2@freenet.de Tue Mar 20 13:17:13 2007
From: readytogo2@freenet.de (readytogo2)
Date: Tue, 20 Mar 2007 13:17:13 +0100
Subject: [OTR-users] Is Encryption Limited to Text?
In-Reply-To: <20070319122659.GA958@thunk.cs.uwaterloo.ca>
References: <20070319122659.GA958@thunk.cs.uwaterloo.ca>
Message-ID: <45FFD0C9.6060708@freenet.de>
Ian Goldberg wrote:
> At this time, OTR only protects your IM messages, not video or file
> transfer. I believe Paul's trying to get someone to work on file
> transfer, but I don't know of anyone working on video. The same
> mechanism (use OTR to generate session keys, and encrypt/MAC with them,
> publish the MAC key later) would work for both; you may want to rotate
> keys now and again for a long video chat. But I have no idea what the
> video chat API looks like, since AFAIK, gaim doesn't support it yet.
Video chat is not that important (just right now!) imho. But files and
also voice are!
There is currently really no way to have encrypted pc to pc calls for
everyone (Ok, there is Zfone but it is still beta. Beta means really
beta, it's not working very well.). That's really sad. For everyone
means - works for most important operating systems such as windows and
linux, decent and out of the box like gaim/otr.
From mail@scottellis.com.au Thu Mar 22 07:08:58 2007
From: mail@scottellis.com.au (Scott Ellis)
Date: Thu, 22 Mar 2007 17:08:58 +1100
Subject: Fwd: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To: <96e269140703211528y60c3c686g1bfd9b7c94f88a9f@mail.gmail.com>
References:
<20070318162856.GO31195@yoink.cs.uwaterloo.ca>
<96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
<96e269140703191617h2af85e1fod68cd6c46610ab1c@mail.gmail.com>
<96e269140703201515y66935b78r96c3083d9656c37a@mail.gmail.com>
<96e269140703211528y60c3c686g1bfd9b7c94f88a9f@mail.gmail.com>
Message-ID: <96e269140703212308m5b859074j1edeefe2eae54f44@mail.gmail.com>
---------- Forwarded message ----------
From: Scott Ellis
Date: Mar 22, 2007 9:28 AM
Subject: Re: [OTR-users] OTR HTML formatting problem using
Miranda/Gaim/more?
To: Mange
"He is using the AOL protocol, while I'm using Jabber, so it does not
seem to be a problem with the protocol."
Sorry, that sentence from your first post confused me :)
I have forwarded your query to the miranda jabber dev.
From mail@scottellis.com.au Thu Mar 22 07:09:14 2007
From: mail@scottellis.com.au (Scott Ellis)
Date: Thu, 22 Mar 2007 17:09:14 +1100
Subject: Fwd: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To: <96e269140703212307s32f3012g48d17fa67f5739b6@mail.gmail.com>
References:
<20070318162856.GO31195@yoink.cs.uwaterloo.ca>
<96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
<96e269140703191617h2af85e1fod68cd6c46610ab1c@mail.gmail.com>
<96e269140703201515y66935b78r96c3083d9656c37a@mail.gmail.com>
<96e269140703211528y60c3c686g1bfd9b7c94f88a9f@mail.gmail.com>
<96e269140703212307s32f3012g48d17fa67f5739b6@mail.gmail.com>
Message-ID: <96e269140703212309y7152e08cpf6bb657a7faae28f@mail.gmail.com>
His response was:
"It's still a problem of the GAIM's OTR plugin ;-P"
You will generally only notice such problems on Miranda, since Gaim supports
HTML in the message windows, whereas Miranda does not. As far as I know,
even the Jabber protocol specification does not support HTML entities in
messages - only AIM does - so Gaim should be removing these entities before
sending the messages (as it does when OTR is not used).
From mangylj@gmail.com Thu Mar 22 10:38:07 2007
From: mangylj@gmail.com (Mange)
Date: Thu, 22 Mar 2007 10:38:07 +0100
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To: <96e269140703212307s32f3012g48d17fa67f5739b6@mail.gmail.com>
References:
<20070318162856.GO31195@yoink.cs.uwaterloo.ca>
<96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
<96e269140703191617h2af85e1fod68cd6c46610ab1c@mail.gmail.com>
<96e269140703201515y66935b78r96c3083d9656c37a@mail.gmail.com>
<96e269140703211528y60c3c686g1bfd9b7c94f88a9f@mail.gmail.com>
<96e269140703212307s32f3012g48d17fa67f5739b6@mail.gmail.com>
Message-ID:
Hugabuga? :]
I'm seriously confused now.
The guy on the Gaim buglist said:
"Yes, I believe I have seen this before, and that is why I asked about
third-party plugins. Try unloading OTR, and see if the problem is fixed.
If it is, you can take it up with the OTR people.
Ethan"
But if I've understood things right, now the conclusion is:
The problem *is* with the Gaim -client-. Not with the Gaim OTR plugin,
not with Miranda or with the Miranda plugin?
The Gaim client should strip HTML entities from any Jabber message
before it encrypts the message with OTR, and it does not..?
But Gaim *does* strip the HTML properly when OTR is not used...?
(0_o)
On 3/22/07, Scott Ellis wrote:
> His response was:
>
> "It's still a problem of the GAIM's OTR plugin ;-P"
>
> You will generally only notice such problems on Miranda, since Gaim supports HTML in the message windows, whereas Miranda does not. As far as I know, even the Jabber protocol specification does not support HTML entities in messages - only AIM does - so Gaim should be removing these entities before sending the messages (as it does when OTR is not used).
>
From mail@scottellis.com.au Thu Mar 22 13:09:52 2007
From: mail@scottellis.com.au (Scott Ellis)
Date: Thu, 22 Mar 2007 23:09:52 +1100
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To:
References:
<96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
<96e269140703191617h2af85e1fod68cd6c46610ab1c@mail.gmail.com>
<96e269140703201515y66935b78r96c3083d9656c37a@mail.gmail.com>
<96e269140703211528y60c3c686g1bfd9b7c94f88a9f@mail.gmail.com>
<96e269140703212307s32f3012g48d17fa67f5739b6@mail.gmail.com>
Message-ID: <96e269140703220509o5da246dbx9bf992fc876e0f26@mail.gmail.com>
yeah, you have to try to convince everyone to have a look :)
i only know that the problem is not with the miranda OTR plugin - since it
does provide an opportunity for protocol plugins to remove HTML tags, and
this is tried and tested with the implementation used by the miranda
AIMOSCAR plugin
i am tempted to trust the miranda Jabber plugin dev, as i've worked with him
a few times and trust his judgement. he is also the head developer of the
miranda project
the job of the gaim OTR plugin is pretty simple - so my guess is that the
problem is with the gaim client :)
with miranda AIM, the plugin needs to access the messages twice - the
protocol handles the network communications and so has to read the message,
and then pass it through OTR - then it needs to get the message again to
strip HTML before passing it on to the user. the reverse happens when
sending
i don't believe the jabber plugin for miranda does that, because i think
HTML entities in messages are outside of the jabber protocol specification
(someone please correct me if i'm wrong). so the gaim client should be
stripping them before passing them to OTR when sending. i would guess that
even if they are allowed, they would need to be encoded in some way to
appear in the XML that jabber uses - which needs to be done before
encryption - and that's not happening if you're seeing them in miranda
(since miranda is not decoding them).
On 3/22/07, Mange wrote:
>
> Hugabuga? :]
>
> I'm seriously confused now.
>
> The guy on the Gaim buglist said:
>
> "Yes, I believe I have seen this before, and that is why I asked about
> third-party plugins. Try unloading OTR, and see if the problem is fixed.
> If it is, you can take it up with the OTR people.
>
> Ethan"
>
> But if I've understood things right, now the conclusion is:
> The problem *is* with the Gaim -client-. Not with the Gaim OTR plugin,
> not with Miranda or with the Miranda plugin?
>
> The Gaim client should strip HTML entities from any Jabber message
> before it encrypts the message with OTR, and it does not..?
> But Gaim *does* strip the HTML properly when OTR is not used...?
>
> (0_o)
>
> On 3/22/07, Scott Ellis wrote:
> > His response was:
> >
> > "It's still a problem of the GAIM's OTR plugin ;-P"
> >
> > You will generally only notice such problems on Miranda, since Gaim
> > supports HTML in the message windows, whereas Miranda does not. As far as I
> > know, even the Jabber protocol specification does not support HTML entities
> > in messages - only AIM does - so Gaim should be removing these entities
> > before sending the messages (as it does when OTR is not used).
> >
From ian@cypherpunks.ca Thu Mar 22 15:25:26 2007
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Thu, 22 Mar 2007 10:25:26 -0400
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To: <96e269140703220509o5da246dbx9bf992fc876e0f26@mail.gmail.com>
References: <96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com> <96e269140703191617h2af85e1fod68cd6c46610ab1c@mail.gmail.com> <96e269140703201515y66935b78r96c3083d9656c37a@mail.gmail.com> <96e269140703211528y60c3c686g1bfd9b7c94f88a9f@mail.gmail.com> <96e269140703212307s32f3012g48d17fa67f5739b6@mail.gmail.com> <96e269140703220509o5da246dbx9bf992fc876e0f26@mail.gmail.com>
Message-ID: <20070322142526.GE23856@thunk.cs.uwaterloo.ca>
On Thu, Mar 22, 2007 at 11:09:52PM +1100, Scott Ellis wrote:
> i don't believe the jabber plugin for miranda does that, because i think
> HTML entities in messages are outside of the jabber protocol specification
> (someone please correct me if i'm wrong). so the gaim client should be
> stripping them before passing them to OTR when sending. i would guess that
> even if they are allowed, they would need to be encoded in some way to
> appear in the XML that jabber uses - which needs to be done before
> encryption - and that's not happening if you're seeing them in miranda
> (since miranda is not decoding them).
Here's what's happening:
- Jabber messages are composed of two parts: a "marked up" part
(optional) with all the usual HTML bold, font, etc. tags, and a
"plain" part (mandatory) with all that stuff stripped.
- Gaim will strip HTML tags from the message the user composes, and put
the result in the "plain" part, and the original message in the
"marked up" part.
- When OTR is in use, gaim passes the marked up text to OTR for
encryption. OTR outputs the ciphertext, which has no markup.
*This is according to the OTR spec, which says that the plaintext of
messages can have HTML markup in it.* So the same ciphertext gets put
in both the "marked up" and "plain" parts of the Jabber message.
- Miranda only looks at the "plain" part, and (rightly) doesn't expect
it to contain markup. It passes the ciphertext to OTR for decryption,
but then fails to take into account that OTR plaintext *is* allowed to
contain markup. If it really doesn't want to display the markup,
it'll need to use the same function the Miranda AIM plugin uses to
remove the markup from the plaintext before displaying it.
So it seems the solution is for the Miranda OTR plugin to strip HTML
tags from the decrypted plaintext for those protocols that don't want to
handle them; from what I understand, it already does that for AIM (with
the cooperation of the AIM plugin), so either convince the Jabber plugin
to do the same thing, or just have the OTR plugin automatically do it.
Hope that clears things up,
- Ian
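The fix described in the message above, stripping markup from decrypted OTR plaintext before a plain-text client displays it, as an added C example (not code from the Miranda OTR plugin, gaim-otr or libotr). `strip_markup` and `plain_for_display` are hypothetical names, the sample message is constructed, and the sender is assumed to have escaped literal `<` and `&` as entities.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Entities this example decodes; any other "&...;" is copied unchanged. */
static const struct { const char *name; char ch; } ENTITIES[] = {
    { "&amp;", '&' }, { "&lt;", '<' }, { "&gt;", '>' },
    { "&quot;", '"' }, { "&apos;", '\'' },
};

/* s points at the '<' of a complete tag; true for <br>, <BR/>, <br />. */
static int is_br_tag(const char *s)
{
    return tolower((unsigned char)s[1]) == 'b' &&
           tolower((unsigned char)s[2]) == 'r' &&
           (s[3] == '>' || s[3] == '/' || s[3] == ' ');
}

/*
 * Hypothetical helper, not a libotr or Miranda function. Copies `in` to
 * `out` (capacity `cap`) with tags dropped, <br> turned into '\n' and the
 * entities above decoded. The input is scanned once, so characters produced
 * by decoding are never re-read as markup: "&lt;b&gt;" stays a literal "<b>".
 * Returns the output length, or (size_t)-1 with `out` emptied if it is too
 * small, so a truncated message is never shown.
 */
size_t strip_markup(const char *in, char *out, size_t cap)
{
    size_t n = 0, i;
    if (cap == 0) return (size_t)-1;
    while (*in) {
        char c = *in;
        size_t adv = 1;
        int emit = 1;
        if (c == '<') {
            const char *end = strchr(in, '>');
            if (end) {                 /* complete tag: drop it or emit '\n' */
                emit = is_br_tag(in);
                c = '\n';
                adv = (size_t)(end - in) + 1;
            }                          /* a lone '<' is kept as text */
        } else if (c == '&') {
            for (i = 0; i < sizeof ENTITIES / sizeof ENTITIES[0]; i++) {
                size_t len = strlen(ENTITIES[i].name);
                if (strncmp(in, ENTITIES[i].name, len) == 0) {
                    c = ENTITIES[i].ch;
                    adv = len;
                    break;
                }
            }
        }
        if (emit) {
            if (n + 1 >= cap) {        /* no room for c plus the NUL */
                out[0] = '\0';
                return (size_t)-1;
            }
            out[n++] = c;
        }
        in += adv;
    }
    out[n] = '\0';
    return n;
}

/* What a plain-text message window would be given after OTR decryption. */
const char *plain_for_display(const char *decrypted)
{
    static char buf[512];
    return strip_markup(decrypted, buf, sizeof buf) == (size_t)-1 ? NULL : buf;
}

int main(void)
{
    /* Constructed sample of marked-up OTR plaintext. */
    const char *msg = "<FONT COLOR=\"#ff0000\"><B>hello</B></FONT><BR>1 &lt; 2";
    puts(plain_for_display(msg));
    return 0;
}
```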
From mail@scottellis.com.au Thu Mar 22 16:58:06 2007
From: mail@scottellis.com.au (Scott Ellis)
Date: Fri, 23 Mar 2007 02:58:06 +1100
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To: <20070322142526.GE23856@thunk.cs.uwaterloo.ca>
References: <96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
<96e269140703191617h2af85e1fod68cd6c46610ab1c@mail.gmail.com>
<96e269140703201515y66935b78r96c3083d9656c37a@mail.gmail.com>
<96e269140703211528y60c3c686g1bfd9b7c94f88a9f@mail.gmail.com>
<96e269140703212307s32f3012g48d17fa67f5739b6@mail.gmail.com>
<96e269140703220509o5da246dbx9bf992fc876e0f26@mail.gmail.com>
<20070322142526.GE23856@thunk.cs.uwaterloo.ca>
Message-ID: <96e269140703220858r419854bbpc39e1e11b2e2eb33@mail.gmail.com>
Nope :)
I posted on the dev list.
From mangylj@gmail.com Thu Mar 22 20:08:13 2007
From: mangylj@gmail.com (Mange)
Date: Thu, 22 Mar 2007 20:08:13 +0100
Subject: [OTR-users] OTR HTML formatting problem using Miranda/Gaim/more?
In-Reply-To: <96e269140703220858r419854bbpc39e1e11b2e2eb33@mail.gmail.com>
References: <96e269140703181552r36b9a87dp15e84c0c72ecca39@mail.gmail.com>
<96e269140703201515y66935b78r96c3083d9656c37a@mail.gmail.com>
<96e269140703211528y60c3c686g1bfd9b7c94f88a9f@mail.gmail.com>
<96e269140703212307s32f3012g48d17fa67f5739b6@mail.gmail.com>
<96e269140703220509o5da246dbx9bf992fc876e0f26@mail.gmail.com>
<20070322142526.GE23856@thunk.cs.uwaterloo.ca>
<96e269140703220858r419854bbpc39e1e11b2e2eb33@mail.gmail.com>
Message-ID:
Well, alright.. I sort of understood 4/9 of all that, but I suppose
it's a cracking issue now. :]
Ty for all the info and help.
From kiki9@gmx.net Wed Mar 28 20:54:36 2007
From: kiki9@gmx.net (Franz Bayer)
Date: Wed, 28 Mar 2007 21:54:36 +0200
Subject: [OTR-users] Authentication question
Message-ID: <20070328195436.121960@gmx.net>
hi,
is there a way to make sure that the one im chatting with is really the person i want to talk to? how to find out if someone other than him is sitting at his pc?
with pgp or gnupg i can be sure cause only he can enter the right private key password. is there a password or something like this in otr too?
also i have seen that the private key is stored in /home/me/.gaim just in clear text format. is this a security risk? how often is it changed (in case of trojan e.g.) ?
thanks for answers!
greets kiki9
From ian@cypherpunks.ca Wed Mar 28 23:26:52 2007
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Wed, 28 Mar 2007 18:26:52 -0400
Subject: [OTR-users] Authentication question
In-Reply-To: <20070328195436.121960@gmx.net>
References: <20070328195436.121960@gmx.net>
Message-ID: <20070328222652.GR5791@yoink.cs.uwaterloo.ca>
On Wed, Mar 28, 2007 at 09:54:36PM +0200, Franz Bayer wrote:
> hi,
>
> is there a way to make sure that the one im chatting with is really
> the person i want to talk to? how to find out if someone other than
> him is sitting at his pc?
>
> with pgp or gnupg i can be sure cause only he can enter the right
> private key password. is there a password or something like this in
> otr too?
>
> also i have seen that the private key is stored in /home/me/.gaim just
> in clear text format. is this a security risk? how often is it changed
> (in case of trojan e.g.) ?
Right now, it's assumed that your computer is secure from things like
trojans. If it's not, you're hosed no matter what you do. Changing or
encrypting keys can't protect you.
Optionally encrypting the otr files is something we're thinking about,
but it has to be optional, and off by default.
Without serious client-side support like proximity sensors and RFID
tags, you're unlikely to be able to tell when the "real" user wanders
away from his machine, and someone else wanders up to it, of course. ;-)
- Ian
From metal_gandalf@web.de Fri Mar 30 15:19:02 2007
From: metal_gandalf@web.de (Bastian Modauer)
Date: Fri, 30 Mar 2007 16:19:02 +0200
Subject: [OTR-users] Miranda-OTR-Plugin and ICQ-OTR-Proxy?
Message-ID: <638558906@web.de>
hey @ all
i have two icq-accounts:
one is running with miranda + otr-plugin on my laptop.
the other is running on my pc with icq 5.1 + otr-proxy.
if i want to start a private connection with these both accounts,
i only get a failure-message.
if i now run the first account with icq 5.1 + otr-proxy too,
the private connections works fine.
icq + proxy <---> icq + proxy = works
miranda + plugin <---> miranda + plugin = works
icq + proxy <---> miranda + plugin = doesn't work
it seems like the otr-proxy for icq and the otr-plugin for miranda
aren't compatible?!
or am i just doing something wrong?
now i have to run miranda with the otr-proxy,
although there is a smart plugin for it?!?!?
i mean the otr-plugin for miranda is much easier to install and run
as the otr-proxy, where i have to set the proxy and let the otr-proxy-window
open (or minimized in the taskbar).
(miranda-plugin: http://addons.miranda-im.org/details.php?action=viewfile&id=2644
otr-proxy is from the cypherpunks-homepage)
it's really annoying...
i hope that somebody can help me or just give me the reason why it doesn't work :(
From marti@juffo.org Sat Mar 31 00:28:20 2007
From: marti@juffo.org (Marti Raudsepp)
Date: Sat, 31 Mar 2007 02:28:20 +0300
Subject: [OTR-users] Miranda-OTR-Plugin and ICQ-OTR-Proxy?
In-Reply-To: <638558906@web.de>
References: <638558906@web.de>
Message-ID: <2a12af650703301628o425f3993j28a157beb35693ba@mail.gmail.com>
On 3/30/07, Bastian Modauer wrote:
> it seems like the otr-proxy for icq and the otr-plugin for miranda
> aren't compatible?!
Should work by all means.
> if i want to start a private connection with these both accounts,
> i only get a failure-message.
Well, what's the message?
Marti
From metal_gandalf@web.de Sat Mar 31 03:37:57 2007
From: metal_gandalf@web.de (Bastian Modauer)
Date: Sat, 31 Mar 2007 04:37:57 +0200
Subject: [OTR-users] Miranda-OTR-Plugin and ICQ-OTR-Proxy?
Message-ID: <639281218@web.de>
>> it seems like the otr-proxy for icq and the otr-plugin for miranda
>> aren't compatible?!
> Should work by all means.
>> if i want to start a private connection with these both accounts,
>> i only get a failure-message.
> Well, what's the message?
type a message in miranda's conversation-window ("test" or something else) and send it,
then it appears in icq 5.1, but the otr-proxy at the icq-pc doesn't show any private connection.
so i think this message isn't encrypted.
type a message in icq's conversation-window and send it,
then it appears in miranda, but in icq it throws a message like this:
"?OTR:AAICAAAAxElr3FDowie0iaHsxQKuNUhunCZmgrk3t7SNrTH6G49nPIoWKnzJYDL6JY7t8wjgDyVTTt5Y52zFjN2v0w7ImX6agI3ll/CX8Coj7e/iH2//QUQPIxhkVCzYGIYznmXqUCPO9GD10rMc9HINTn+IShNC7lsIJEBjdeRST08f6YAHB8dJ9PgiMr0DNcTesUDmOCHqfYpX6EB9Pm1yB6cSvYAo516vIEOL18/iNF9bvITnfMQ9Ae2CExG8r5sSPOkkOP0CjwoAAAAgZFO8xkhzzjU8G13EJjDAHqz4bAuiqGgcQP8p7LIJyJw=."
the same behaviour, when i doubleclick the miranda-contact-number in the otr-proxy-window at the icq-pc
and click "start private connection".
miranda's otr-plugin is set to "opportunistic".
icq's otr-proxy is set to "enable private messaging" and "automatically initiate..." (i think it's the same as opportunistic?!)
i have tried to disable "automatically...".
the messages aren't encrypted (so it's just a normal dialog) and when i click on "start private connection" it throws this "?OTR:..." again.