From npk.gangadhar at gmail.com Mon Sep 6 10:10:46 2010
From: npk.gangadhar at gmail.com (Gangadhar Nittala)
Date: Mon, 6 Sep 2010 10:10:46 -0400
Subject: [OTR-users] pidgin-otr installer unable to find pidgin on Windows
Message-ID:

All,

I have been using pidgin-otr for a while now. I just reinstalled my OS
and so reinstalled pidgin too (pidgin 2.7.3). When I try to install
pidgin-otr, the installer (this is Windows Vista) complains that it
could not locate pidgin. When I installed pidgin-otr earlier I never
faced this issue (I installed pidgin-otr on multiple Windows machines
and never faced this problem).

Can you please let me know what I can do to make the pidgin-otr
installer see the pidgin install location ? I didn't know how to get
the debug output from the pidgin-otr installer for me to attach to the
post.

OS: Windows Vista
pidgin installation folder: c:\users\username\program files\pidgin

I checked the OTR site to look for DLL files that I could download and
register, but there seem to be none. Can you please help ?

Thank you
Gangadhar

From ian at cypherpunks.ca Mon Sep 6 10:29:58 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Mon, 6 Sep 2010 10:29:58 -0400
Subject: [OTR-users] pidgin-otr installer unable to find pidgin on Windows
In-Reply-To:
References:
Message-ID: <20100906142958.GD13241@yoink.cs.uwaterloo.ca>

On Mon, Sep 06, 2010 at 10:10:46AM -0400, Gangadhar Nittala wrote:
> All,
>
> I have been using pidgin-otr for a while now. I just reinstalled my OS
> and so reinstalled pidgin too (pidgin 2.7.3). When I try to install
> pidgin-otr, the installer (this is Windows Vista) complains that it
> could not locate pidgin. When I installed pidgin-otr earlier I never
> faced this issue (I installed pidgin-otr on multiple Windows machines
> and never faced this problem).
>
> Can you please let me know what I can do to make the pidgin-otr
> installer see the pidgin install location ?
> I didn't know how to get
> the debug output from the pidgin-otr installer for me to attach to the
> post.
>
> OS: Windows Vista
> pidgin installation folder: c:\users\username\program files\pidgin
>
> I checked the OTR site to look for DLL files that I could download and
> register, but there seem to be none. Can you please help ?

The installer seems to be looking for pidgin's installation directory
by checking the Software\pidgin registry entry. Is that entry not
present for you?

   - Ian

From npk.gangadhar at gmail.com Mon Sep 6 11:08:48 2010
From: npk.gangadhar at gmail.com (Gangadhar Nittala)
Date: Mon, 6 Sep 2010 11:08:48 -0400
Subject: [OTR-users] pidgin-otr installer unable to find pidgin on Windows
In-Reply-To: <20100906142958.GD13241@yoink.cs.uwaterloo.ca>
References: <20100906142958.GD13241@yoink.cs.uwaterloo.ca>
Message-ID:

Thank you for the reply Ian. I checked the registry and the pidgin key
is available here
HKEY_CURRENT_USER\Software\pidgin
And the (Default) key is set to the location of the pidgin
installation - C:\Users\username\program files\Pidgin

The HKLM (which IIRC) was the location for the earlier installations
doesn't seem to have the key
HKEY_LOCAL_MACHINE\Software\pidgin - doesn't exist.

I am not sure if this is something the pidgin folks changed recently.
Should I create an entry in HKLM\Software\pidgin identical to the one
in HKCU\Software\pidgin ? Would that be enough to install the plugin ?

Thank you
Gangadhar

On Mon, Sep 6, 2010 at 10:29 AM, Ian Goldberg wrote:
> On Mon, Sep 06, 2010 at 10:10:46AM -0400, Gangadhar Nittala wrote:
>> All,
>>
>> I have been using pidgin-otr for a while now. I just reinstalled my OS
>> and so reinstalled pidgin too (pidgin 2.7.3). When I try to install
>> pidgin-otr, the installer (this is Windows Vista) complains that it
>> could not locate pidgin. When I installed pidgin-otr earlier I never
>> faced this issue (I installed pidgin-otr on multiple Windows machines
>> and never faced this problem).
>>
>> Can you please let me know what I can do to make the pidgin-otr
>> installer see the pidgin install location ? I didn't know how to get
>> the debug output from the pidgin-otr installer for me to attach to the
>> post.
>>
>> OS: Windows Vista
>> pidgin installation folder: c:\users\username\program files\pidgin
>>
>> I checked the OTR site to look for DLL files that I could download and
>> register, but there seem to be none. Can you please help ?
>
> The installer seems to be looking for pidgin's installation directory
> by checking the Software\pidgin registry entry. Is that entry not
> present for you?
>
>    - Ian
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>

From ian at cypherpunks.ca Mon Sep 6 11:48:34 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Mon, 6 Sep 2010 11:48:34 -0400
Subject: [OTR-users] pidgin-otr installer unable to find pidgin on Windows
In-Reply-To:
References: <20100906142958.GD13241@yoink.cs.uwaterloo.ca>
Message-ID: <20100906154834.GG13241@yoink.cs.uwaterloo.ca>

On Mon, Sep 06, 2010 at 11:08:48AM -0400, Gangadhar Nittala wrote:
> Thank you for the reply Ian. I checked the registry and the pidgin key
> is available here
> HKEY_CURRENT_USER\Software\pidgin
> And the (Default) key is set to the location of the pidgin
> installation - C:\Users\username\program files\Pidgin
>
> The HKLM (which IIRC) was the location for the earlier installations
> doesn't seem to have the key
> HKEY_LOCAL_MACHINE\Software\pidgin - doesn't exist.
>
> I am not sure if this is something the pidgin folks changed recently.
> Should I create an entry in HKLM\Software\pidgin identical to the one
> in HKCU\Software\pidgin ? Would that be enough to install the plugin ?

The installer is looking in both HKLM and HKCU for Software\pidgin.
So it looks like it should be finding the HKCU one. I don't know why it
wouldn't be.
But go ahead and try your idea and see if it works.

If not, you may need to grab the zip file instead of the installer, and
put the files in the right places yourself?

http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip

[ http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip.asc
is the PGP signature for that file.]

   - Ian

From npk.gangadhar at gmail.com Mon Sep 6 12:26:59 2010
From: npk.gangadhar at gmail.com (Gangadhar Nittala)
Date: Mon, 6 Sep 2010 12:26:59 -0400
Subject: [OTR-users] pidgin-otr installer unable to find pidgin on Windows
In-Reply-To: <20100906154834.GG13241@yoink.cs.uwaterloo.ca>
References: <20100906142958.GD13241@yoink.cs.uwaterloo.ca> <20100906154834.GG13241@yoink.cs.uwaterloo.ca>
Message-ID:

I added the HKLM\Software\pidgin entry in the registry and the
installer was able to find the pidgin location and the installation
went fine. I was able to import my backed up .purple directory and the
known fingerprints were recognized. Thank you for your help Ian.

Also, I want to document the procedure for a non-installer version of
the plugin. Please let me know if the following steps are what the
installer does
1. Create a pidgin-otr folder to store the pidgin-otr specific files
2. Download the pidgin-otr-3.2.0 from here -
http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip
3. Extract the contents of the folder into the pidgin-otr folder
4. Copy the pidgin-otr.dll to the plugins folder of the directory
where pidgin was installed

What I am not sure of though is
1. Are the locale entries required ? After the installation succeeded,
in the pidgin-otr folder I don't see the locale folder
2. How does pidgin know to check the otr_* files that are present in
the pidgin-otr installation directory ? I am not sure how pidgin uses
them.

Also, if you can please add a link on the home page to download the
Windows binaries too (alongside the source tarball), it will be
helpful.
Thanks a lot for your help,
Gangadhar

On Mon, Sep 6, 2010 at 11:48 AM, Ian Goldberg wrote:
> On Mon, Sep 06, 2010 at 11:08:48AM -0400, Gangadhar Nittala wrote:
>> Thank you for the reply Ian. I checked the registry and the pidgin key
>> is available here
>> HKEY_CURRENT_USER\Software\pidgin
>> And the (Default) key is set to the location of the pidgin
>> installation - C:\Users\username\program files\Pidgin
>>
>> The HKLM (which IIRC) was the location for the earlier installations
>> doesn't seem to have the key
>> HKEY_LOCAL_MACHINE\Software\pidgin - doesn't exist.
>>
>> I am not sure if this is something the pidgin folks changed recently.
>> Should I create an entry in HKLM\Software\pidgin identical to the one
>> in HKCU\Software\pidgin ? Would that be enough to install the plugin ?
>
> The installer is looking in both HKLM and HKCU for Software\pidgin.
> So it looks like it should be finding the HKCU one. I don't know why it
> wouldn't be. But go ahead and try your idea and see if it works.
>
> If not, you may need to grab the zip file instead of the installer, and
> put the files in the right places yourself?
>
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip
>
> [ http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip.asc
> is the PGP signature for that file.]
>
>    - Ian

From mansourmoufid at gmail.com Mon Sep 6 22:32:20 2010
From: mansourmoufid at gmail.com (Mansour Moufid)
Date: Mon, 6 Sep 2010 22:32:20 -0400
Subject: [OTR-users] (mp)OTR beyond IM?
Message-ID:

Hello list,

Has anyone else thought about applying mpOTR to microblogging services
like StatusNet or Twitter?

Some people like to have two accounts on Twitter, for example: one
public, one "private".
If one could piggyback on existing social media
using mpOTR (and maybe ideas from TextSecure), there could be actual
privacy in those services. Message 'access control' (e.g. "A,B,C can
read this message but not D") could be emulated by thinking of
different, perhaps overlapping, social circles as participants in
ongoing "conversations"...

I'm not familiar with mpOTR, but given the demand for privacy in
social media (Diaspora), it might be a promising idea. What does
everyone think, would it be possible?

--
Mansour Moufid

From ian at cypherpunks.ca Tue Sep 7 08:05:03 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 7 Sep 2010 08:05:03 -0400
Subject: [OTR-users] (mp)OTR beyond IM?
In-Reply-To:
References:
Message-ID: <20100907120503.GA25749@thunk.cs.uwaterloo.ca>

On Mon, Sep 06, 2010 at 10:32:20PM -0400, Mansour Moufid wrote:
> Hello list,
>
> Has anyone else thought about applying mpOTR to microblogging services
> like StatusNet or Twitter?
>
> Some people like to have two accounts on Twitter, for example: one
> public, one "private". If one could piggyback on existing social media
> using mpOTR (and maybe ideas from TextSecure), there could be actual
> privacy in those services. Message 'access control' (e.g. "A,B,C can
> read this message but not D") could be emulated by thinking of
> different, perhaps overlapping, social circles as participants in
> ongoing "conversations"...
>
> I'm not familiar with mpOTR, but given the demand for privacy in
> social media (Diaspora), it might be a promising idea. What does
> everyone think, would it be possible?

There are a couple of projects on putting access control on things like
Facebook wall posts, which is similar. (FlyByNight, FaceCloak, etc.) I
think the UI for controlling who gets to see what would be the critical
part here. I seem to recall that the project presented at HotPETs
2009 [1] had some kind of slick way to learn groups/filters.
   - Ian

[1] http://www.cosic.esat.kuleuven.be/publications/article-1240.pdf

From casmls at gmail.com Tue Sep 7 10:24:03 2010
From: casmls at gmail.com (Christoph A.)
Date: Tue, 07 Sep 2010 16:24:03 +0200
Subject: [OTR-users] mpOTR Scalability
Message-ID: <4C864B03.4040708@gmail.com>

Hi,

do you have some raw figures how well mpOTR will scale?

As the setup phase contains steps that need to be done in a pairwise
fashion I'm focusing on the scalability of this phase and the DSKE().

Given n participants the total amount of AuthUser() executions for all
users together is n*(n-1)/2
(Depending on your view and definition of AuthUser() "/2" is discussable.)

An important property is that AuthUser() is non-blocking and Alice can
execute multiple instances of them in parallel to reduce total amount of
time spent for DSKE().

Alice doesn't need to wait until AuthUser(Bob) is finished before she
can start AuthUser(Charlie).

Did you make some raw estimates (or requirements) when designing mpOTR?

For example something like: "The Setup-Phase in a room with 10
participants will take ~22 seconds, given recent notebooks and an
average network latency of 60 milliseconds".

The time spent for the generation of the ephemeral signing key might
also be a considerable part of the setup-phase.

It would be interesting to hear from you (mpOTR designers).

kind regards,
Christoph
--
example for 10 participants:
10*9/2 = 45 AuthUser() instances
AuthUser() generates 4 packets (without denAKE())
45x4=180 packets in total
36 packets per participant (18 sending + 18 receiving)
...but I don't know the size of such packets.

From mansourmoufid at gmail.com Tue Sep 7 11:13:27 2010
From: mansourmoufid at gmail.com (Mansour Moufid)
Date: Tue, 7 Sep 2010 11:13:27 -0400
Subject: [OTR-users] (mp)OTR beyond IM?
In-Reply-To: <20100907120503.GA25749@thunk.cs.uwaterloo.ca>
References: <20100907120503.GA25749@thunk.cs.uwaterloo.ca>
Message-ID:

On Tue, Sep 7, 2010 at 8:05 AM, Ian Goldberg wrote:
> There are a couple of projects on putting access control on things like
> Facebook wall posts, which is similar. (FlyByNight, FaceCloak, etc.) I
> think the UI for controlling who gets to see what would be the critical
> part here. I seem to recall that the project presented at HotPETs
> 2009 [1] had some kind of slick way to learn groups/filters.
>
>    - Ian
>
> [1] http://www.cosic.esat.kuleuven.be/publications/article-1240.pdf

That does sound like an interesting problem.

Thanks very much for the information, I look forward to reading about
it all.

--
Mansour Moufid

From ian at cypherpunks.ca Wed Sep 8 08:08:09 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Wed, 8 Sep 2010 08:08:09 -0400
Subject: [OTR-users] mpOTR Scalability
In-Reply-To: <4C864B03.4040708@gmail.com>
References: <4C864B03.4040708@gmail.com>
Message-ID: <20100908120809.GA6389@thunk.cs.uwaterloo.ca>

On Tue, Sep 07, 2010 at 04:24:03PM +0200, Christoph A. wrote:
> Hi,
>
> do you have some raw figures how well mpOTR will scale?
>
> As the setup phase contains steps that need to be done in a pairwise
> fashion I'm focusing on the scalability of this phase and the DSKE().
>
> Given n participants the total amount of AuthUser() executions for all
> users together is n*(n-1)/2
> (Depending on your view and definition of AuthUser() "/2" is discussable.)
>
> An important property is that AuthUser() is non-blocking and Alice can
> execute multiple instances of them in parallel to reduce total amount of
> time spent for DSKE().
>
> Alice doesn't need to wait until AuthUser(Bob) is finished before she
> can start AuthUser(Charlie).
>
> Did you make some raw estimates (or requirements) when designing mpOTR?
>
> For example something like: "The Setup-Phase in a room with 10
> participants will take ~22 seconds, given recent notebooks and an
> average network latency of 60 milliseconds".

No, the design didn't have requirements like that.

> The time spent for the generation of the ephemeral signing key might
> also be a considerable part of the setup-phase.

I don't know why this would necessarily be. For any DL-based signature
scheme, for example, key generation is one modexp. (Current OTR uses
DSS, which has this property.) Only for RSA-based schemes is key
generation slow.

> It would be interesting to hear from you (mpOTR designers).
>
> kind regards,
> Christoph
> --
> example for 10 participants:
> 10*9/2 = 45 AuthUser() instances
> AuthUser() generates 4 packets (without denAKE())
> 45x4=180 packets in total
> 36 packets per participant (18 sending + 18 receiving)
> ...but I don't know the size of such packets.

In practice, the size of the packets will be less of a problem than the
rate-limiting that some IM networks impose. On those networks, one will
have to be very careful about how fast the messages are sent.

Also important is the number of rounds of communication: being able to
blast out 18 messages and wait for their responses is different from
exchanging 18 messages and responses one at a time.

   - Ian

From casmls at gmail.com Thu Sep 9 13:42:51 2010
From: casmls at gmail.com (Christoph A.)
Date: Thu, 09 Sep 2010 19:42:51 +0200
Subject: [OTR-users] mpOTR Scalability
In-Reply-To: <20100908120809.GA6389@thunk.cs.uwaterloo.ca>
References: <4C864B03.4040708@gmail.com> <20100908120809.GA6389@thunk.cs.uwaterloo.ca>
Message-ID: <4C891C9B.1030108@gmail.com>

On 09/08/2010 02:08 PM, Ian Goldberg wrote:
>> Did you make some raw estimates (or requirements) when designing mpOTR?
>> >
>> > For example something like: "The Setup-Phase in a room with 10
>> > participants will take ~22 seconds, given recent notebooks and an
>> > average network latency of 60 milliseconds".
> No, the design didn't have requirements like that.
>
>> > The time spent for the generation of the ephemeral signing key might
>> > also be a considerable part of the setup-phase.
> I don't know why this would necessarily be. For any DL-based signature
> scheme, for example, key generation is one modexp. (Current OTR uses
> DSS, which has this property.) Only for RSA-based schemes is key
> generation slow.
>
>> > It would be interesting to hear from you (mpOTR designers).
>> >
>> > kind regards,
>> > Christoph
>> > --
>> > example for 10 participants:
>> > 10*9/2 = 45 AuthUser() instances
>> > AuthUser() generates 4 packets (without denAKE())
>> > 45x4=180 packets in total
>> > 36 packets per participant (18 sending + 18 receiving)
>> > ...but I don't know the size of such packets.
> In practice, the size of the packets will be less of a problem than the
> rate-limiting that some IM networks impose. On those networks, one will
> have to be very careful about how fast the messages are sent.
>
> Also important is the number of rounds of communication: being able to
> blast out 18 messages and wait for their responses is different from
> exchanging 18 messages and responses one at a time.

Thank you for your input!
Christoph
From dkg at fifthhorseman.net Fri Sep 10 03:50:32 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 10 Sep 2010 03:50:32 -0400
Subject: [OTR-users] mpOTR: replay attacks from insiders
In-Reply-To: <4C7BE14F.5040005@ucdavis.edu>
References: <4C7AC3EC.6000202@gmail.com> <4C7AD98B.1050503@gmail.com> <20100829212358.mf6jn9ckw048gsgk@mathgrad.net> <4C7BD2DF.2010004@gmail.com> <4C7BE14F.5040005@ucdavis.edu>
Message-ID: <4C89E348.602@fifthhorseman.net>

On 08/30/2010 12:50 PM, Matthew Van Gundy wrote:
> I think posting questions to otr-users or, perhaps, otr-dev is useful
> because it gives others the benefit of learning from previous
> discussions. If the regular users of either list feel like the
> information is off-topic, perhaps we can set up another public list
> specifically for mpOTR discussion.

If my opinion counts for anything, i'd very much prefer to keep these
messages on-list.

I appreciate following the discussion, even if i haven't been able to
contribute anything as of yet.

--dkg

From l.dobrev at gmail.com Mon Sep 13 07:00:28 2010
From: l.dobrev at gmail.com (Lachezar Dobrev)
Date: Mon, 13 Sep 2010 14:00:28 +0300
Subject: [OTR-users] Pidgin Plugin should ignore XMPP Resource for verification
Message-ID:

When remembering contacts' fingerprints Pidgin OTR Plug-in should
ignore the Resource part of the account, since it can be changed
without any significant impact.

Currently when changing resource on the same account I have to
verify fingerprints for my contacts again, even though they have the
same fingerprint and account, which seems extraneous, and frankly
raises a false-positive alarm for eavesdropping.
Please excuse me if this has been discussed, I was unable to find
any reference to this "issue".

From bdm at fenrir.org.uk Mon Sep 13 07:43:34 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Mon, 13 Sep 2010 12:43:34 +0100
Subject: [OTR-users] Pidgin Plugin should ignore XMPP Resource for verification
In-Reply-To:
References:
Message-ID: <20100913124334.00004fd8@surtees.fenrir.org.uk>

On Mon, 13 Sep 2010 14:00:28 +0300
Lachezar Dobrev wrote:

> Currently when changing resource on the same account I have to
> verify fingerprints for my contacts again, even though they have the
> same fingerprint and account, which seems extraneous, and frankly
> raises a false-positive alarm for eavesdropping.

Well, it draws your attention to the change, and perhaps makes you
question whether it's genuinely the same person you're talking to....

--
Brian Morrison

From ian at cypherpunks.ca Mon Sep 13 21:32:19 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Mon, 13 Sep 2010 21:32:19 -0400
Subject: [OTR-users] Pidgin Plugin should ignore XMPP Resource for verification
In-Reply-To: <20100913124334.00004fd8@surtees.fenrir.org.uk>
References: <20100913124334.00004fd8@surtees.fenrir.org.uk>
Message-ID: <20100914013219.GP31490@yoink.cs.uwaterloo.ca>

On Mon, Sep 13, 2010 at 12:43:34PM +0100, Brian Morrison wrote:
> On Mon, 13 Sep 2010 14:00:28 +0300
> Lachezar Dobrev wrote:
>
> > Currently when changing resource on the same account I have to
> > verify fingerprints for my contacts again, even though they have the
> > same fingerprint and account, which seems extraneous, and frankly
> > raises a false-positive alarm for eavesdropping.
>
> Well, it draws your attention to the change, and perhaps makes you
> question whether it's genuinely the same person you're talking to....

I would expect different resources to have different keys as well,
unless they've manually copied around their private key file?
   - Ian

From mhkhung at gmail.com Mon Sep 13 21:59:06 2010
From: mhkhung at gmail.com (Michael Hung)
Date: Mon, 13 Sep 2010 21:59:06 -0400
Subject: [OTR-users] Packet order
Message-ID:

Is the order of packet arrival important? When implemented in a mobile
environment, say otr-over-sms, packets may arrive (slightly) out-of-order or
even lost.
Does or how does the otr protocol handle it?

If the otr protocol cannot handle out-of-order or lost packets, can it be
modified to handle these scenarios?

(Obviously we can put a reliable layer on top of plaintext sms too, but it's
a lot of work not normally needed...)

Michael

From l.dobrev at gmail.com Tue Sep 14 02:46:46 2010
From: l.dobrev at gmail.com (Lachezar Dobrev)
Date: Tue, 14 Sep 2010 09:46:46 +0300
Subject: [OTR-users] Pidgin Plugin should ignore XMPP Resource for verification
In-Reply-To: <20100914013219.GP31490@yoink.cs.uwaterloo.ca>
References: <20100913124334.00004fd8@surtees.fenrir.org.uk> <20100914013219.GP31490@yoink.cs.uwaterloo.ca>
Message-ID:

While this MAY be true if the actual messenger instance is
physically different, that may not be the case always. Consider my
case, where I have a laptop that I move with, and depending on whether
I am home, or at work the resource is changed accordingly.

However you too are missing my point.

What I was referring is to the verification status of OTHER people's
keys, that SHOULD NOT take MY resource into consideration.

2010/9/14 Ian Goldberg :
> On Mon, Sep 13, 2010 at 12:43:34PM +0100, Brian Morrison wrote:
>> On Mon, 13 Sep 2010 14:00:28 +0300
>> Lachezar Dobrev wrote:
>>
>> > Currently when changing resource on the same account I have to
>> > verify fingerprints for my contacts again, even though they have the
>> > same fingerprint and account, which seems extraneous, and frankly
>> > raises a false-positive alarm for eavesdropping.
>>
>> Well, it draws your attention to the change, and perhaps makes you
>> question whether it's genuinely the same person you're talking to....
>
> I would expect different resources to have different keys as well,
> unless they've manually copied around their private key file?
>
>    - Ian

From ian at cypherpunks.ca Tue Sep 14 21:46:00 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 14 Sep 2010 21:46:00 -0400
Subject: [OTR-users] Pidgin Plugin should ignore XMPP Resource for verification
In-Reply-To:
References: <20100913124334.00004fd8@surtees.fenrir.org.uk> <20100914013219.GP31490@yoink.cs.uwaterloo.ca>
Message-ID: <20100915014600.GA31490@yoink.cs.uwaterloo.ca>

On Tue, Sep 14, 2010 at 09:46:46AM +0300, Lachezar Dobrev wrote:
> While this MAY be true if the actual messenger instance is
> physically different, that may not be the case always. Consider my
> case, where I have a laptop that I move with, and depending on whether
> I am home, or at work the resource is changed accordingly.
>
> However you too are missing my point.
>
> What I was referring is to the verification status of OTHER people's
> keys, that SHOULD NOT take MY resource into consideration.

Ah, I see what you're saying. So you have multiple accounts in your
pidgin, with the same username but different resources? Yes, I guess it
would behave the way you say, and indeed, it probably shouldn't.

One problem would be that the account name is "user at hostname/resource"
for XMPP (prpl-jabber), and there would have to be code that "knew" that
for the special case of prpl-jabber, this should be canonicalized to
"user at hostname". It's been a long time since I looked at the pidgin
internals. There may already be canonicalization functions for every
prpl; I don't remember.
   - Ian

From ian at cypherpunks.ca Tue Sep 14 21:57:21 2010
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 14 Sep 2010 21:57:21 -0400
Subject: [OTR-users] Packet order
In-Reply-To:
References:
Message-ID: <20100915015721.GB31490@yoink.cs.uwaterloo.ca>

On Mon, Sep 13, 2010 at 09:59:06PM -0400, Michael Hung wrote:
> Is the order of packet arrival important? When implemented in a mobile
> environment, say otr-over-sms, packets may arrive (slightly) out-of-order or
> even lost.
> Does or how does the otr protocol handle it?
>
> If the otr protocol cannot handle out-of-order or lost packets, can it be
> modified to handle these scenarios?
>
> (Obviously we can put a reliable layer on top of plaintext sms too, but it's
> a lot of work not normally needed...)

OTR strongly relies on the underlying IM protocol delivering messages in
order (though it is allowed to drop messages). When we designed it, we
figured that an IM protocol that reordered messages would make for
really bizarre conversations:

A: Are you going to the game?
B: Yes
A: How about the party?
B: No

If B's messages might be reordered, this would be crazy.

That said, it turns out some IM networks *do* reorder messages. (Second
Life is one example.) OTR treats out-of-order packets as replays and
drops the messages. I don't know that I'd *want* OTR to pass messages
to the application layer out of order, though, as above. I'd prefer it
ordered them correctly first, but that can't really happen if messages
may be lost.

I guess what I really want is for IM networks to not reorder packets.
;-)

   - Ian

From paul at darkrain42.org Tue Sep 14 22:03:03 2010
From: paul at darkrain42.org (Paul Aurich)
Date: Tue, 14 Sep 2010 19:03:03 -0700
Subject: [OTR-users] Pidgin Plugin should ignore XMPP Resource for verification
In-Reply-To: <20100915014600.GA31490@yoink.cs.uwaterloo.ca>
References: <20100913124334.00004fd8@surtees.fenrir.org.uk> <20100914013219.GP31490@yoink.cs.uwaterloo.ca> <20100915014600.GA31490@yoink.cs.uwaterloo.ca>
Message-ID: <4C902957.4070909@darkrain42.org>

On 2010-09-14 18:46, Ian Goldberg wrote:
> One problem would be that the account name is "user at hostname/resource"
> for XMPP (prpl-jabber), and there would have to be code that "knew" that
> for the special case of prpl-jabber, this should be canonicalized to
> "user at hostname". It's been a long time since I looked at the pidgin
> internals. There may already be canonicalization functions for every
> prpl; I don't remember.

purple_normalize() will do this -- internally, it calls a per-prpl
normalization function; the one for XMPP generates a bare JID.

~Paul

From otr at brighterplanet.com Tue Sep 21 15:47:32 2010
From: otr at brighterplanet.com (Andy Rossmeissl)
Date: Tue, 21 Sep 2010 12:47:32 -0700
Subject: [OTR-users] "Your message was not sent"
Message-ID: <4C990BD4.3010701@brighterplanet.com>

Hello,

Please forgive me if this has already been discussed on the list.

Let's say I'm having a private conversation with a friend via Pidgin. He
quits his IM client. I receive a message saying that he "has ended his/her
private conversation with you; you should do the same." Later, he restarts
his IM client and I attempt to send him a message. My message is discarded
and in its place I find an error message: "Your message was not sent.
Either end your private conversation, or restart it."
At this point I have
to grab my mouse, head up to the OTR menu, restart the private conversation,
recall my unsent message (luckily Pidgin remembers it), and re-send.

This happens to me I don't know how many times per day. A very large number
of Adium users have reported the issue at [1], and a bug was opened with
Pidgin [2], but the buck tossed immediately to OTR.

The problem is that the conversation state is stuck in limbo. Either of
these alternatives is preferable:

a) When my friend quits his IM client, thereby ending our private
conversation, my client should automatically end it on my end as well, or

b) when I send my message after he has restarted his client, my client
should recognize the privacy-state mismatch, attempt to restart the private
conversation, and send the message only at that point.

I recognize the risk in option (a): Having missed the notice about the
private conversation ending, I could inadvertently send a sensitive message
to my friend in cleartext.

I don't see the risk in option (b). Of all the times you folks have
received this error, after how many of them did you *not* fumble around for
the "restart private conversation" command?

Unfortunately I'm not a C developer, so I regret not being able to
contribute a patch. But I would certainly contribute to a bounty for a fix
to this.
Best,
Andy

[1] http://trac.adium.im/ticket/6742
[2] http://developer.pidgin.im/ticket/6431

From j-n at john-nicholas.net Tue Sep 21 16:50:56 2010
From: j-n at john-nicholas.net (John-Nicholas Furst)
Date: Tue, 21 Sep 2010 16:50:56 -0400
Subject: [OTR-users] "Your message was not sent"
In-Reply-To: <4C990BD4.3010701@brighterplanet.com>
References: <4C990BD4.3010701@brighterplanet.com>
Message-ID:

Option B does sound like the best bet, but to confirm my understanding of
the OTR protocol, shouldn't sending the message after the other end quits
still be encrypted on your end such that if anyone were to intercept either
in between or on his end it would not be in plain text but in encrypted
un-intelligible text?

John

On Tue, Sep 21, 2010 at 3:47 PM, Andy Rossmeissl wrote:
> Hello,
>
> Please forgive me if this has already been discussed on the list.
>
> Let's say I'm having a private conversation with a friend via Pidgin. He
> quits his IM client. I receive a message saying that he "has ended his/her
> private conversation with you; you should do the same." Later, he restarts
> his IM client and I attempt to send him a message. My message is discarded
> and in its place I find an error message: "Your message was not sent.
> Either end your private conversation, or restart it." At this point I have
> to grab my mouse, head up to the OTR menu, restart the private conversation,
> recall my unsent message (luckily Pidgin remembers it), and re-send.
>
> This happens to me I don't know how many times per day. A very large number
> of Adium users have reported the issue at [1], and a bug was opened with
> Pidgin [2], but the buck tossed immediately to OTR.
>
> The problem is that the conversation state is stuck in limbo.
> Either of
> these alternatives is preferable:
>
> a) When my friend quits his IM client, thereby ending our private
> conversation, my client should automatically end it on my end as well, or
>
> b) when I send my message after he has restarted his client, my client
> should recognize the privacy-state mismatch, attempt to restart the private
> conversation, and send the message only at that point.
>
> I recognize the risk in option (a): Having missed the notice about the
> private conversation ending, I could inadvertently send a sensitive message
> to my friend in cleartext.
>
> I don't see the risk in option (b). Of all the times you folks have
> received this error, after how many of them did you *not* fumble around for
> the "restart private conversation" command?
>
> Unfortunately I'm not a C developer, so I regret not being able to
> contribute a patch. But I would certainly contribute to a bounty for a fix
> to this.
>
> Best,
> Andy
>
> [1] http://trac.adium.im/ticket/6742
> [2] http://developer.pidgin.im/ticket/6431

From webd0012 at fastmail.fm Sun Sep 26 03:20:10 2010
From: webd0012 at fastmail.fm (webd0012)
Date: Sun, 26 Sep 2010 03:20:10 -0400
Subject: [OTR-users] Pidgin OTR on 64-Bit Windows 7?
Message-ID: <1285485610.15401.1396911721@webmail.messagingengine.com>

I hope I'm posting this question in the correct place. Does Pidgin Off
the Record run on 64-Bit Windows 7? I'm helping someone set it up on
their computer. I tried downloading the Win32 exe file and it says it
can't find Pidgin, though Pidgin is installed. I wasn't able to find an
answer on the site or in Google.
--
webd0012
webd0012 at fastmail.fm

From gilles at gravier.org Sun Sep 26 04:38:19 2010
From: gilles at gravier.org (Gilles Gravier)
Date: Sun, 26 Sep 2010 10:38:19 +0200
Subject: [OTR-users] Pidgin OTR on 64-Bit Windows 7?
In-Reply-To: <1285485610.15401.1396911721@webmail.messagingengine.com>
References: <1285485610.15401.1396911721@webmail.messagingengine.com>
Message-ID: <4C9F067B.8010309@Gravier.org>

Runs fine on my Windows 7 in 64 bit mode.

Gilles.

On 26/09/2010 09:20, webd0012 wrote:
> I hope I'm posting this question in the correct place. Does Pidgin Off
> the Record run on 64-Bit Windows 7? I'm helping someone set it up on
> their computer. I tried downloading the Win32 exe file and it says it
> can't find Pidgin, though Pidgin is installed. I wasn't able to find an
> answer on the site or in Google.