From paul at cypherpunks.ca Tue Jun 1 09:39:51 2010
From: paul at cypherpunks.ca (Paul Wouters)
Date: Tue, 1 Jun 2010 09:39:51 -0400 (EDT)
Subject: [OTR-users] OTR for android mobiles
In-Reply-To: <20100529155513.GA87292@guilt.hydra>
References: <4BFCBEFB.8000402@inbox.com> <20100529155513.GA87292@guilt.hydra>
Message-ID:

On Sat, 29 May 2010, Chad Perrin wrote:

> I talked to Moxie in #whispersystems today. He is *not* intending to
> release either RedPhone or TextSecure under the terms of an open source
> license. He only means to make it available under the terms of a license
> that allows *auditing* the source code. I find that pretty
> disappointing, but it's better (for security purposes) than just keeping
> the source code entirely under wraps (as long as you trust him to use the
> source you can actually audit in his distributed applications).

But what's in it for the auditors? If he does not want to play with the
open source resources, why would the open source community help him out
audit his code? There are perfectly fine auditors you can buy if you are
a commercial company. I'm sad he chose to go that way.

As for redphone, I guess I just don't like the zphone "hack". I prefer a
real protocol over a "hook into existing protocols" hack. And we have
protocols that work fine for encrypting voice of streams. zphone is meant
to "catch" proprietary sip implementations and encrypt them. If you start
from scratch, you might as well just encrypt your sip stream.

Paul

From thesoulmarket at googlemail.com Tue Jun 1 14:46:16 2010
From: thesoulmarket at googlemail.com (D H)
Date: Tue, 1 Jun 2010 20:46:16 +0200
Subject: [OTR-users] OTR with pidgin, question
Message-ID:

Hello alltogether,

i newly use jabber with pidgin (on mac os x 1.4.11) and experience some
problems
with off the record - authentification. when i want to use
authentification settings - advanced, the window just disappears. Is this
a known bug?
I can enter "secrets" asked from me by others, but i cannot
ask them myself. Also when i authenticate a friend, she gets the message
"an error occurred during authentification"
my contacts mostly use linux or windows.

Pidgin crew tells me, it`s a third party plugin problem, and so I am here
now. ^^

Can you help me in this matter?

greetings,
D

From ian at cypherpunks.ca Tue Jun 1 16:29:18 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 1 Jun 2010 16:29:18 -0400
Subject: [OTR-users] OTR with pidgin, question
In-Reply-To:
References:
Message-ID: <20100601202918.GJ13858@yoink.cs.uwaterloo.ca>

On Tue, Jun 01, 2010 at 08:46:16PM +0200, D H wrote:
> Hello alltogether,
>
> i newly use jabber with pidgin (on mac os x 1.4.11) and experience some
> problems
> with off the record - authentification. when i want to use
> authentification settings - advanced, the window just disappears. Is this
> a known bug? I can enter "secrets" asked from me by others, but i cannot
> ask them myself. Also when i authenticate a friend, she gets the message
> "an error occurred during authentification"
> my contacts mostly use linux or windows.
>
> Pidgin crew tells me, it`s a third party plugin problem, and so I am here
> now. ^^

I suppose it could be. I didn't even know you *could* run pidgin on
osx. Do you know who built the pidgin-otr package you're using?
(What version of pidgin-otr is it?) Unfortunately, I don't have an osx
machine, so I've got no way to debug this myself.

   - Ian

From oscar at diedrichs.nu Wed Jun 2 01:05:42 2010
From: oscar at diedrichs.nu (Oscar Diedrichs)
Date: Wed, 2 Jun 2010 07:05:42 +0200
Subject: [OTR-users] OTR with pidgin, question
In-Reply-To: <20100601202918.GJ13858@yoink.cs.uwaterloo.ca>
References: <20100601202918.GJ13858@yoink.cs.uwaterloo.ca>
Message-ID: <54005196-C230-44BC-BBC7-BEE52122AE6F@diedrichs.nu>

Is there a reason for not using Adium?

mvh
Oscar Diedrichs

Oscar Diedrichs
+46(0)739186339
oscar at diedrichs.nu
Sval?vsv?gen 6
121 53 Johanneshov

On Jun 1, 2010, at 10:29 PM, Ian Goldberg wrote:

> On Tue, Jun 01, 2010 at 08:46:16PM +0200, D H wrote:
>> Hello alltogether,
>>
>> i newly use jabber with pidgin (on mac os x 1.4.11) and experience some
>> problems
>> with off the record - authentification. when i want to use
>> authentification settings - advanced, the window just disappears. Is this
>> a known bug? I can enter "secrets" asked from me by others, but i cannot
>> ask them myself. Also when i authenticate a friend, she gets the message
>> "an error occurred during authentification"
>> my contacts mostly use linux or windows.
>>
>> Pidgin crew tells me, it`s a third party plugin problem, and so I am here
>> now. ^^
>
> I suppose it could be. I didn't even know you *could* run pidgin on
> osx. Do you know who built the pidgin-otr package you're using?
> (What version of pidgin-otr is it?) Unfortunately, I don't have an osx
> machine, so I've got no way to debug this myself.
>
> - Ian

From Molafil21 at caramail.com Sat Jun 5 15:54:38 2010
From: Molafil21 at caramail.com (Molafil21 at caramail.com)
Date: Sat, 05 Jun 2010 21:54:38 +0200
Subject: [OTR-users] Various bugs with Pidgin (2.7.1)
Message-ID: <20100605195438.308650@gmx.com>

Hello.

I found various bugs with Pidgin (2.7.1) :

1. There is an error message when our contact uses the /nudge (msn) or /buzz (xmpp) commands ("Attention!" button). This one says that the message could not be encrypted.

2. At each installation of a new version of Pidgin, the icon of OTR is not any more there in the window of conversation.

3. 
When a contact has a disconnection, it would be necessary that OTR is disconnected automatically at the 2 contacts or that all is refreshed automatically everywhere.

Thanks.

From Molafil21 at caramail.com Sat Jun 5 16:00:25 2010
From: Molafil21 at caramail.com (Molafil21 at caramail.com)
Date: Sat, 05 Jun 2010 22:00:25 +0200
Subject: [OTR-users] Crash with the Windows version of Pidgin (Access Violation)
Message-ID: <20100605200356.308650@gmx.com>

Hi.

Could you go to see this problem (
http://developer.pidgin.im/ticket/12113 ), please?

Thanks.

From ian at cypherpunks.ca Sat Jun 5 21:33:23 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Sat, 5 Jun 2010 21:33:23 -0400
Subject: [OTR-users] Crash with the Windows version of Pidgin (Access Violation)
In-Reply-To: <20100605200356.308650@gmx.com>
References: <20100605200356.308650@gmx.com>
Message-ID: <20100606013323.GA28761@yoink.cs.uwaterloo.ca>

On Sat, Jun 05, 2010 at 10:00:25PM +0200, Molafil21 at caramail.com wrote:
> Hi.
>
> Could you go to see this problem (
> http://developer.pidgin.im/ticket/12113 ), please?

Yup, it looks like Pidgin 2.7.* changed something about how cleanup is
done when pidgin exits; it's possible pidgin-otr was relying on the old
behaviour.

I'd be very grateful if someone could track down the cause of this
problem. (Or even say whether it happens on Linux, or just on Windows.)

Thanks,

   - Ian

From ian at cypherpunks.ca Sat Jun 5 21:35:05 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Sat, 5 Jun 2010 21:35:05 -0400
Subject: [OTR-users] Various bugs with Pidgin (2.7.1)
In-Reply-To: <20100605195438.308650@gmx.com>
References: <20100605195438.308650@gmx.com>
Message-ID: <20100606013505.GB28761@yoink.cs.uwaterloo.ca>

On Sat, Jun 05, 2010 at 09:54:38PM +0200, Molafil21 at caramail.com wrote:
> Hello.
>
> I found various bugs with Pidgin (2.7.1) :
>
> 1. There is an error message when our contact uses the /nudge (msn) or /buzz (xmpp) commands ("Attention!" button). This one says that the message could not be encrypted.
>
> 2. At each installation of a new version of Pidgin, the icon of OTR is not any more there in the window of conversation.
>
> 3. When a contact has a disconnection, it would be necessary that OTR is disconnected automatically at the 2 contacts or that all is refreshed automatically everywhere.

It looks like 2.7.* changed some things. Hopefully someone can find
some time to take a look.

Thanks for reporting it!

   - Ian

From Molafil21 at caramail.com Sun Jun 6 08:10:08 2010
From: Molafil21 at caramail.com (Molafil21 at caramail.com)
Date: Sun, 06 Jun 2010 14:10:08 +0200
Subject: [OTR-users] Re : Re: Various bugs with Pidgin (2.7.1)
Message-ID: <20100606122047.308640@gmx.com>

On Sat, Jun 05, 2010 at 11:54:38PM +0200, ian at cypherpunks.ca wrote:
> On Sat, Jun 05, 2010 at 09:54:38PM +0200, Molafil21 at caramail.com wrote:
>> Hello.
>>
>> I found various bugs with Pidgin (2.7.1) :
>>
>> 1. There is an error message when our contact uses the /nudge (msn) or /buzz (xmpp) commands ("Attention!" button). This one says that the message could not be encrypted.
>>
>> 2. At each installation of a new version of Pidgin, the icon of OTR is not any more there in the window of conversation.
>>
>> 3. When a contact has a disconnection, it would be necessary that OTR is disconnected automatically at the 2 contacts or that all is refreshed automatically everywhere.
>
> It looks like 2.7.* changed some things. Hopefully someone can find
> some time to take a look.

In fact, separately the first bug, the two others were already there since the 2.5.8, at least.

--
Molafil21

From Molafil21 at caramail.com Sun Jun 6 08:42:05 2010
From: Molafil21 at caramail.com (Molafil21 at caramail.com)
Date: Sun, 06 Jun 2010 14:42:05 +0200
Subject: [OTR-users] Re : Re: Crash with the Windows version of Pidgin (Access Violation)
Message-ID: <20100606124214.308620@gmx.com>

On Sat, Jun 05, 2010 at 11:00:25PM +0200, ian at cypherpunks.ca wrote:
> On Sat, Jun 05, 2010 at 10:00:25PM +0200, Molafil21 at caramail.com wrote:
>> Hi.
>>
>> Could you go to see this problem (
>> http://developer.pidgin.im/ticket/12113 ), please?
>
> Yup, it looks like Pidgin 2.7.* changed something about how cleanup is
> done when pidgin exits; it's possible pidgin-otr was relying on the old
> behaviour.
>
> I'd be very grateful if someone could track down the cause of this
> problem. (Or even say whether it happens on Linux, or just on Windows.)

I am under Windows XP SP3 and I have this problem. It was already there before the 2.7.*. I will do you a screenshot of the error message when that reproduces and will provide the pidgin.RPT and debug.log files.

--
Molafil21

From gdt at ir.bbn.com Tue Jun 8 20:20:20 2010
From: gdt at ir.bbn.com (Greg Troxel)
Date: Tue, 08 Jun 2010 20:20:20 -0400
Subject: [OTR-users] OTR with pidgin, question
References: <20100601202918.GJ13858@yoink.cs.uwaterloo.ca>
Message-ID:

I use pidgin on OS X by compiling from pkgsrc, which is the native pkg
system on netbsd and dragonfly, but also works on linux, solaris, and
osx. I only use this once in a while, but pidgin-otr builds fine.
But, it doesn't run because apparently the rpath-equivalent linking magic
isn't right, and it fails to find a gtk symbol.

From dclark at pobox.com Sun Jun 20 23:37:33 2010
From: dclark at pobox.com (Daniel Clark)
Date: Sun, 20 Jun 2010 23:37:33 -0400
Subject: [OTR-users] Reasonably secure conference / chat rooms now?
Message-ID:

Does anyone know of a way, using OTR related or other protocols, to do reasonably secure multi-party chat?
I found the mpOTR paper - http://www.cypherpunks.ca/~iang/pubs/mpotr.pdf - but could not find any software that implements the protocol.

Thanks for any leads,
--
\|/ Daniel JB Clark | Activist; Owner
FREEDOM -+-> INCLUDED ~ http://freedomincluded.com
/|\ Free Software respecting hardware

From paul at cypherpunks.ca Mon Jun 21 11:15:37 2010
From: paul at cypherpunks.ca (Paul Wouters)
Date: Mon, 21 Jun 2010 11:15:37 -0400 (EDT)
Subject: [OTR-users] Reasonably secure conference / chat rooms now?
In-Reply-To:
References:
Message-ID:

On Sun, 20 Jun 2010, Daniel Clark wrote:

> Does anyone know of a way, using OTR related or other protocols, to do reasonably secure multi-party chat?
> I found the mpOTR paper - http://www.cypherpunks.ca/~iang/pubs/mpotr.pdf - but could not find any software that implements the protocol.

Assuming you do not need deniability across multiple parties, the easy
answer would be using a dedicated jabber server/room that only allows
encrypted connections either via SSL or by only allowing VPN's
access to the jabber service.

That's what my company uses right now.

Paul

From gmaxwell at gmail.com Mon Jun 21 12:25:41 2010
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Mon, 21 Jun 2010 12:25:41 -0400
Subject: [OTR-users] Reasonably secure conference / chat rooms now?
In-Reply-To:
References:
Message-ID:

On Mon, Jun 21, 2010 at 11:15 AM, Paul Wouters wrote:
> On Sun, 20 Jun 2010, Daniel Clark wrote:
>
>> Does anyone know of a way, using OTR related or other protocols, to do
>> reasonably secure multi-party chat?
>> I found the mpOTR paper - http://www.cypherpunks.ca/~iang/pubs/mpotr.pdf -
>> but could not find any software that implements the protocol.
>
> Assuming you do not need deniability across multiple parties, the easy
> answer would be using a dedicated jabber server/room that only allows
> encrypted connections either via SSL or by only allowing VPN's
> access to the jabber service.
>
> That's what my company uses right now.

Like many things in security the real concerns and threats are not
black and white.

You may not need strong deniability, ... but on the other hand the
jabber server sees the cleartext of all participants and can be
configured to log it (I understand this is even seen as an advantage
of running your own jabber server). So it doesn't necessarily provide
any deniability or even confidentiality if an attacker is able to gain
access to the server, potentially in the far future.

I hope that the difficulty of hard deniability, which is a nice thing
to have but which has questionable _legal_ usefulness especially in
the multi-party context, isn't getting in the way of anyone developing
a solid multi-party chat protocol with strong group confidentiality.

From mdvangundy at ucdavis.edu Mon Jun 21 16:45:41 2010
From: mdvangundy at ucdavis.edu (Matthew Van Gundy)
Date: Mon, 21 Jun 2010 13:45:41 -0700
Subject: [OTR-users] Reasonably secure conference / chat rooms now?
In-Reply-To:
References:
Message-ID: <4C1FCF75.2080107@ucdavis.edu>

Gregory Maxwell wrote:
>>> Does anyone know of a way, using OTR related or other protocols, to do
>>> reasonably secure multi-party chat?
>>> I found the mpOTR paper - http://www.cypherpunks.ca/~iang/pubs/mpotr.pdf -
>>> but could not find any software that implements the protocol.

The cryptographic protocols we presented in that paper make certain
assumptions about the underlying communication medium. I'm finishing
work on the underlying protocol over this summer. Hopefully we can have
a beta sometime before the end of the year.

> You may not need strong deniability, ... but on the other hand the
> jabber server sees the cleartext of all participants and can be
> configured to log it (I understand this is even seen as an advantage
> of running your own jabber server). So it doesn't necessarily provide
> any deniability or even confidentiality if an attacker is able to gain
> access to the server, potentially in the far future.

Requiring a trusted server is a relevant concern. One of the primary
motivations for our Multi-party Off-the-Record protocol was to remove
the need for a trusted server. However, if you need a solution today, a
private jabber server is probably your best bet.

> I hope that the difficulty of hard deniability, which is a nice thing
> to have but which has questionable _legal_ usefulness especially in
> the multi-party context, isn't getting in the way of anyone developing
> a solid multi-party chat protocol with strong group confidentiality.

Actually, we've shown how to achieve strong deniability. The remaining
challenge that we are addressing is ensuring consensus among mutually
distrusting users without requiring a trusted server.

Cheers,
Matt

--
Matt Van Gundy
Ph.D. Student, University of California, Davis
http://goliath.cs.ucdavis.edu/~matt/

From mansourmoufid at gmail.com Tue Jun 22 00:16:09 2010
From: mansourmoufid at gmail.com (Mansour Moufid)
Date: Tue, 22 Jun 2010 00:16:09 -0400
Subject: [OTR-users] OTR file transfers (again)
Message-ID:

Hello list,

I remember this topic being discussed previously but I've lost the
thread. I wanted to share a simple idea:

To send a file, encode it into plain text (e.g. base64) and send it
over OTR as one big instant message.
Then the OTR plugin on the other
end could perhaps recognize some sort of marker (e.g. "THISISAFILE:"),
and rather than display the data, save it somewhere.

Seems this is how email attachments work, and OTR already handles
lengthy messages, if I understand correctly. Just a thought.

--
Mansour Moufid

From gmaxwell at gmail.com Tue Jun 22 00:23:42 2010
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Tue, 22 Jun 2010 00:23:42 -0400
Subject: [OTR-users] OTR file transfers (again)
In-Reply-To:
References:
Message-ID:

On Tue, Jun 22, 2010 at 12:16 AM, Mansour Moufid wrote:
> Hello list,
>
> I remember this topic being discussed previously but I've lost the
> thread. I wanted to share a simple idea:
>
> To send a file, encode it into plain text (e.g. base64) and send it
> over OTR as one big instant message. Then the OTR plugin on the other
> end could perhaps recognize some sort of marker (e.g. "THISISAFILE:"),
> and rather than display the data, save it somewhere.
>
> Seems this is how email attachments work, and OTR already handles
> lengthy messages, if I understand correctly. Just a thought.

Various IM systems rate limit messages sent through the service. The
limit is high enough to not normally impact conversations, but a file
transfer isn't going to work too well.

Normal IM file transfers run directly from client to client (with all
the resulting nat traversal problems and difficulty using OTR
transport)

From paul at cypherpunks.ca Tue Jun 22 12:58:48 2010
From: paul at cypherpunks.ca (Paul Wouters)
Date: Tue, 22 Jun 2010 12:58:48 -0400 (EDT)
Subject: [OTR-users] OTR file transfers (again)
In-Reply-To:
References:
Message-ID:

On Tue, 22 Jun 2010, Gregory Maxwell wrote:

>> To send a file, encode it into plain text (e.g. base64) and send it
>> over OTR as one big instant message. Then the OTR plugin on the other
>> end could perhaps recognize some sort of marker (e.g. "THISISAFILE:"),
>> and rather than display the data, save it somewhere.
>>
>> Seems this is how email attachments work, and OTR already handles
>> lengthy messages, if I understand correctly. Just a thought.
>
> Various IM systems rate limit messages sent through the service. The
> limit is high enough to not normally impact conversations, but a file
> transfer isn't going to work too well.
>
> Normal IM file transfers run directly from client to client (with all
> the resulting nat traversal problems and difficulty using OTR
> transport)

There is a proof of concept for file transfers using OTR at

https://gsoc.xelerance.com/projects/otr-symkey

Code is available at https://gsoc.xelerance.com/projects/otr-symkey/repository
and tar balls of libotr and pidgin-otr with this support are on ftp.xelerance.com

It still requires work. If someone has time, talk to Ian about the code.

Paul

From lance at thehaverkamps.net Tue Jun 22 13:18:28 2010
From: lance at thehaverkamps.net (Lance W. Haverkamp)
Date: Tue, 22 Jun 2010 11:18:28 -0600
Subject: [OTR-users] OTR file transfers (again)
In-Reply-To:
References:
Message-ID: <4C20F064.1000300@TheHaverkamps.net>

Forgive me for pointing-out the obvious but, "There's an app for that":
http://gnupg.org

Just in case we have new people on the list, the easy way to securely
transfer (or transport) is to use a free Open PGP application like
gnupg. I realize most of us already use it daily.

--
Thanks!
Lance W. Haverkamp
Lance at TheHaverkamps.net
Contact & encryption info:
http://thehaverkamps.net/?Lance:Contact_Me
http://facebook.com/LanceHaverkamp
<>< <>< <><

*** This email has been stamped using Penny Post. Stamping email helps combat spam.
Find out more about stamping your email at: http://pennypost.sourceforge.net

From paul at cypherpunks.ca Tue Jun 22 23:55:18 2010
From: paul at cypherpunks.ca (Paul Wouters)
Date: Tue, 22 Jun 2010 23:55:18 -0400 (EDT)
Subject: [OTR-users] OTR file transfers (again)
In-Reply-To: <4C20F064.1000300@TheHaverkamps.net>
References: <4C20F064.1000300@TheHaverkamps.net>
Message-ID:

On Tue, 22 Jun 2010, Lance W. Haverkamp wrote:

> Forgive me for pointing-out the obvious but, "There's an app for that":
> http://gnupg.org
>
> Just in case we have new people on the list, the easy way to securely
> transfer (or transport) is to use a free Open PGP application like
> gnupg. I realize most of us already use it daily.

OTR is meant for endusers, and is meant to be as transparent as possible for
them. Gnupg is a disaster with its options and key distribution issues for
those without a CS degree.

Paul

From gmaxwell at gmail.com Wed Jun 23 00:21:07 2010
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Wed, 23 Jun 2010 00:21:07 -0400
Subject: [OTR-users] OTR file transfers (again)
In-Reply-To:
References: <4C20F064.1000300@TheHaverkamps.net>
Message-ID:

On Tue, Jun 22, 2010 at 11:55 PM, Paul Wouters wrote:
> On Tue, 22 Jun 2010, Lance W. Haverkamp wrote:
>
>> Forgive me for pointing-out the obvious but, "There's an app for that":
>> http://gnupg.org
>>
>> Just in case we have new people on the list, the easy way to securely
>> transfer (or transport) is to use a free Open PGP application like
>> gnupg. I realize most of us already use it daily.
>
> OTR is meant for endusers, and is meant to be as transparent as possible for
> them. Gnupg is a disaster with its options and key distribution issues for
> those without a CS degree.

Absolutely. If all crypto is PGP then only crypto-fetishists will
make use of encryption.

I have only two regular contacts that I know could receive PGP
encrypted messages from me and wouldn't be annoyed by it, and one of
them is the woman I live with. ...
and it's inconvenient enough that
I don't use it even where I know I could.

By contrast, in the past 20 days I've communicated many times with 28
people via IM. 100% of these conversations have used OTR. Only a few
of my IM contacts don't use OTR. Few of these people are personally
interested in cryptography, though many have macs.

One of the funny things about privacy is that we tend to undervalue it
greatly until it's too late. We also undervalue other people's
privacy, which means that even though _I_ want crypto it's hard to
choose to use it because the other people I talk to often don't care
much.

OTR delivers on the dream of cryptography being available to people in
an impactful way that PGP never could.

Now we just need to bring OTR's benefits to more people and cover
other realtime communications modes (chats, file transfers)... expand
them to provide some resistance to traffic analysis... lots of
interesting and important work to do, hard work but work that provides
a real benefit especially to those who will never realize the benefit
that they are receiving.
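
The base64-plus-marker idea proposed earlier in this thread, sketched as an added example; it is not code from libotr, pidgin-otr or any poster. The function names, the 256 KiB receiver cap and the per-message character limit are assumptions made for illustration, and the receiver side treats the payload as untrusted input.

```python
import base64
import binascii
import hashlib
import math

MARKER = "THISISAFILE:"       # marker string suggested in the thread
MAX_FILE_BYTES = 256 * 1024   # assumed receiver-side cap (hypothetical policy value)


def encode_file_message(data: bytes) -> str:
    """Sender: wrap raw file bytes as one plain-text instant message."""
    return MARKER + base64.b64encode(data).decode("ascii")


def decode_file_message(message: str):
    """Receiver: return the file bytes, or None for an ordinary chat message.

    Raises ValueError when the marker is present but the payload is
    oversized or is not strict base64.
    """
    if not message.startswith(MARKER):
        return None
    payload = message[len(MARKER):]
    # Cheap length check first, so a grossly oversized payload is never decoded.
    if len(payload) > 4 * math.ceil(MAX_FILE_BYTES / 3):
        raise ValueError("payload exceeds receiver size cap")
    try:
        # validate=True rejects any character outside the base64 alphabet.
        data = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 payload") from exc
    if len(data) > MAX_FILE_BYTES:
        raise ValueError("decoded file exceeds receiver size cap")
    return data


def storage_name(data: bytes) -> str:
    """Receiver picks the file name from a content hash, so nothing the
    sender controls ever becomes part of a filesystem path."""
    return "otr-file-" + hashlib.sha256(data).hexdigest()[:16] + ".bin"


def messages_needed(file_size: int, max_message_chars: int) -> int:
    """Number of IM messages one file costs if the service caps message
    length at max_message_chars (a hypothetical per-service limit)."""
    encoded_len = len(MARKER) + 4 * math.ceil(file_size / 3)
    return math.ceil(encoded_len / max_message_chars)


if __name__ == "__main__":
    sample = b"constructed sample file contents\n" * 4   # constructed input
    msg = encode_file_message(sample)
    print(msg[:40] + "...")
    print(storage_name(decode_file_message(msg)))
    print(messages_needed(1_000_000, 2000), "messages for a 1 MB file")
```

Because the marker travels in-band, a chat message that a user types starting with the same string would also be handled as a file.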