From alexander.buchner at gmx.de Fri May 2 08:42:44 2008
From: alexander.buchner at gmx.de (Alexander Buchner)
Date: Fri, 02 May 2008 14:42:44 +0200
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
Message-ID: <481B0C44.7050804@gmx.de>

Hi,

I'm new to the mailing list and I don't know if/how I can reply to an existing thread.
My problem looks like the same problem that was posted here http://lists.cypherpunks.ca/pipermail/otr-users/2008-April/001273.html.
Today I exchanged 20 or so messages with a friend before I noticed, that no private conversation was initiated. By manually starting the OTR-session, this works fine, but not automatically.
In my global OTR Settings [X] Automatically initiate private messaging is activated and with this friend I use the standard options.
I know that I can activate "Require private messaging" per buddy, but this is quite annoying if one has to do this for 15-20 people. I can't globally set this option, because there are people on my ContactList, who can't encrypt with OTR.
Is this a known bug? What could go wrong?

My system:
Windows XP SP 3, Pidgin 2.4.1, OTR 3.1.0

My friend's system
Windows XP SP 2, Pidgin 2.4.1, OTR 3.1.0

Alexander

--
My public PGP key: http://www.rzuser.uni-heidelberg.de/~abuchner/pgp.asc

From ian at cypherpunks.ca Fri May 2 21:35:20 2008
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 2 May 2008 21:35:20 -0400
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <481B0C44.7050804@gmx.de>
References: <481B0C44.7050804@gmx.de>
Message-ID: <20080503013520.GE6425@yoink.cs.uwaterloo.ca>

On Fri, May 02, 2008 at 02:42:44PM +0200, Alexander Buchner wrote:
> Hi,
>
> I'm new to the mailing list and I don't know if/how I can reply to an
> existing thread.
> My problem looks like the same problem that was posted here
> http://lists.cypherpunks.ca/pipermail/otr-users/2008-April/001273.html.
> Today I exchanged 20 or so messages with a friend before I noticed, that no
> private conversation was initiated. By manually starting the OTR-session,
> this works fine, but not automatically.
> In my global OTR Settings [X] Automatically initiate private messaging is
> activated and with this friend I use the standard options.
> I know that I can activate "Require private messaging" per buddy, but this
> is quite annoying if one has to do this for 15-20 people. I can't globally
> set this option, because there are people on my ContactList, who can't
> encrypt with OTR.
> Is this a known bug? What could go wrong?
>
> My system:
> Windows XP SP 3, Pidgin 2.4.1, OTR 3.1.0
>
> My friend's system
> Windows XP SP 2, Pidgin 2.4.1, OTR 3.1.0

Could you possibly capture the raw incoming and outgoing packets? What
IM network are you using?

Thanks,

   - Ian

From alexander.buchner at gmx.de Sat May 3 04:37:20 2008
From: alexander.buchner at gmx.de (Alexander Buchner)
Date: Sat, 03 May 2008 10:37:20 +0200
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <20080503013520.GE6425@yoink.cs.uwaterloo.ca>
References: <481B0C44.7050804@gmx.de> <20080503013520.GE6425@yoink.cs.uwaterloo.ca>
Message-ID: <481C2440.2090403@gmx.de>

It's the jabber/xmpp network. Since I have no experience in packet capturing, I googled a bit. Can I use "Wireshark" to capture the packets in the way you would like to see them? I hope so, it looks simple. When my friend comes online, I will capture the packages.

In which way should I provide the data in eMails to mailing lists? Are normal attachments ok, or pasted as text into the eMail?

Alexander

Ian Goldberg wrote:
> On Fri, May 02, 2008 at 02:42:44PM +0200, Alexander Buchner wrote:
>> Hi,
>>
>> I'm new to the mailing list and I don't know if/how I can reply to an
>> existing thread.
>> My problem looks like the same problem that was posted here
>> http://lists.cypherpunks.ca/pipermail/otr-users/2008-April/001273.html.
>> Today I exchanged 20 or so messages with a friend before I noticed, that no
>> private conversation was initiated. By manually starting the OTR-session,
>> this works fine, but not automatically.
>> In my global OTR Settings [X] Automatically initiate private messaging is
>> activated and with this friend I use the standard options.
>> I know that I can activate "Require private messaging" per buddy, but this
>> is quite annoying if one has to do this for 15-20 people. I can't globally
>> set this option, because there are people on my ContactList, who can't
>> encrypt with OTR.
>> Is this a known bug? What could go wrong?
>>
>> My system:
>> Windows XP SP 3, Pidgin 2.4.1, OTR 3.1.0
>>
>> My friend's system
>> Windows XP SP 2, Pidgin 2.4.1, OTR 3.1.0
>
> Could you possibly capture the raw incoming and outgoing packets? What
> IM network are you using?
>
> Thanks,
>
> - Ian

--
My public PGP key: http://www.rzuser.uni-heidelberg.de/~abuchner/pgp.asc

From alexander.buchner at gmx.de Sat May 3 05:51:56 2008
From: alexander.buchner at gmx.de (Alexander Buchner)
Date: Sat, 03 May 2008 11:51:56 +0200
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <481C2440.2090403@gmx.de>
References: <481B0C44.7050804@gmx.de> <20080503013520.GE6425@yoink.cs.uwaterloo.ca> <481C2440.2090403@gmx.de>
Message-ID: <481C35BC.1020404@gmx.de>

Now I captured the packages.
The output is at http://www.rzuser.uni-heidelberg.de/~abuchner/otr.txt

I hope I did that right and you can help me better now.

Alexander

Alexander Buchner wrote:
> It's the jabber/xmpp network. Since I have no experience in packet
> capturing, I googled a bit. Can I use "Wireshark" to capture the packets
> in the way you would like to see them? I hope so, it looks simple. When
> my friend comes online, I will capture the packages.
>
> In which way should I provide the data in eMails to mailing lists? Are
> normal attachments ok, or pasted as text into the eMail?
>
> Alexander
>
> Ian Goldberg wrote:
>> On Fri, May 02, 2008 at 02:42:44PM +0200, Alexander Buchner wrote:
>>> Hi,
>>>
>>> I'm new to the mailing list and I don't know if/how I can reply to an
>>> existing thread.
>>> My problem looks like the same problem that was posted here
>>> http://lists.cypherpunks.ca/pipermail/otr-users/2008-April/001273.html.
>>> Today I exchanged 20 or so messages with a friend before I noticed,
>>> that no private conversation was initiated. By manually starting the
>>> OTR-session, this works fine, but not automatically.
>>> In my global OTR Settings [X] Automatically initiate private
>>> messaging is activated and with this friend I use the standard options.
>>> I know that I can activate "Require private messaging" per buddy, but
>>> this is quite annoying if one has to do this for 15-20 people. I
>>> can't globally set this option, because there are people on my
>>> ContactList, who can't encrypt with OTR.
>>> Is this a known bug? What could go wrong?
>>>
>>> My system:
>>> Windows XP SP 3, Pidgin 2.4.1, OTR 3.1.0
>>>
>>> My friend's system
>>> Windows XP SP 2, Pidgin 2.4.1, OTR 3.1.0
>>
>> Could you possibly capture the raw incoming and outgoing packets? What
>> IM network are you using?
>>
>> Thanks,
>>
>> - Ian
>

--
My public PGP key: http://www.rzuser.uni-heidelberg.de/~abuchner/pgp.asc

From ian at cypherpunks.ca Sat May 3 17:45:30 2008
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Sat, 3 May 2008 17:45:30 -0400
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <481C35BC.1020404@gmx.de>
References: <481B0C44.7050804@gmx.de> <20080503013520.GE6425@yoink.cs.uwaterloo.ca> <481C2440.2090403@gmx.de> <481C35BC.1020404@gmx.de>
Message-ID: <20080503214530.GG6425@yoink.cs.uwaterloo.ca>

On Sat, May 03, 2008 at 11:51:56AM +0200, Alexander Buchner wrote:
> Now I captured the packages. The output is at
> http://www.rzuser.uni-heidelberg.de/~abuchner/otr.txt
>
> I hope I did that right and you can help me better now.

Unfortunately, Jabber connections are TLS-encrypted by default, so I
can't see what's going on. :-(

Try running "pidgin -d"; I believe that will output a lot of useful
information, Jabber-wise.

   - Ian

From esurnir at gmail.com Sat May 3 17:51:30 2008
From: esurnir at gmail.com (Jean-Baptiste Zeller)
Date: Sat, 03 May 2008 17:51:30 -0400
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <20080503214530.GG6425@yoink.cs.uwaterloo.ca>
References: <481B0C44.7050804@gmx.de> <20080503013520.GE6425@yoink.cs.uwaterloo.ca> <481C2440.2090403@gmx.de> <481C35BC.1020404@gmx.de> <20080503214530.GG6425@yoink.cs.uwaterloo.ca>
Message-ID: <481CDE62.6010500@gmail.com>

Ian Goldberg wrote:
> On Sat, May 03, 2008 at 11:51:56AM +0200, Alexander Buchner wrote:
>> Now I captured the packages.
>> The output is at
>> http://www.rzuser.uni-heidelberg.de/~abuchner/otr.txt
>>
>> I hope I did that right and you can help me better now.
>
> Unfortunately, Jabber connections are TLS-encrypted by default, so I
> can't see what's going on. :-(
>
> Try running "pidgin -d"; I believe that will output a lot of useful
> information, Jabber-wise.
>
> - Ian

Even simpler,

Run Pidgin with the debug window open and save the debug log. Pidgin DOES make every message it sends and receives appear (save password information).

- Jean-Baptiste Zeller

From alexander.buchner at gmx.de Sun May 4 05:30:09 2008
From: alexander.buchner at gmx.de (Alexander Buchner)
Date: Sun, 04 May 2008 11:30:09 +0200
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <481CDE62.6010500@gmail.com>
References: <481B0C44.7050804@gmx.de> <20080503013520.GE6425@yoink.cs.uwaterloo.ca> <481C2440.2090403@gmx.de> <481C35BC.1020404@gmx.de> <20080503214530.GG6425@yoink.cs.uwaterloo.ca> <481CDE62.6010500@gmail.com>
Message-ID: <481D8221.6060702@gmx.de>

Hi again,

here is the output of Pidgin's debug window while sending some messages to my friend: http://www.rzuser.uni-heidelberg.de/~abuchner/purple-debug.log.
This time one can see the messages as plain text.
Do these logs help you?

Alexander

Jean-Baptiste Zeller wrote:
> Ian Goldberg wrote:
>> On Sat, May 03, 2008 at 11:51:56AM +0200, Alexander Buchner wrote:
>>> Now I captured the packages. The output is at
>>> http://www.rzuser.uni-heidelberg.de/~abuchner/otr.txt
>>>
>>> I hope I did that right and you can help me better now.
>>
>> Unfortunately, Jabber connections are TLS-encrypted by default, so I
>> can't see what's going on. :-(
>>
>> Try running "pidgin -d"; I believe that will output a lot of useful
>> information, Jabber-wise.
>>
>> - Ian
> Even simpler,
>
> Run Pidgin with the debug window open and save the debug log. Pidgin DOES
> make every message it sends and receives appear (save password information).
>
> - Jean-Baptiste Zeller

--
My public PGP key: http://www.rzuser.uni-heidelberg.de/~abuchner/pgp.asc

From ian at cypherpunks.ca Sun May 4 12:22:02 2008
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Sun, 4 May 2008 12:22:02 -0400
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <481D8221.6060702@gmx.de>
References: <481B0C44.7050804@gmx.de> <20080503013520.GE6425@yoink.cs.uwaterloo.ca> <481C2440.2090403@gmx.de> <481C35BC.1020404@gmx.de> <20080503214530.GG6425@yoink.cs.uwaterloo.ca> <481CDE62.6010500@gmail.com> <481D8221.6060702@gmx.de>
Message-ID: <20080504162202.GL6425@yoink.cs.uwaterloo.ca>

On Sun, May 04, 2008 at 11:30:09AM +0200, Alexander Buchner wrote:
> Hi again,
>
> here is the output of Pidgin's debug window while sending some messages to
> my friend: http://www.rzuser.uni-heidelberg.de/~abuchner/purple-debug.log.
> This time one can see the messages as plain text.
> Do these logs help you?

Perfect. It shows that your end is properly sending the whitespace tag
that should trigger the other end into starting OTR. (See the "Test"
message.)

Can you do the same thing again, but capture both sides at once?
Your buddy checked the per-buddy configuration on his/her side as well?

Thanks,

   - Ian

From esurnir at gmail.com Sun May 4 12:35:16 2008
From: esurnir at gmail.com (Jean-Baptiste Zeller)
Date: Sun, 04 May 2008 12:35:16 -0400
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <20080504162202.GL6425@yoink.cs.uwaterloo.ca>
References: <481B0C44.7050804@gmx.de> <20080503013520.GE6425@yoink.cs.uwaterloo.ca> <481C2440.2090403@gmx.de> <481C35BC.1020404@gmx.de> <20080503214530.GG6425@yoink.cs.uwaterloo.ca> <481CDE62.6010500@gmail.com> <481D8221.6060702@gmx.de> <20080504162202.GL6425@yoink.cs.uwaterloo.ca>
Message-ID: <481DE5C4.4060302@gmail.com>

Ian Goldberg wrote:
> On Sun, May 04, 2008 at 11:30:09AM +0200, Alexander Buchner wrote:
>> Hi again,
>>
>> here is the output of Pidgin's debug window while sending some messages to
>> my friend: http://www.rzuser.uni-heidelberg.de/~abuchner/purple-debug.log.
>> This time one can see the messages as plain text.
>> Do these logs help you?
>
> Perfect. It shows that your end is properly sending the whitespace tag
> that should trigger the other end into starting OTR. (See the "Test"
> message.)
>
> Can you do the same thing again, but capture both sides at once? Your
> buddy checked the per-buddy configuration on his/her side as well?
>
> Thanks,
>
> - Ian

Perhaps it would be good in the future to have off the record be a bit more talkative in terms of the pidgin debug log in the future. Like showing when does it initialise, because sometimes, it seems to take a bit of time before the plugin finally catches up that it must start working.
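
[Added example, not part of the original thread and not libotr or Pidgin code: a check for the whitespace tag Ian mentions above, run over XMPP message stanzas such as those a debug log shows, to tell "offer sent but never answered" (messages keep going out in the clear) from a working handshake. The tag byte values are those of the OTR protocol specification for versions 1 and 2; the function names and the sample stanzas are constructed for illustration.]

```python
"""Added example: find OTR offers in XMPP message stanzas from a debug log."""
import xml.etree.ElementTree as ET

# Whitespace tag values from the OTR protocol specification: a 16-byte base
# tag of spaces and tabs, then one 8-byte tag per protocol version offered.
BASE_TAG = ("\x20\x09\x20\x20\x09\x09\x09\x09"
            "\x20\x09\x20\x09\x20\x09\x20\x20")
TAG_V1 = "\x20\x09\x20\x09\x20\x20\x09\x20"
TAG_V2 = "\x20\x20\x09\x09\x20\x20\x09\x20"
VERSION_TAGS = {TAG_V1: 1, TAG_V2: 2}


def offered_versions(body):
    """Return the sorted OTR versions offered by a whitespace tag in body.

    Returns [] when there is no base tag, and also when the base tag is not
    followed by a recognised version tag (nothing a peer could act on).
    """
    start = body.find(BASE_TAG)
    if start < 0:
        return []
    pos = start + len(BASE_TAG)
    versions = set()
    while body[pos:pos + 8] in VERSION_TAGS:
        versions.add(VERSION_TAGS[body[pos:pos + 8]])
        pos += 8
    return sorted(versions)


def classify(body):
    """Label a message body by the role it plays in OTR session setup."""
    if body.startswith("?OTR:"):
        return "otr-encoded"        # base64-encoded OTR protocol message
    if body.startswith("?OTR?") or body.startswith("?OTRv"):
        return "otr-query"          # explicit request to start OTR
    if offered_versions(body):
        return "tagged-plaintext"   # readable text carrying a silent offer
    return "plaintext"


def diagnose(stanzas):
    """Summarise a capture given as (direction, stanza_xml) pairs.

    direction is "out" or "in"; stanzas without a <body> are ignored.
    """
    offer_sent = False
    for direction, xml_text in stanzas:
        body = ET.fromstring(xml_text).findtext("body")
        if body is None:
            continue
        kind = classify(body)
        if direction == "out" and kind in ("tagged-plaintext", "otr-query"):
            offer_sent = True
        elif direction == "in" and kind == "otr-encoded" and offer_sent:
            return "peer answered the OTR offer"
    if offer_sent:
        return "offer sent, peer never answered: check the peer's per-buddy OTR settings"
    return "no OTR offer sent: check the local OTR settings"


def _msg(body):
    """Build a constructed, namespace-free <message> stanza for the samples."""
    return "<message type='chat'><body>" + body + "</body></message>"


# Constructed sample captures (not taken from the logs linked in the thread).
SAMPLE_ONE_SIDED = [
    ("out", _msg("Test" + BASE_TAG + TAG_V1 + TAG_V2)),
    ("in", "<presence/>"),
    ("in", _msg("Got your test")),
]
SAMPLE_ANSWERED = [
    ("out", _msg("Test" + BASE_TAG + TAG_V1 + TAG_V2)),
    ("in", _msg("?OTR:constructed-placeholder-payload.")),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ONE_SIDED))
    print(diagnose(SAMPLE_ANSWERED))
```
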
From alexander.buchner at gmx.de Sun May 4 18:13:54 2008
From: alexander.buchner at gmx.de (Alexander Buchner)
Date: Mon, 05 May 2008 00:13:54 +0200
Subject: [OTR-users] "Automatically initiate private messaging" doesn't work
In-Reply-To: <20080504162202.GL6425@yoink.cs.uwaterloo.ca>
References: <481B0C44.7050804@gmx.de> <20080503013520.GE6425@yoink.cs.uwaterloo.ca> <481C2440.2090403@gmx.de> <481C35BC.1020404@gmx.de> <20080503214530.GG6425@yoink.cs.uwaterloo.ca> <481CDE62.6010500@gmail.com> <481D8221.6060702@gmx.de> <20080504162202.GL6425@yoink.cs.uwaterloo.ca>
Message-ID: <481E3522.90506@gmx.de>

Sorry, it's kind of weird. The situation is like this: I know my friend's ICQ and Jabber Account. Both are in my contact list and I "melted" them per "Expand"-Command. He did the same with my two Accounts, but we both had a different order. For me his "main account" (the upper one) was his Jabber, and vice versa.

And here is the problem. When you rightclick on a "bundled" Contact, I think you know what I mean, and select "OTR-Settings" only the main account will be affected. So he didn't look up his OTR-settings for my jabber but for my ICQ account. Can you follow me?

In our last test he noticed, that my Jabber account had different OTR-Settings, "Automatically initiate..." was deactivated. After he activated this option, everything worked fine. So we went back and put the options as they were to produce the log for you but we couldn't reproduce the scenario. The OTR encryption always kicked in immediately.

Actually I think his client should have responded to my OTR-Request, independently from his option "Automatically initiate...". It didn't but we can't reproduce for now. I'm sorry.

But you should think about the rightclick->OTR-Settings problem. The settings one edits should be applied for ALL Accounts under this "meta-account", not only the most upper one. Am I right?

Alexander

Ian Goldberg wrote:
> On Sun, May 04, 2008 at 11:30:09AM +0200, Alexander Buchner wrote:
>> Hi again,
>>
>> here is the output of Pidgin's debug window while sending some messages to
>> my friend: http://www.rzuser.uni-heidelberg.de/~abuchner/purple-debug.log.
>> This time one can see the messages as plain text.
>> Do these logs help you?
>
> Perfect. It shows that your end is properly sending the whitespace tag
> that should trigger the other end into starting OTR. (See the "Test"
> message.)
>
> Can you do the same thing again, but capture both sides at once? Your
> buddy checked the per-buddy configuration on his/her side as well?
>
> Thanks,
>
> - Ian

--
My public PGP key: http://www.rzuser.uni-heidelberg.de/~abuchner/pgp.asc

From js-otrim at webkeks.org Sat May 10 07:59:49 2008
From: js-otrim at webkeks.org (Jonathan Schleifer)
Date: Sat, 10 May 2008 13:59:49 +0200
Subject: [OTR-users] Stronger crypto?
Message-ID: <20080510135949.67ab1f75@webkeks.org>

Hi!

I looked at the specification of the OTR protocol and have a few suggestions.

First: Why not move from AES128-CTR to AES256-CBC? It only needs a few cycles more, but provides stronger crypto. Shouldn't be a problem, even on slower machines.

Second: Why not increase the public/private key to 4096 bit? DSA2 can handle that. And since that key isn't generated every 5 minutes, performance on slow machines shouldn't be an issue here either.

I haven't read the whole specification, only had a quick look at it, so feel free to correct me if I've missed something.

I'd welcome it if there'd be a new OTR version providing stronger crypto.

--
Jonathan

From michael_reichenbach at freenet.de Sat May 10 09:27:45 2008
From: michael_reichenbach at freenet.de (Michael Reichenbach)
Date: Sat, 10 May 2008 15:27:45 +0200
Subject: [OTR-users] Stronger crypto?
In-Reply-To: <20080510135949.67ab1f75@webkeks.org>
References: <20080510135949.67ab1f75@webkeks.org>
Message-ID: <4825A2D1.7060106@freenet.de>

Jonathan Schleifer wrote:
> Hi!
>
> I looked at the specification of the OTR protocol and have a few
> suggestions.
>
> First: Why not move from AES128-CTR to AES256-CBC? It only needs a few
> cycles more, but provides stronger crypto. Shouldn't be a problem, even
> on slower machines.
>
> Second: Why not increase the public/private key to 4096 bit? DSA2 can
> handle that. And since that key isn't generated every 5 minutes,
> performance on slow machines shouldn't be an issue here either.
>
> I haven't read the whole specification, only had a quick look at it, so
> feel free to correct me if I've missed something.
>
> I'd welcome it if there'd be a new OTR version providing stronger crypto.
>

I can second this and would like to see strongest cryptography. Instead of AES128 or AES256 a cascade with AES256-Twofish-Serpent could be used.

From gmaxwell at gmail.com Sat May 10 12:38:30 2008
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Sat, 10 May 2008 12:38:30 -0400
Subject: [OTR-users] Stronger crypto?
In-Reply-To: <4825A2D1.7060106@freenet.de>
References: <20080510135949.67ab1f75@webkeks.org> <4825A2D1.7060106@freenet.de>
Message-ID:

On Sat, May 10, 2008 at 9:27 AM, Michael Reichenbach wrote:
>> First: Why not move from AES128-CTR to AES256-CBC? It only needs a few
>> cycles more, but provides stronger crypto. Shouldn't be a problem, even
>> on slower machines.
[snip]
> I can second this and would like to see strongest cryptography.
> Instead of
> AES128 or AES256 a cascade with AES256-Twofish-Serpent could be used.

The need to have a counter-mode cypher stems from the desire to preserve blind modification, one of OTR's features.

OTR intentionally releases the authentication keys after a message is received, with these keys in hand you can blindly modify message ... For example if you think it's very likely that someone wrote "I'd like to meet John" you can flip the bits to make it say "I'd like to kill John", even without the encryption keys. This property requires a counter mode cipher.

Because the system, properly, has an IV which is unique per key a counter mode cipher should be equally secure unless AES is broken. ... but if AES is broken we have bigger problems than the difference between CTR and CBC mode.

> Second: Why not increase the public/private key to 4096 bit? DSA2 can
> handle that. And since that key isn't generated every 5 minutes,
> performance on slow machines shouldn't be an issue here either.

First off... as you seem to be aware, it's only used for initial authentication. ... cracking your private key would only allow someone to impersonate you in the future, and not read your past messages. It's not a very interesting attack for an attacker and if it were the attacker would probably be better off breaking into your home or office for this one.

Secondly, longer RSA keys *are* slower and more memory hungry. Not every device someone would want to run OTR on is a PC... think PDAs and other wireless devices. There are probably better ways to use CPU to improve security.

I could propose some things which would increase security ... but the biggest improvements for security will come from increasing the number of people that use OTR and number of ways they can use OTR... Supporting more platforms, supporting multi-user chat. Getting rid of the AIM multiple computers signed on at once OTR-fights.. etc..
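
[Added example, not part of the original thread and not libotr code: the blind-modification property described in the message above, and why it only matters once the MAC key has been released. A SHA-256 counter keystream stands in for AES-128-CTR and HMAC-SHA256 for OTR's MAC, both assumptions made so the block runs on the Python standard library; the property shown comes from XORing a keystream, whichever block cipher produces it. Function names are hypothetical.]

```python
"""Added example: counter-mode malleability and the role of the MAC key."""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Stand-in keystream: SHA-256(key || nonce || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def ctr_xor(key, nonce, data):
    """Encrypt or decrypt: in counter mode both are the same XOR."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def mac(mac_key, nonce, ciphertext):
    """Authenticate the ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify(mac_key, nonce, ciphertext, tag):
    """Constant-time check performed by the receiver during the session."""
    return hmac.compare_digest(mac(mac_key, nonce, ciphertext), tag)


def blind_modify(ciphertext, guessed_plain, wanted_plain):
    """Rewrite a ciphertext without the encryption key.

    Since C = P xor K, the value C xor guess xor wanted decrypts to `wanted`
    whenever the guess equals the real plaintext.
    """
    if not len(ciphertext) == len(guessed_plain) == len(wanted_plain):
        raise ValueError("all three inputs must have the same length")
    return bytes(c ^ g ^ w
                 for c, g, w in zip(ciphertext, guessed_plain, wanted_plain))


def demo():
    """Run the scenario from the message above with constructed keys."""
    enc_key, mac_key, nonce = os.urandom(16), os.urandom(20), os.urandom(8)
    original = b"I'd like to meet John"
    wanted = b"I'd like to kill John"

    ciphertext = ctr_xor(enc_key, nonce, original)
    tag = mac(mac_key, nonce, ciphertext)
    modified = blind_modify(ciphertext, original, wanted)

    # While the MAC key is still secret, the receiver rejects the change.
    rejected_in_session = not verify(mac_key, nonce, modified, tag)

    # Once the MAC key has been released, anyone can compute a valid tag,
    # so a logged (ciphertext, tag) pair no longer proves who wrote what.
    new_tag = mac(mac_key, nonce, modified)
    return {
        "decrypts_to": ctr_xor(enc_key, nonce, modified),
        "rejected_in_session": rejected_in_session,
        "valid_after_key_release": verify(mac_key, nonce, modified, new_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
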
From ian at cypherpunks.ca Sat May 10 12:51:13 2008
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Sat, 10 May 2008 12:51:13 -0400
Subject: [OTR-users] Stronger crypto?
In-Reply-To: <20080510135949.67ab1f75@webkeks.org>
References: <20080510135949.67ab1f75@webkeks.org>
Message-ID: <20080510165113.GT30190@yoink.cs.uwaterloo.ca>

On Sat, May 10, 2008 at 01:59:49PM +0200, Jonathan Schleifer wrote:
> Hi!
>
> I looked at the specification of the OTR protocol and have a few
> suggestions.
>
> First: Why not move from AES128-CTR to AES256-CBC? It only needs a few
> cycles more, but provides stronger crypto. Shouldn't be a problem, even
> on slower machines.
>
> Second: Why not increase the public/private key to 4096 bit? DSA2 can
> handle that. And since that key isn't generated every 5 minutes,
> performance on slow machines shouldn't be an issue here either.
>
> I haven't read the whole specification, only had a quick look at it, so
> feel free to correct me if I've missed something.
>
> I'd welcome it if there'd be a new OTR version providing stronger crypto.

Can you elucidate what your threat model is that you think 128-bit AES
isn't enough? The existence of AES-256 is largely to hedge against a
future advent of a working quantum computer (which could break AES-128
in 2^64 work, but need 2^128 work to break AES-256). But a quantum
computer would plow right through the DH key exchange used to generate
the 256-bit key, and you'd be sunk anyway.

Speaking of the DH, if we were to switch to 256-bit symmetric keys, we'd
have to switch the DH to something in the 10,000-bit range for
equivalent security. (Otherwise, it would be way easier to break the DH
to determine the symmetric key than it would be to break the AES
directly, and you gain nothing.) This would be way too slow, since it's
performed almost every time a message is sent. We'd probably need
something elliptic-curve based, which opens up other cans of worms.

There's a similar issue with the authentication keys: it doesn't help to
greatly raise the security level of the signature scheme, if the thing
you're signing (a MAC in this case) is of weaker security. All parts of
the system need to fit together.

In addition, authentication keys can be changed easily, and with no loss
of past message secrecy, if it does turn out for some reason that people
begin to be able to forge signatures with existing DSA keys. The OTR
protocol already includes a key type feature, anticipating this possible
future need. But in my opinion, the need isn't there at this time.

Thanks,

   - Ian

From gmaxwell at gmail.com Sat May 10 13:09:17 2008
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Sat, 10 May 2008 13:09:17 -0400
Subject: [OTR-users] Stronger crypto?
In-Reply-To: <20080510165113.GT30190@yoink.cs.uwaterloo.ca>
References: <20080510135949.67ab1f75@webkeks.org> <20080510165113.GT30190@yoink.cs.uwaterloo.ca>
Message-ID:

On Sat, May 10, 2008 at 12:51 PM, Ian Goldberg wrote:
[snip]
> Speaking of the DH, if we were to switch to 256-bit symmetric keys, we'd
> have to switch the DH to something in the 10,000-bit range for
> equivalent security. (Otherwise, it would be way easier to break the DH
> to determine the symmetric key than it would be to break the AES
> directly, and you gain nothing.) This would be way too slow, since it's
> performed almost every time a message is sent. We'd probably need
> something elliptic-curve based, which opens up other cans of worms.
[snip]

Hey, I did propose something OTR could do to improve key establishment security without expanding the DH size: Cache an established shared secret and mix it with the DH negotiated key.

I.e. take the password provided on each side for authentication, strengthen it with a zillion rounds of a hash, store it, then use it to encrypt the DH provided keys.

This means that if DH is found to be weaker than expected OTR between authenticated users reduces to symmetric crypto without PFS rather than being totally broken.

In any case... it still would be an insignificant improvement in security compared to what would be provided just about any usability improvement.

From js-otrim at webkeks.org Sun May 11 11:25:42 2008
From: js-otrim at webkeks.org (Jonathan Schleifer)
Date: Sun, 11 May 2008 17:25:42 +0200
Subject: [OTR-users] Pidgin plugin sends and parses HTML
Message-ID: <20080511172542.181da3f6@webkeks.org>

I just talked for the first time with a pidgin user using Gajim's new OTR implementation and I noticed that it seems that Pidgin encrypts the HTML, not the Text. Is this intended? Miranda seems to do it like Gajim, while Trillian also sends HTML. So it's 2 vs. 2.

What would be the correct approach? Should I change it in Gajim so it tries to strip all HTML tags and decode the entities + encode outgoing messages?

I also noticed that libotr returns HTML error messages, which we think is bad, they are not translatable and we have to strip HTML from them.

--
Jonathan

From l-otr.0705+23jv-l at ruediger-kuhlmann.de Sun May 11 11:48:15 2008
From: l-otr.0705+23jv-l at ruediger-kuhlmann.de (Rüdiger Kuhlmann)
Date: Sun, 11 May 2008 17:48:15 +0200
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080511172542.181da3f6@webkeks.org>
References: <20080511172542.181da3f6@webkeks.org>
Message-ID: <20080511154815.GA5693@msgids.ruediger-kuhlmann.de>

Hi Jonathan!

>--[Jonathan Schleifer]--
> I just talked for the first time with a pidgin user using Gajim's new
> OTR implementation and I noticed that it seems that Pidgin encrypts the
> HTML, not the Text. Is this intended?
> Miranda seems to do it like
> Gajim, while Trillian also sends HTML. So it's 2 vs. 2.

Add "climm" to the list of clients who do _NOT_ send HTML.

According to the OTR spec, the library is supposed to do nothing more than replace the plain text with the encrypted text. As such, the place for text/plain is supposed to contain encrypted text/plain, while the place for text/html is supposed to contain encrypted text/html.

So much, so obvious, unfortunately the OTR authors are quite resistant to reality and are not reachable by any kind of logic. Any time this comes up on this list, the poster is pointed to the list archive (where nobody can find any argument supporting the OTR author's position). So the situation is quite similar to the mplayer guys and their home-grown autoconf look-alike.

Well, I'm interested how to explain away the stupidity of Trillian to interpret text as HTML (and thus discard newlines) when climm doesn't even send HTML at all...

> Should I change it in Gajim so it
> tries to strip all HTML tags and decode the entities + encode outgoing
> messages?

Please don't.

Btw, climm will simply reject messages where the encrypted text/plain and text/html part agree, but < are somewhere in the decrypted text.

> I also noticed that libotr returns HTML error messages, which
> we think is bad, they are not translatable and we have to strip HTML
> from them.

Well, I'd say "bad" is a nice euphemism for "very poor interface design". libOTR was split from GAIM, pardon, Pitch-in code, and it shows. It isn't usable in any other environment without problems. If any usage of this library isn't as it is used by Pitch-in, then it will require stupid work-arounds and additional coding. Another example would, by the way, be the outgoing fragmentation "support".

Sorry for the not-quite so friendly email, but the situation just doesn't seem to improve.

Yours, Rüdiger.

--
"See, free nations are peaceful nations. Free nations don't attack each other.
Free nations don't develop weapons of mass destruction."
- George W. Bush, Milwaukee, Wis., Oct. 3, 2003

From js-otrim at webkeks.org Sun May 11 12:04:06 2008
From: js-otrim at webkeks.org (Jonathan Schleifer)
Date: Sun, 11 May 2008 18:04:06 +0200
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080511154815.GA5693@msgids.ruediger-kuhlmann.de>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de>
Message-ID: <20080511180406.538e0610@webkeks.org>

Rüdiger Kuhlmann wrote:
> As such, the place
> for text/plain is supposed to contain encrypted text/plain, while
> the place for text/html is supposed to contain encrypted text/html.

That's exactly what I thought would be the right way to do it, thanks. The problem is that Pidgin puts the HTML inside the XMPP *body*, which is wrong, wrong and once again very wrong! It should put plaintext there! It *may* use XHTML in the namespace reserved for it, but even if it does so, it MUST also send a plain text variant, otherwise it violates the RFC and the XHTML XEP!

Please fix that!

--
Jonathan

From l-otr.0705+23jv-l at ruediger-kuhlmann.de Sun May 11 12:30:37 2008
From: l-otr.0705+23jv-l at ruediger-kuhlmann.de (=?iso-8859-1?Q?R=FCdiger?= Kuhlmann)
Date: Sun, 11 May 2008 18:30:37 +0200
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080511180406.538e0610@webkeks.org>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org>
Message-ID: <20080511163037.GB5693@msgids.ruediger-kuhlmann.de>

>--[Jonathan Schleifer]--
> Rüdiger Kuhlmann wrote:
> > As such, the place
> > for text/plain is supposed to contain encrypted text/plain, while
> > the place for text/html is supposed to contain encrypted text/html.
> That's exactly what I thought would be the right way to do it, thanks.
> The problem is that Pidgin puts the HTML inside the XMPP *body*, which
> is wrong, wrong and once again very wrong! It should put plaintext
> there! It *may* use XHTML in the namespace reserved for it, but even if
> it does so, it MUST also send a plain text variant, otherwise it
> violates the RFC and the XHTML XEP!

The excuse that will pop up on the list will be:

| But the encrypted text _is_ plain text and not HTML
| and thus doesn't violate the XMPP RfC!!!111oneeleven!!!

... which is technically true, but totally misses the point why this is wrong. The only thing ever said about integration says (from the README distributed with the libOTR source code):

| If newmessage gets set by the call to something non-NULL, then you
| should replace your message with the contents of newmessage, and
| send that instead.

So it says the only change to the data sent out is that the actual message is replaced by the encrypted one. In particular, it doesn't say to put the encrypted HTML in place of the text/plain part of the message, nor does it say anything about having to support HTML somewhere.
I'm still waiting for someone to even try to bring any argument refusing my conclusion.

Yours, Rüdiger.

--
"See, free nations are peaceful nations. Free nations don't attack each other. Free nations don't develop weapons of mass destruction." - George W. Bush, Milwaukee, Wis., Oct. 3, 2003

From mail at scottellis.com.au Sun May 11 23:20:05 2008
From: mail at scottellis.com.au (Scott Ellis)
Date: Mon, 12 May 2008 13:20:05 +1000
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080511163037.GB5693@msgids.ruediger-kuhlmann.de>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de>
Message-ID: <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com>

Actually there is a separate plugin available for Miranda (same author as the OTR plugin - i.e. me) that will strip HTML from incoming messages - this is to allow for OTR interoperability with those clients that do work differently.

I had a similar discussion with the OTR authors about this as well, when I first implemented my plugin. I was never given useless links - they explained their position quite clearly. However I didn't and still don't agree. To them, OTR is a protocol in its own right, existing on top of other IM protocols but having its own rules. In the OTR spec it does say that messages belonging to the OTR protocol may contain HTML.

I would much rather OTR be considered an extension to existing protocols, and have the unencrypted messages follow the rules of the underlying protocol.

One motivation for this interpretation, I think, is that it may be more difficult to achieve this in the pidgin architecture (i.e.
the message to be sent comes with HTML from the message window, goes via otr and then to the protocol for sending - usually the proto will decide if it can send the HTML but if OTR has encrypted the message that's not possible). With Miranda that problem is easily solved, but other things are harder (i.e. sending an 'i'm going offline now' message).

I don't think there's anything confusing to it - just a difference in philosophy. My concern is that the decision to call OTR a 'protocol' is motivated by convenience.

Scott

On Mon, May 12, 2008 at 2:30 AM, Rüdiger Kuhlmann <l-otr.0705+23jv-l at ruediger-kuhlmann.de> wrote:

>
> >--[Jonathan Schleifer]--
> > Rüdiger Kuhlmann
> > wrote:
> > > As such, the place
> > > for text/plain is supposed to contain encrypted text/plain, while
> > > the place for text/html is supposed to contain encrypted text/html.
> > That's exactly what I thought would be the right way to do it, thanks.
> > The problem is that Pidgin puts the HTML inside the XMPP *body*, which
> > is wrong, wrong and once again very wrong! It should put plaintext
> > there! It *may* use XHTML in the namespace reserved for it, but even if
> > it does so, it MUST also send a plain text variant, otherwise it
> > violates the RFC and the XHTML XEP!
>
> The excuse that will pop up on the list will be:
>
> | But the encrypted text _is_ plain text and not HTML
> | and thus doesn't violate the XMPP RfC!!!111oneeleven!!!
>
> ... which is technically true, but totally misses the point why
> this is wrong. The only thing ever said about integration says
> (from the README distributed with the libOTR source code):
>
> | If newmessage gets set by the call to something non-NULL, then you
> | should replace your message with the contents of newmessage, and
> | send that instead.
>
> So it says the only change to the data sent out is that the actual
> message is replaced by the encrypted one.
In particular, it doesn't
> say to put the encrypted HTML in place of the text/plain part of
> the message, nor does it say anything about having to support HTML
> somewhere. I'm still waiting for someone to even try to bring any
> argument refusing my conclusion.
>
> Yours, Rüdiger.
>
> --
> "See, free nations are peaceful nations. Free nations don't attack
> each other. Free nations don't develop weapons of mass destruction."
> - George W. Bush, Milwaukee, Wis., Oct. 3, 2003

From l-otr.0705+23jv-l at ruediger-kuhlmann.de Mon May 12 08:17:37 2008
From: l-otr.0705+23jv-l at ruediger-kuhlmann.de (=?iso-8859-1?Q?R=FCdiger?= Kuhlmann)
Date: Mon, 12 May 2008 14:17:37 +0200
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com>
Message-ID: <20080512121737.GA5688@msgids.ruediger-kuhlmann.de>

>--[Scott Ellis]--
> I was never given useless links - they
> explained their position quite clearly. However I didn't and still don't
> agree. To them, OTR is a protocol in its own right, existing on top of
> other IM protocols but having its own rules. In the OTR spec it does say
> that messages belonging to the OTR protocol may contain HTML.

Uhm. I can only find one place where it mentions HTML at all. And while it mentions that it may contain markup, it still doesn't qualify as allowing to put HTML into a place where only text/plain is allowed.
Of course the text to encrypt may contain HTML, if an HTML message is about to be sent. Just as it may contain rtf, M$ .doc or any other markup if that is what is to be sent. But the data type of the data to be encrypted can only be determined by the underlying protocol, otherwise an extensive chapter on integration would HAVE to be part of the spec. It isn't. It claims that using libOTR is as simple as replacing the plain text with the output of the function. And it does not provide any functionality to encode or decode plain text to HTML.

> I don't think there's anything confusing to it - just a difference in
> philosophy. My concern is that the decision to call OTR a 'protocol' is
> motivated by convenience.

Which is why I'd consider libOTR to be essentially a misnamed libGaimOTR. I think I remember a statement from libOTR developers that any change to libOTR could only be made at the same time as a change to Gaim-libOTR-plugin. Which highlights this concern well enough for everyone to notice.

The question is how to proceed without hampering the broken interoperability of the OTR-wonnabe-protocol further. Maybe the best idea would be to increase the version number and in the new version make the protocol provide means to specify the type of data (plain/text, a well-defined subset of HTML, whatever) and means to determine the receiver's preferences. Anyone who doesn't agree?

--
"See, free nations are peaceful nations. Free nations don't attack each other. Free nations don't develop weapons of mass destruction." - George W. Bush, Milwaukee, Wis., Oct.
3, 2003

From js-otrim at webkeks.org Mon May 12 08:31:49 2008
From: js-otrim at webkeks.org (Jonathan Schleifer)
Date: Mon, 12 May 2008 14:31:49 +0200
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080512121737.GA5688@msgids.ruediger-kuhlmann.de>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de>
Message-ID: <20080512143149.46c0484e@webkeks.org>

Rüdiger Kuhlmann wrote:

> The question is how to proceed without hampering the broken
> interoperability of the OTR-wonnabe-protocol further. Maybe the best
> idea would be to increase the version number and in the new version
> make the protocol provide means to specify the type of data
> (plain/text, a well-defined subset of HTML, whatever) and means to
> determine the receiver's preferences. Anyone who doesn't agree?

Yes, me. XMPP offers XHTML IM. You can just put the HTML code there and put plain-text in the message body. This way, Pidgin can use its damned HTML (seems it can't even work without it!) and those who don't understand XHTML IM get the plain message, like wanted. For ICQ, HTML should just NEVER be used as it doesn't support it, even in ICQ6.

OTR shouldn't change anything about the data it encrypts. It should just encrypt it, nothing more. That way, you can encrypt HTML messages and put them in the *RIGHT* place, which is *NOT* the XMPP message body and you can encrypt plain text and put it in the XMPP message body.

--
Jonathan

From l-otr.0705+23jv-l at ruediger-kuhlmann.de Mon May 12 09:35:38 2008
From: l-otr.0705+23jv-l at ruediger-kuhlmann.de (=?iso-8859-1?Q?R=FCdiger?= Kuhlmann)
Date: Mon, 12 May 2008 15:35:38 +0200
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080512143149.46c0484e@webkeks.org>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de> <20080512143149.46c0484e@webkeks.org>
Message-ID: <20080512133538.GC5688@msgids.ruediger-kuhlmann.de>

>--[Jonathan Schleifer]--
> Rüdiger Kuhlmann wrote:
> > The question is how to proceed without hampering the broken
> > interoperability of the OTR-wonnabe-protocol further. Maybe the best
> > idea would be to increase the version number and in the new version
> > make the protocol provide means to specify the type of data
> > (plain/text, a well-defined subset of HTML, whatever) and means to
> > determine the receiver's preferences. Anyone who doesn't agree?
> Yes, me.
> XMPP offers XHTML IM. You can just put the HTML code there and put
> plain-text in the message body. This way, Pidgin can use its damned HTML
> (seems it can't even work without it!) and those who don't understand
> XHTML IM get the plain message, like wanted.
> For ICQ, HTML should just NEVER be used as it doesn't support it, even
> in ICQ6.

Well, it was a try at getting the Pitchin people also on board. I certainly agree that this is the best way (which is what I do - putting plain text (encrypted) in the body, and no html tag, and rejecting all messages with html = plaintext and < in it). The question is how to get the Pitchin and Trillian people do the same.
And that depends on how many pull how strong into correct direction. Like: Who would spend time replacing libOTR by a non-Gaim-specific library with a well thought-out interface? Who would join in in rejecting garbage messages from Pitchin? Who would massage the Pitchin guys with arguments until they try to make libOTR be what they claim it already is, a generic encryption library?

> OTR shouldn't change anything about the data it encrypts. It should
> just encrypt it, nothing more. That way, you can encrypt HTML messages
> and put them in the *RIGHT* place, which is *NOT* the XMPP message body
> and you can encrypt plain text and put it in the XMPP message body.

--
"See, free nations are peaceful nations. Free nations don't attack each other. Free nations don't develop weapons of mass destruction." - George W. Bush, Milwaukee, Wis., Oct. 3, 2003

From mail at scottellis.com.au Mon May 12 11:01:55 2008
From: mail at scottellis.com.au (Scott Ellis)
Date: Tue, 13 May 2008 01:01:55 +1000
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080512121737.GA5688@msgids.ruediger-kuhlmann.de>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de>
Message-ID: <96e269140805120801s5aa23cc9p37c200bedb59ba95@mail.gmail.com>

>
> Uhm. I can only find one place where it mentions HTML at all. And while
> it
> mentions that it may contain markup, it still doesn't qualify as allowing
> to
> put HTML into a place where only text/plain is allowed. Of course the text
> to encrypt may contain HTML, if an HTML message is about to be sent.
Just
> as
> it may contain rtf, M$ .doc or any other markup if that is what is to be
> sent. But the data type of the data to be encrypted can only be determined
> by the underlying protocol, otherwise an extensive chapter on integration
> would HAVE to be part of the spec. It isn't.

The actual text transferred over the underlying protocol is made up of plaintext chars - and as such none of the rules of the underlying protocol are being broken. Even jabber XEPs cannot lay claim to the *meaning* of plaintext within messages - just as you and a friend are not prevented from using some code language you make up yourselves over jabber. Under this interpretation the unencrypted messages of OTR conversations have nothing to do with the transport protocol. The phrase that was used by the developers in my earlier conversations on this topic was 'higher level protocol'. It's ugly and inconvenient to most of us, but it does make sense from a certain point of view.

It claims that using libOTR is
> as simple as replacing the plain text with the output of the function.

You're very right there - in most cases it doesn't perform 'as advertised'. But it does work that way for a lot of clients - almost anything Qt or Java based, for example.

Can I suggest this discussion continue on the dev mailing list though?

Scott

From paul at cypherpunks.ca Mon May 12 14:09:48 2008
From: paul at cypherpunks.ca (Paul Wouters)
Date: Mon, 12 May 2008 14:09:48 -0400 (EDT)
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080512133538.GC5688@msgids.ruediger-kuhlmann.de>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de> <20080512143149.46c0484e@webkeks.org> <20080512133538.GC5688@msgids.ruediger-kuhlmann.de>
Message-ID:

On Mon, 12 May 2008, Rüdiger Kuhlmann wrote:

> agree that this is the best way (which is what I do - putting plain text
> (encrypted) in the body, and no html tag, and rejecting all messages with
> html = plaintext and < in it).

"Be liberal in what to expect, be strict in what to send".

Don't start rejecting messages based on html. what if I send a plaintext message with "you need to use the tag for that"......
Paul

From l-otr.0705+23jv-l at ruediger-kuhlmann.de Mon May 12 14:20:13 2008
From: l-otr.0705+23jv-l at ruediger-kuhlmann.de (=?iso-8859-1?Q?R=FCdiger?= Kuhlmann)
Date: Mon, 12 May 2008 20:20:13 +0200
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To:
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de> <20080512143149.46c0484e@webkeks.org> <20080512133538.GC5688@msgids.ruediger-kuhlmann.de>
Message-ID: <20080512182013.GE5688@msgids.ruediger-kuhlmann.de>

Hi Paul,

>--[Paul Wouters]--
> On Mon, 12 May 2008, Rüdiger Kuhlmann wrote:
> > agree that this is the best way (which is what I do - putting plain text
> > (encrypted) in the body, and no html tag, and rejecting all messages with
> > html = plaintext and < in it).
> "Be liberal in what to expect, be strict in what to send".
> Don't start rejecting messages based on html. what if I send a plaintext
> message with "you need to use the tag for that"......

I do reject messages that claim that text/plain == text/html when they obviously can't as they're clearly broken and cannot be assigned a well-defined meaning. And while I'd like to be more literal in what I accept, it wouldn't do anything to solve the problem of Pitchin's (and Trillian's) broken OTR implementation - if I can't reach anyone with arguments (nobody has yet said anything insightful about it from the libOTR or Pitchin people), I just have to make sure it pops up as their problem, or they'll just ignore it.

So let me ask you: will you clarify the OTR spec to make sure it won't pack encrypted HTML into a plain text field and fix the Pitchin OTR plugin accordingly, OR will you continue to ignore (or argue away) the problem?

PS. Please respect the Mail-Followup-To:.
I happen to read the mailing lists that I write to, thank you.

--
"See, free nations are peaceful nations. Free nations don't attack each other. Free nations don't develop weapons of mass destruction." - George W. Bush, Milwaukee, Wis., Oct. 3, 2003

From bdm at fenrir.org.uk Mon May 12 14:50:43 2008
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Mon, 12 May 2008 19:50:43 +0100
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080512133538.GC5688@msgids.ruediger-kuhlmann.de>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de> <20080512143149.46c0484e@webkeks.org> <20080512133538.GC5688@msgids.ruediger-kuhlmann.de>
Message-ID: <20080512195043.3c9d4958@peterson.fenrir.org.uk>

On Mon, 12 May 2008 15:35:38 +0200 Rüdiger Kuhlmann wrote:

> Well, it was a try at getting the Pitchin people also on board.

I'm astonished that you're lecturing the developers about the treatment of (spit!) HTML when you can't even be bothered to write Pidgin correctly.

Frankly, I care not a single whit what happens with HTML, and I don't see why anyone should put any effort into its handling until everything else works properly.

--
Brian Morrison bdm at fenrir dot org dot uk
"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From mail at scottellis.com.au Mon May 12 19:42:42 2008
From: mail at scottellis.com.au (Scott Ellis)
Date: Tue, 13 May 2008 09:42:42 +1000
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080512182013.GE5688@msgids.ruediger-kuhlmann.de>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de> <20080512143149.46c0484e@webkeks.org> <20080512133538.GC5688@msgids.ruediger-kuhlmann.de> <20080512182013.GE5688@msgids.ruediger-kuhlmann.de>
Message-ID: <96e269140805121642n68805906qf06d1a274e780eef@mail.gmail.com>

> PS. Please respect the Mail-Followup-To:. I happen to read the
> mailing lists that I write to, thank you.
>

Sorry - sender's addy and list addy both show in the 'reply-to' field in emails from this list, and gmail respects that. Not sure if it's a list config problem - it is annoying.

From mail at scottellis.com.au Mon May 12 19:57:36 2008
From: mail at scottellis.com.au (Scott Ellis)
Date: Tue, 13 May 2008 09:57:36 +1000
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <20080512195043.3c9d4958@peterson.fenrir.org.uk>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de> <20080512143149.46c0484e@webkeks.org> <20080512133538.GC5688@msgids.ruediger-kuhlmann.de> <20080512195043.3c9d4958@peterson.fenrir.org.uk>
Message-ID: <96e269140805121657k5de257br794e450ff5ef55fe@mail.gmail.com>

> I'm astonished that you're lecturing the developers about the treatment
> of (spit!) HTML when you can't even be bothered to write Pidgin
> correctly.
>

It's called a 'pun'.

>
> Frankly, I care not a single whit what happens with HTML, and I don't
> see why anyone should put any effort into its handling until everything
> else works properly.

Complaints about HTML handling are easily the most common problem reported by users of my OTR plugin - even though it does follow everyone's interpretation of the spec depending on the other plugins in use. If you're using a messenger that handles HTML natively then you may well not care - it won't affect you. But there are a lot of people out there whom it does affect, and in many ways this is the single biggest problem with using and supporting the OTR library.

What is this 'everything else' that you're referring to?
The other serious problem in my mind is the need for a 'i'm going offline now' message, another feature of the OTR protocol - as I mentioned earlier this just isn't possible with Miranda's plugin API, and there are a bunch of other reasons why it's a very bad idea...but that's another story

From ian at cypherpunks.ca Tue May 13 08:10:05 2008
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 13 May 2008 08:10:05 -0400
Subject: [otr-users] Pidgin plugin sends and parses HTML
In-Reply-To: <96e269140805120801s5aa23cc9p37c200bedb59ba95@mail.gmail.com>
References: <20080511172542.181da3f6@webkeks.org> <20080511154815.GA5693@msgids.ruediger-kuhlmann.de> <20080511180406.538e0610@webkeks.org> <20080511163037.GB5693@msgids.ruediger-kuhlmann.de> <96e269140805112020k6ea60e9jaa2a0814cee3ca55@mail.gmail.com> <20080512121737.GA5688@msgids.ruediger-kuhlmann.de> <96e269140805120801s5aa23cc9p37c200bedb59ba95@mail.gmail.com>
Message-ID: <20080513121005.GA7120@thunk.cs.uwaterloo.ca>

On Tue, May 13, 2008 at 01:01:55AM +1000, Scott Ellis wrote:

> >
> > Uhm. I can only find one place where it mentions HTML at all. And while
> > it
> > mentions that it may contain markup, it still doesn't qualify as allowing
> > to
> > put HTML into a place where only text/plain is allowed. Of course the text
> > to encrypt may contain HTML, if an HTML message is about to be sent. Just
> > as
> > it may contain rtf, M$ .doc or any other markup if that is what is to be
> > sent. But the data type of the data to be encrypted can only be determined
> > by the underlying protocol, otherwise an extensive chapter on integration
> > would HAVE to be part of the spec. It isn't.
>
>
> The actual text transferred over the underlying protocol is made up of
> plaintext chars - and as such none of the rules of the underlying protocol
> are being broken.
Even jabber XEPs cannot lay claim to the *meaning* of
> plaintext within messages - just as you and a friend are not prevented from
> using some code language you make up yourselves over jabber. Under this
> interpretation the unencrypted messages of OTR conversations have nothing to
> do with the transport protocol. The phrase that was used by the developers
> in my earlier conversations on this topic was 'higher level protocol'. It's
> ugly and inconvenient to most of us, but it does make sense from a certain
> point of view.
>
> It claims that using libOTR is
> > as simple as replacing the plain text with the output of the function.
>
>
> You're very right there - in most cases it doesn't perform 'as advertised'.
> But it does work that way for a lot of clients - almost anything Qt or Java
> based, for example.
>
> Can I suggest this discussion continue on the dev mailing list though?

Agreed. I'll start a thread over there.

- Ian

From gmaxwell at gmail.com Sat May 17 00:20:05 2008
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Sat, 17 May 2008 00:20:05 -0400
Subject: [OTR-users] Debian OpenSSL weak PRNG - OTR vulnerable?
Message-ID:

Some sort of statement should probably be made about the security of user identities with respect to the recently uncovered issue with Debian's patches to OpenSSL.

From esurnir at gmail.com Sat May 17 00:27:02 2008
From: esurnir at gmail.com (Jean-Baptiste Zeller)
Date: Sat, 17 May 2008 00:27:02 -0400
Subject: [OTR-users] Debian OpenSSL weak PRNG - OTR vulnerable?
In-Reply-To:
References:
Message-ID: <482E5E96.2040004@gmail.com>

Gregory Maxwell wrote:

> Some sort of statement should probably be made about the security of
> user identities with respect to the recently uncovered issue with
> Debian's patches to OpenSSL.
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users

OTR doesn't use a single line of code from OpenSSL, the prng used is based on the libgcrypt library, which isn't concerned as far as I know.

So I guess we can sleep well now that it's covered.

Jean-Baptiste Zeller

From ananda.kumar.samaddar at googlemail.com Sat May 17 12:52:10 2008
From: ananda.kumar.samaddar at googlemail.com (Ananda Samaddar)
Date: Sat, 17 May 2008 17:52:10 +0100
Subject: [OTR-users] OTR messaging is vulnerable to censorship
Message-ID: <20080517175210.0caf7b1b@ananda-dell>

Hi, all

Apologies if this has already been discussed, I've googled this and the mailing list archives do not appear to be searchable.

I'm no security or networking expert but consider myself to be a reasonably competent Debian user. Out of curiosity I ran Wireshark to do some traffic logging whilst engaged in an OTR chat session. From this I discovered that all OTR messages begin with the string '?OTR:' (without quotes).

Surely this means that IM providers could simply block OTR messages by blocking all messages that contain the string '?OTR:'. There is a precedent to potential blocking already established. MSN / Windows Live messaging already blocks certain urls on their network particularly ones containing php links. There is also speculation that they might be blocking youtube links.

This is of concern to me as I use OTR to talk to friends in the PRC, and it's well known that they heavily censor internet use in that country.

If anyone can point me to a thread where this has already been discussed then please do.
regards,

Ananda Samaddar

From esurnir at gmail.com Sat May 17 13:19:12 2008
From: esurnir at gmail.com (Esurnir)
Date: Sat, 17 May 2008 13:19:12 -0400
Subject: [OTR-users] OTR messaging is vulnerable to censorship
In-Reply-To: <20080517175210.0caf7b1b@ananda-dell>
References: <20080517175210.0caf7b1b@ananda-dell>
Message-ID: <78ce815d0805171019m4e9a2358p2610bae879476ed9@mail.gmail.com>

Suppressing ?OTR: brings some problems, namely identifying which message is a plaintext and which is an OTR message (an example of such a case, where a plaintext could arrive when they are the least expected, would be if one of the clients crashes and the guy in question logs back in).

To evade such a possible censorship problem would be to make the traffic indistinguishable from normal messages. Obfuscating it.

Now the problem is to keep the condition the deniability and malleability of OTR while obfuscating it, sounds difficult. If we reveal an obfuscating encryption key to keep it, the whole problem would be when to reveal it, cause after being revealed an automated could then reveal that all the past messages have been OTR messages and block further ones.

On Sat, May 17, 2008 at 12:52 PM, Ananda Samaddar <ananda.kumar.samaddar at googlemail.com> wrote:

> Hi, all
>
> Apologies if this has already been discussed, I've googled this and the
> mailing list archives do not appear to be searchable.
>
> I'm no security or networking expert but consider myself to be a
> reasonably competent Debian user. Out of curiosity I ran Wireshark to
> do some traffic logging whilst engaged in an OTR chat session. From
> this I discovered that all OTR messages begin with the string
> '?OTR:' (without quotes).
>
> Surely this means that IM providers could simply block OTR messages by
> blocking all messages that contain the string '?OTR:'. There is a
> precedent to potential blocking already established. MSN / Windows
> Live messaging already blocks certain urls on their network
> particularly ones containing php links.
There is also speculation that
> they might be blocking youtube links.
>
> This is of concern to me as I use OTR to talk to friends in the PRC,
> and it's well known that they heavily censor internet use in that
> country.
>
> If anyone can point me to a thread where this has already been
> discussed then please do.
>
> regards,
>
> Ananda Samaddar
>

--
Jean-Baptiste Zeller
GPG Keyid 0xF96A37EB

From chazefroy at gmail.com Sat May 17 16:42:20 2008
From: chazefroy at gmail.com (ChazeFroy)
Date: Sat, 17 May 2008 16:42:20 -0400
Subject: [OTR-users] OTR support for bitlbee
Message-ID: <8ba68aae0805171342m3679df04se06786f5c0bf1c6b@mail.gmail.com>

A couple of months ago, "Pesco" published support for OTR using the bitlbee client.

This is quite significant as it is the first multi-protocol command-line client to support OTR. This also allows users to simply "screen" their IM on a shell somewhere without needing all of the GUI stuff required by previous clients that supported OTR (or the GUI-only OTR proxy). Furthermore, this could be a good starting point for those wishing to implement OTR support for other CLI clients, such as Finch.

Here is the announcement: http://bugs.bitlbee.org/bitlbee/ticket/115

To obtain the code, you must have "bazaar" installed (www.bazaar-ng.org). It also requires libotr 3.1. To download it, simply run:

bzr checkout http://khjk.org/~pesco/bitlbee-otr/

I have not seen an ETA on when OTR support will be included in the next release of bitlbee, but hopefully it will be soon.

Can the OTR admins link this news to their website so others will know about it?
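
Added example (not part of any message in this archive, and not libotr code): the "OTR messaging is vulnerable to censorship" posts above turn on the unencrypted framing of OTR messages, which the receiving client needs in order to tell OTR traffic from plaintext and which is equally visible to any server on the path. The sketch classifies a message body by that framing as described in the OTR version 2 protocol document; the name `classify` and the sample bodies are constructed for illustration.

```python
import base64
import binascii
import re

# Message type byte -> name, from the OTR protocol version 2 description.
OTR_MESSAGE_TYPES = {
    0x02: "D-H Commit",
    0x0A: "D-H Key",
    0x11: "Reveal Signature",
    0x12: "Signature",
    0x03: "Data",
}

# Query forms: "?OTR?" (v1), "?OTRv2?" (v2), "?OTR?v2?" (v1 and v2).
QUERY_RE = re.compile(r"\?OTR(\?v[^?\s]*\?|v[^?\s]*\?|\?)")


def classify(body):
    """Classify one IM message body from its unencrypted framing only.

    Returns (kind, detail). No key material is needed or revealed.
    """
    if body.startswith("?OTR Error:"):
        return ("error", body[len("?OTR Error:"):].strip())

    if body.startswith("?OTR,"):
        # Version 2 fragment: "?OTR,k,n,piece," (piece k of n).
        parts = body.split(",")
        if (len(parts) == 5 and parts[4] == ""
                and parts[1].isdigit() and parts[2].isdigit()
                and 1 <= int(parts[1]) <= int(parts[2])):
            return ("fragment", "%s/%s" % (parts[1], parts[2]))
        return ("malformed", "bad fragment framing")

    if body.startswith("?OTR:"):
        # Encoded message: "?OTR:" + base64(binary message) + "."
        if not body.endswith("."):
            return ("malformed", "missing '.' terminator")
        try:
            raw = base64.b64decode(body[5:-1], validate=True)
        except (binascii.Error, ValueError):
            return ("malformed", "payload is not base64")
        if len(raw) < 3:
            return ("malformed", "header too short")
        # Binary header: 2-byte protocol version, 1-byte message type.
        version = int.from_bytes(raw[:2], "big")
        name = OTR_MESSAGE_TYPES.get(raw[2], "type 0x%02x" % raw[2])
        return ("encoded", "v%d %s" % (version, name))

    match = QUERY_RE.match(body)
    if match:
        return ("query", match.group(0))

    return ("plaintext", None)


def _encode(raw):
    return "?OTR:" + base64.b64encode(raw).decode("ascii") + "."


# Constructed sample bodies (not captured traffic). Bytes after the 3-byte
# header are zero filler, not real key-exchange data or ciphertext.
SAMPLES = [
    "hello, are you there?",
    "?OTRv2? (constructed request text)",
    _encode(b"\x00\x02\x02" + bytes(32)),
    _encode(b"\x00\x02\x03" + bytes(48)),
    "?OTR,1,2,AAIDAAAA,",
    "?OTR Error: constructed error text",
    "?OTR:not*base64.",
]


def tally(bodies):
    """Count message kinds, as a client log or a server-side audit could."""
    counts = {}
    for body in bodies:
        kind = classify(body)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for body in SAMPLES:
        print("%-10s %-22s %s" % (*classify(body), body[:30]))
```

Because the version and type bytes sit at the start of the base64 payload, every version 2 data message begins with the same nine characters, `?OTR:AAID`, so removing the prefix alone would not make the traffic blend in with ordinary text.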
From js-otrim at webkeks.org Sat May 17 17:00:09 2008
From: js-otrim at webkeks.org (Jonathan Schleifer)
Date: Sat, 17 May 2008 23:00:09 +0200
Subject: [OTR-users] OTR support for bitlbee
In-Reply-To: <8ba68aae0805171342m3679df04se06786f5c0bf1c6b@mail.gmail.com>
References: <8ba68aae0805171342m3679df04se06786f5c0bf1c6b@mail.gmail.com>
Message-ID: <20080517230009.7aa93fc5@webkeks.org>

ChazeFroy wrote:

> This is quite significant as it is the first multi-protocol
> command-line client to support OTR. This also allows users to simply
> "screen" their IM on a shell somewhere without needing all of the GUI
> stuff required by previous clients that supported OTR (or the
> GUI-only OTR proxy).

Wrong. centericq already supports it and it's, though the name says
otherwise, multi IM.

--
Jonathan

From chazefroy at gmail.com Sat May 17 18:35:30 2008
From: chazefroy at gmail.com (ChazeFroy)
Date: Sat, 17 May 2008 18:35:30 -0400
Subject: [OTR-users] OTR support for bitlbee
In-Reply-To: <20080517230009.7aa93fc5@webkeks.org>
References: <8ba68aae0805171342m3679df04se06786f5c0bf1c6b@mail.gmail.com> <20080517230009.7aa93fc5@webkeks.org>
Message-ID: <8ba68aae0805171535k1a7b1938v1d215a2824450f0@mail.gmail.com>

On Sat, May 17, 2008 at 5:00 PM, Jonathan Schleifer wrote:
>
> Wrong. centericq already supports it and it's, though the name says
> otherwise, multi IM.

Ah, good to know. I didn't see it on OTR's website, and nothing is
mentioned on centericq's website at http://thekonst.net/en/centericq.
Where is more information about it? Did you mean mICQ/climm?
From js-otrim at webkeks.org Sat May 17 18:42:51 2008
From: js-otrim at webkeks.org (Jonathan Schleifer)
Date: Sun, 18 May 2008 00:42:51 +0200
Subject: [OTR-users] OTR support for bitlbee
In-Reply-To: <8ba68aae0805171535k1a7b1938v1d215a2824450f0@mail.gmail.com>
References: <8ba68aae0805171342m3679df04se06786f5c0bf1c6b@mail.gmail.com> <20080517230009.7aa93fc5@webkeks.org> <8ba68aae0805171535k1a7b1938v1d215a2824450f0@mail.gmail.com>
Message-ID: <20080518004251.090b4038@webkeks.org>

ChazeFroy wrote:

> I didn't see it on OTR's website, and nothing is mentioned on
> centericq's website at http://thekonst.net/en/centericq. Where is
> more information about it? Did you mean mICQ/climm?

It's for example listed on Wikipedia. And no, I mean centericq.

--
Jonathan

From chazefroy at gmail.com Sat May 17 21:23:49 2008
From: chazefroy at gmail.com (ChazeFroy)
Date: Sat, 17 May 2008 21:23:49 -0400
Subject: [OTR-users] OTR support for bitlbee
In-Reply-To: <20080518004251.090b4038@webkeks.org>
References: <8ba68aae0805171342m3679df04se06786f5c0bf1c6b@mail.gmail.com> <20080517230009.7aa93fc5@webkeks.org> <8ba68aae0805171535k1a7b1938v1d215a2824450f0@mail.gmail.com> <20080518004251.090b4038@webkeks.org>
Message-ID: <8ba68aae0805171823xb361cdl59f61928637b9972@mail.gmail.com>

On Sat, May 17, 2008 at 6:42 PM, Jonathan Schleifer wrote:
>
> It's for example listed on Wikipedia. And no, I mean centericq.

Centericq does not have it, but Centerim (http://www.centerim.org)
does. According to its changelog, it looks like Centerim added OTR
support for Jabber in August 2007. Does it work with Oscar, Yahoo,
MSN, etc?

Could somebody update the OTR webpage to list both Centerim and
Bitlbee as supporting OTR now?
From perrin at apotheon.com Sun May 18 13:46:00 2008
From: perrin at apotheon.com (Chad Perrin)
Date: Sun, 18 May 2008 11:46:00 -0600
Subject: [OTR-users] OTR support for bitlbee
In-Reply-To: <8ba68aae0805171823xb361cdl59f61928637b9972@mail.gmail.com>
References: <8ba68aae0805171342m3679df04se06786f5c0bf1c6b@mail.gmail.com> <20080517230009.7aa93fc5@webkeks.org> <8ba68aae0805171535k1a7b1938v1d215a2824450f0@mail.gmail.com> <20080518004251.090b4038@webkeks.org> <8ba68aae0805171823xb361cdl59f61928637b9972@mail.gmail.com>
Message-ID: <20080518174600.GA96475@demeter.hydra>

On Sat, May 17, 2008 at 09:23:49PM -0400, ChazeFroy wrote:
> On Sat, May 17, 2008 at 6:42 PM, Jonathan Schleifer
> wrote:
> >
> > It's for example listed on Wikipedia. And no, I mean centericq.
>
> Centericq does not have it, but Centerim (http://www.centerim.org)
> does. According to its changelog, it looks like Centerim added OTR
> support for Jabber in August 2007. Does it work with Oscar, Yahoo,
> MSN, etc?
>
> Could somebody update the OTR webpage to list both Centerim and
> Bitlbee as supporting OTR now?

I looked into this a while ago, talked to some of the CenterIM people,
because I like CenterIM's interface (and that of CenterICQ, which I had
discovered first back in 2003). Apparently, the OTR support was only for
one protocol, and was less than perfectly stable because nobody's
supporting that functionality now. That, at least, is the impression I
got from speaking to several of the CenterIM folks in IRC last year.

If there's more/new information suggesting that it works with more
protocols, I'd love to hear it. I, unfortunately, don't have the time
and familiarity right now to improve OTR support in CenterIM myself, but
I'd love to see that support improve so I could finally ditch Pidgin.

I recall choosing to forego Bitlbee for some reason, but don't remember
why. I guess I'll have another look at it and see if it's something I
want to use now.
--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Leon Festinger: "A man with a conviction is a hard man to change. Tell
him you disagree and he turns away. Show him facts and figures and he
questions your sources. Appeal to logic and he fails to see your point."

From william at escapevelocitypub.com Sun May 18 17:44:16 2008
From: william at escapevelocitypub.com (William)
Date: Sun, 18 May 2008 17:44:16 -0400
Subject: [OTR-users] pidgin-otr install errors
Message-ID: <4830A330.10502@escapevelocitypub.com>

Hello,

I'm currently trying to re-install pidgin-otr-3.1.0 on Mandriva2006. I
had it working once but had to do an OS re-install.

Running Pidgin 2.2.2

I run:

    ./configure --prefix=/usr

and get the following error:

    checking for otrl_message_receiving in -lotr... yes
    checking for pkg-config... /usr/bin/pkg-config
    checking pkg-config is at least version 0.9.0... yes
    checking for EXTRA... configure: error: Package requirements (glib-2.0 >= 2.6 gtk+-2.0 >= 2.6 pidgin >= 2.0 purple >= 2.0) were not met:

    Package pidgin was not found in the pkg-config search path.
    Perhaps you should add the directory containing `pidgin.pc'
    to the PKG_CONFIG_PATH environment variable
    No package 'pidgin' found

    Consider adjusting the PKG_CONFIG_PATH environment variable if you
    installed software in a non-standard prefix.

    Alternatively, you may set the environment variables EXTRA_CFLAGS
    and EXTRA_LIBS to avoid the need to call pkg-config.
    See the pkg-config man page for more details.
From js-otrim at webkeks.org Mon May 19 06:12:39 2008
From: js-otrim at webkeks.org (Jonathan Schleifer)
Date: Mon, 19 May 2008 12:12:39 +0200
Subject: [OTR-users] pidgin-otr install errors
In-Reply-To: <4830A330.10502@escapevelocitypub.com>
References: <4830A330.10502@escapevelocitypub.com>
Message-ID: <20080519121239.0521eaea@webkeks.org>

William wrote:

> Running Pidgin 2.2.2

Why are you using such an old version?

> checking for EXTRA... configure: error: Package requirements
> (glib-2.0 >= 2.6 gtk+-2.0 >= 2.6 pidgin >= 2.0 purple >= 2.0) were not met:
>
> Package pidgin was not found in the pkg-config search path.

This tells you just what I told you in the first line of this mail:
Your pidgin version is way too old.

--
Jonathan

From chazefroy at gmail.com Mon May 19 07:54:08 2008
From: chazefroy at gmail.com (ChazeFroy)
Date: Mon, 19 May 2008 07:54:08 -0400
Subject: [OTR-users] OTR support for bitlbee
In-Reply-To: <20080518174600.GA96475@demeter.hydra>
References: <8ba68aae0805171342m3679df04se06786f5c0bf1c6b@mail.gmail.com> <20080517230009.7aa93fc5@webkeks.org> <8ba68aae0805171535k1a7b1938v1d215a2824450f0@mail.gmail.com> <20080518004251.090b4038@webkeks.org> <8ba68aae0805171823xb361cdl59f61928637b9972@mail.gmail.com> <20080518174600.GA96475@demeter.hydra>
Message-ID: <8ba68aae0805190454x67fd5d5ex4261897942c7ce4d@mail.gmail.com>

On Sun, May 18, 2008 at 1:46 PM, Chad Perrin wrote:
>
> I looked into this a while ago, talked to some of the CenterIM people,
> because I like CenterIM's interface (and that of CenterICQ, which I had
> discovered first back in 2003). Apparently, the OTR support was only for
> one protocol, and was less than perfectly stable because nobody's
> supporting that functionality now.
> That, at least, is the impression I
> got from speaking to several of the CenterIM folks in IRC last year.

That's what I've read from CenterIM's website, too. Bitlbee seems to
support more than one protocol, which is a good thing.

I used Bitlbee with OTR for about 24 hours and it seemed fine 99% of the
time. However, it seemed that when it got an unexpected OTR message, it
would disconnect completely from the network. If it ran into this issue
during the first session after you initially set up your account
(without quitting or bouncing it), it would even forget your account
details (username, network, everything). I have not yet filed a bug
report because I cannot reliably reproduce it.

Hopefully this random bug will get fixed once the OTR code makes its way
into the official distribution.

From samslists at gmail.com Mon May 19 18:48:35 2008
From: samslists at gmail.com (Sam's Lists)
Date: Mon, 19 May 2008 15:48:35 -0700
Subject: [OTR-users] Openssl fiasco and otr...
Message-ID: <558124520805191548p5aec305x198513a76fb43355@mail.gmail.com>

Hi...

I'm 99% positive the answer is that otr in no way relies on any of the
openssl infrastructure. But given the recent Debian/Ubuntu fiasco I
just want to double check. Can someone confirm that I have nothing to
worry about?

Thanks

From esurnir at gmail.com Mon May 19 18:57:00 2008
From: esurnir at gmail.com (Jean-Baptiste Zeller)
Date: Mon, 19 May 2008 18:57:00 -0400
Subject: [OTR-users] Openssl fiasco and otr...
In-Reply-To: <558124520805191548p5aec305x198513a76fb43355@mail.gmail.com>
References: <558124520805191548p5aec305x198513a76fb43355@mail.gmail.com>
Message-ID: <483205BC.2000705@gmail.com>

Sam's Lists wrote:
> Hi...
>
> I'm 99% positive the answer is that otr in no way relies on any of the
> openssl infrastructure. But given the recent Debian/Ubuntu fiasco I
> just want to double check. Can someone confirm that I have nothing to
> worry about?
>
> Thanks

OTR doesn't use a single line of code from OpenSSL; the PRNG used is the
one in the libgcrypt library, which isn't concerned as far as I know.

So I guess we can sleep well now that it's covered.

Jean-Baptiste Zeller

From zythrix at gmail.com Tue May 20 03:30:31 2008
From: zythrix at gmail.com (Zythrix)
Date: Tue, 20 May 2008 00:30:31 -0700
Subject: [OTR-users] OTR with PortableApps.com Pidgin
Message-ID: <3869c3f00805200030m2855fc09l545a09f1a1f548b3@mail.gmail.com>

Okay, I've had 100% success in getting this wonderful application to
work with Pidgin, but quite often I find myself using the
PortableApps.com version from my flash drive. With this version I cannot
use the Pidgin-OTR installer (it doesn't find the installation in the
registry so I can't install) and I had my friend send me the files from
his pidgin-otr directory, but that didn't work either. What I'm getting
at is, have any of you gotten Pidgin-OTR to work on Pidgin portable or
the PortableApps.com Pidgin?

Thank you.

From roy at rant-central.com Tue May 20 06:10:21 2008
From: roy at rant-central.com (Roy M. Silvernail)
Date: Tue, 20 May 2008 06:10:21 -0400
Subject: [OTR-users] OTR with PortableApps.com Pidgin
In-Reply-To: <3869c3f00805200030m2855fc09l545a09f1a1f548b3@mail.gmail.com>
References: <3869c3f00805200030m2855fc09l545a09f1a1f548b3@mail.gmail.com>
Message-ID: <4832A38D.3070802@rant-central.com>

Zythrix wrote:
> Okay, I've had 100% success in getting this wonderful application to work
> with Pidgin, but quite often I find myself using the PortableApps.com
> version from my flash drive.
> With this version I cannot use the Pidgin-OTR
> installer (it doesn't find the installation in the registry so I can't
> install) and I had my friend send me the files from his pidgin-otr
> directory, but that didn't work either. What I'm getting at is, have any of
> you gotten Pidgin-OTR to work on Pidgin portable or the PortableApps.com
> Pidgin?

Check out the OTR-Portable installer.

http://sourceforge.net/project/showfiles.php?group_id=151265

--
Roy M. Silvernail is roy at rant-central.com, and you're not
"It's just this little chromium switch, here." - TFT
http://www.rant-central.com

From ian at cypherpunks.ca Fri May 23 10:00:01 2008
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 23 May 2008 10:00:01 -0400
Subject: [OTR-users] pidgin-otr install errors
In-Reply-To: <20080519121239.0521eaea@webkeks.org>
References: <4830A330.10502@escapevelocitypub.com> <20080519121239.0521eaea@webkeks.org>
Message-ID: <20080523140001.GL28889@thunk.cs.uwaterloo.ca>

On Mon, May 19, 2008 at 12:12:39PM +0200, Jonathan Schleifer wrote:
> William wrote:
>
> > Running Pidgin 2.2.2
>
> Why are you using such an old version?
>
> > checking for EXTRA... configure: error: Package requirements
> > (glib-2.0 >= 2.6 gtk+-2.0 >= 2.6 pidgin >= 2.0 purple >= 2.0) were not met:
> >
> > Package pidgin was not found in the pkg-config search path.
>
> This tells you just what I told you in the first line of this mail:
> Your pidgin version is way too old.

Huh? OTR works fine with pidgin >= 2.0, as the above line indicates.
2.2.2 should pose no problem.

What's probably happening is that your OS reinstall failed to install
the -dev (sometimes called -devel) version of the pidgin package.

That package contains pidgin.pc, as well as the pidgin header files
needed to compile pidgin plugins like pidgin-otr.
   - Ian

From william at escapevelocitypub.com Fri May 23 11:41:21 2008
From: william at escapevelocitypub.com (William)
Date: Fri, 23 May 2008 11:41:21 -0400
Subject: [OTR-users] pidgin-otr install errors
In-Reply-To: <20080523140001.GL28889@thunk.cs.uwaterloo.ca>
References: <4830A330.10502@escapevelocitypub.com> <20080519121239.0521eaea@webkeks.org> <20080523140001.GL28889@thunk.cs.uwaterloo.ca>
Message-ID: <4836E5A1.9070904@escapevelocitypub.com>

Hey Ian,

Thanks for the suggestion. I finally got it though, and I'm using
v 2.4.2

Sorry for the caps, but I just copied and pasted the below from the
notes I'm saving for future reference.

"export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH

BEFORE YOU RUN THE ./CONFIG STRING IN THE PIDGIN-OTR SOURCE DIRECTORY!

THEN..........

YOU HAVE TO COPY ALL THE OTR FILES FROM /USR/LIB/PIDGIN TO
/USR/LOCAL/LIB/PIDGIN TO GET THE PLUGIN TO SHOW UP IN THE PIDGIN TOOLS
MENU!"

Ian Goldberg wrote:
> On Mon, May 19, 2008 at 12:12:39PM +0200, Jonathan Schleifer wrote:
>
>> William wrote:
>>
>>> Running Pidgin 2.2.2
>>>
>> Why are you using such an old version?
>>
>>> checking for EXTRA... configure: error: Package requirements
>>> (glib-2.0 >= 2.6 gtk+-2.0 >= 2.6 pidgin >= 2.0 purple >= 2.0) were not met:
>>>
>>> Package pidgin was not found in the pkg-config search path.
>>>
>> This tells you just what I told you in the first line of this mail:
>> Your pidgin version is way too old.
>>
>
> Huh? OTR works fine with pidgin >= 2.0, as the above line indicates.
> 2.2.2 should pose no problem.
>
> What's probably happening is that your OS reinstall failed to install
> the -dev (sometimes called -devel) version of the pidgin package.
>
> That package contains pidgin.pc, as well as the pidgin header files
> needed to compile pidgin plugins like pidgin-otr.
>
> - Ian

From mwirth at adobe.com Tue May 27 18:45:33 2008
From: mwirth at adobe.com (Mike Wirth)
Date: Tue, 27 May 2008 15:45:33 -0700
Subject: [OTR-users] Using OTR clients for visually impaired users?
Message-ID:

Folks,

I work with several visually impaired engineers here at Adobe Systems
(on ways to make Acrobat PDF files more accessible to the blind, of
course). We have an internal Jabber server, which is normally used for
work-related IM traffic, and which is also available when offsite (over
VPN). But of the known IM clients, the only one which is accessible to
blind users (via screen reader software, e.g., JAWS on Windows) is AIM.

One solution for us to communicate might be to use AOL IM accounts. But
this exposes work-related traffic to the open Internet. Therefore, I'd
like to use OTR to encrypt the AIM traffic to and from the AIM server.

Additional complications:
* I'm typically running Adium on a Mac at my end which shouldn't be an
  issue for OTR and which allows me to talk to people on the internal
  Jabber server, as well as AOL IM, simultaneously.
* Both I and the blind user may be remote, i.e., connected via VPN,
  which may complicate the proxy configuration.

My questions:
1. Is there a Jabber client which is "accessible" (i.e., usable via a
   screen reader)? If so, this would be the simplest solution.
2. If not, and we have to use AIM, what's the appropriate OTR setup?
   Something like:

---------------.....

{Internet}...-------...{Internet}...---------

Any advice would be appreciated,

Mike Wirth

From ian at cypherpunks.ca Tue May 27 20:13:46 2008
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 27 May 2008 20:13:46 -0400
Subject: [OTR-users] Using OTR clients for visually impaired users?
In-Reply-To:
References:
Message-ID: <20080528001346.GH30190@yoink.cs.uwaterloo.ca>

On Tue, May 27, 2008 at 03:45:33PM -0700, Mike Wirth wrote:
> Folks,
>
> I work with several visually impaired engineers here at Adobe Systems (on
> ways to make Acrobat PDF files more accessible to the blind, of course). We
> have an internal Jabber server, which is normally used for work-related IM
> traffic, and which is also available when offsite (over VPN). But of the
> known IM clients, the only one which is accessible to blind users (via
> screen reader software, e.g., JAWS on Windows) is AIM.
>
> One solution for us to communicate might be to use AOL IM accounts. But
> this exposes work-related traffic to the open Internet. Therefore, I'd like
> to use OTR to encrypt the AIM traffic to and from the AIM server.
>
> Additional complications:
> * I'm typically running Adium on a Mac at my end which shouldn't be an issue
> for OTR and which allows me to talk to people on the internal Jabber server,
> as well as AOL IM, simultaneously.
> * Both I and the blind user may be remote, i.e., connected via VPN, which
> may complicate the proxy configuration.
>
> My questions:
> 1. Is there a Jabber client which is "accessible" (i.e., usable via a screen
> reader)? If so, this would be the simplest solution.
> 2. If not, and we have to use AIM, what's the appropriate OTR setup?
> Something like:
>
> ------ proxy>---------.....
>
> {Internet}...-------...{Internet}... connection>---------
>
> Any advice would be appreciated,

Interesting question. Would a command-line OTR-aware client like climm
be easier for a screen reader to handle?

   - Ian

From js-otrim at webkeks.org Wed May 28 09:55:27 2008
From: js-otrim at webkeks.org (Jonathan Schleifer)
Date: Wed, 28 May 2008 15:55:27 +0200
Subject: [OTR-users] Using OTR clients for visually impaired users?
In-Reply-To:
References:
Message-ID: <20080528155527.1a6811b1@webkeks.org>

Have a look at mcabber.
It is a console-based Jabber client which also supports OTR. If you have
to use Windows machines, you could just set up a server in the internal
network that runs mcabber for those, so they can ssh to it.

I don't know how easy to use that would be for visually impaired users,
but I have often read that console programs on a unix are the easiest to
use for them.

--
Jonathan