From reagle at cepr.net Wed Nov 9 10:47:11 2011
From: reagle at cepr.net (Greg Reagle)
Date: Wed, 09 Nov 2011 10:47:11 -0500
Subject: [OTR-users] protecting the key
Message-ID: <4EBAA07F.7050306@cepr.net>

Greetings and salutations.

I have already searched http://www.cypherpunks.ca/otr/otr-codecon.pdf and
http://www.cypherpunks.ca/otr/index.php#faqs for the answer to my questions.
If they are answered in some other document, please point me to it, and
excuse me.

I am using:
$ COLUMNS=100 dpkg -l "*pidgin*" "*purple*"
||/ Name                Version
+++-===================-===================-
ii  libpurple-bin       1:2.6.6-1ubuntu4.3
ii  libpurple0          1:2.6.6-1ubuntu4.3
ii  pidgin              1:2.6.6-1ubuntu4.3
ii  pidgin-data         1:2.6.6-1ubuntu4.3
ii  pidgin-libnotify    0.14-1ubuntu14
ii  pidgin-otr          3.2.0-5

My private key appears to be stored on my filesystem in
~/.purple/otr.private_key, unencrypted.

(1) Is my private key, in fact, stored unencrypted?
(2) If yes, I suppose this is a major security weakness.  What are the
security ramifications of this?
(3) Are there any plans to remedy?

Thanks!

--
Greg Reagle
System Administrator
Center for Economic and Policy Research
reagle at cepr.net
http://www.cepr.net/


From katie at critpath.org Wed Nov 9 11:38:27 2011
From: katie at critpath.org (Kate Krauss)
Date: Wed, 9 Nov 2011 11:38:27 -0500
Subject: [OTR-users] protecting the key
In-Reply-To: <4EBAA07F.7050306@cepr.net>
References: <4EBAA07F.7050306@cepr.net>
Message-ID: <2F540DC1-9B30-4E37-B2F8-7C838E449F2D@critpath.org>

One more thought--I think that this list is searchable on Google, which
isn't the best situation for people seeking internet security. I found
posts from me when I googled myself last year. They came up on a person
finder web site.

On Nov 9, 2011, at 10:47 AM, Greg Reagle wrote:

> Greetings and salutations.
>
> I have already searched http://www.cypherpunks.ca/otr/otr-codecon.pdf and
> http://www.cypherpunks.ca/otr/index.php#faqs for the answer to my questions.
> If they are answered in some other document, please point me to it, and
> excuse me.
>
> I am using:
> $ COLUMNS=100 dpkg -l "*pidgin*" "*purple*"
> ||/ Name                Version
> +++-===================-===================-
> ii  libpurple-bin       1:2.6.6-1ubuntu4.3
> ii  libpurple0          1:2.6.6-1ubuntu4.3
> ii  pidgin              1:2.6.6-1ubuntu4.3
> ii  pidgin-data         1:2.6.6-1ubuntu4.3
> ii  pidgin-libnotify    0.14-1ubuntu14
> ii  pidgin-otr          3.2.0-5
>
> My private key appears to be stored on my filesystem in
> ~/.purple/otr.private_key, unencrypted.
>
> (1) Is my private key, in fact, stored unencrypted?
> (2) If yes, I suppose this is a major security weakness.  What are the
> security ramifications of this?
> (3) Are there any plans to remedy?
>
> Thanks!
>
> --
> Greg Reagle
> System Administrator
> Center for Economic and Policy Research
> reagle at cepr.net
> http://www.cepr.net/
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users


From stpeter at stpeter.im Wed Nov 9 11:46:55 2011
From: stpeter at stpeter.im (Peter Saint-Andre)
Date: Wed, 09 Nov 2011 09:46:55 -0700
Subject: [OTR-users] protecting the key
In-Reply-To: <2F540DC1-9B30-4E37-B2F8-7C838E449F2D@critpath.org>
References: <4EBAA07F.7050306@cepr.net> <2F540DC1-9B30-4E37-B2F8-7C838E449F2D@critpath.org>
Message-ID: <4EBAAE7F.80305@stpeter.im>

On 11/9/11 9:38 AM, Kate Krauss wrote:
> One more thought--I think that this list is searchable on Google,
> which isn't the best situation for people seeking internet security.
> I found posts from me when I googled myself last year. They came up
> on a person finder web site.

Developing security technologies in private is never a good idea.
Transparency encourages continuous improvement.
Peter

--
Peter Saint-Andre
https://stpeter.im/


From katie at critpath.org Wed Nov 9 11:59:42 2011
From: katie at critpath.org (Kate Krauss)
Date: Wed, 9 Nov 2011 11:59:42 -0500
Subject: [OTR-users] protecting the key
In-Reply-To: <4EBAAE7F.80305@stpeter.im>
References: <4EBAA07F.7050306@cepr.net> <2F540DC1-9B30-4E37-B2F8-7C838E449F2D@critpath.org> <4EBAAE7F.80305@stpeter.im>
Message-ID: <86D73CC2-5315-46AF-9337-C55846B76C9C@critpath.org>

Wish I had known that the list was searchable on Google when I joined it,
and would not direct anyone with a particular need of online security to
this list for that reason.

On Nov 9, 2011, at 11:46 AM, Peter Saint-Andre wrote:

> On 11/9/11 9:38 AM, Kate Krauss wrote:
>
>> One more thought--I think that this list is searchable on Google,
>> which isn't the best situation for people seeking internet security.
>> I found posts from me when I googled myself last year. They came up
>> on a person finder web site.
>
> Developing security technologies in private is never a good idea.
> Transparency encourages continuous improvement.
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
>


From dap56 at cornell.edu Wed Nov 9 12:51:17 2011
From: dap56 at cornell.edu (Daniel Perelman)
Date: Wed, 9 Nov 2011 09:51:17 -0800
Subject: [OTR-users] protecting the key
In-Reply-To: <4EBAA07F.7050306@cepr.net>
References: <4EBAA07F.7050306@cepr.net>
Message-ID:

(1) Correct. The OTR plugin does not ask for a passphrase or anything on
startup, so anyone who has your .purple folder can impersonate you. Then
again, if you have password-saving enabled, then the .purple folder also
contains the passwords for your IM account unencrypted. If you are worried
about someone else accessing that information, you should encrypt your
home directory (Ubuntu offers to do so on install, you can probably look
up how to do so later).
(2) OTR guarantees "perfect forward secrecy" so having your secret keys
does not allow an attacker to read your past conversations; it only allows
them to impersonate you in the future and therefore theoretically intercept
future conversations (actually intercepting IMs would require a powerful
attacker, especially given that XMPP and AIM usually go over SSL).
Naturally, if you discover that someone has managed to access your .purple
folder, you should change all of your IM passwords and OTR private keys and
notify anyone you use OTR with to invalidate your old keys and verify your
new ones.

(3) I am not an OTR dev, but I believe the issues you discuss are outside
of the scope of the OTR software.

- Daniel

On Wed, Nov 9, 2011 at 07:47, Greg Reagle wrote:
> Greetings and salutations.
>
> I have already searched http://www.cypherpunks.ca/otr/otr-codecon.pdf and
> http://www.cypherpunks.ca/otr/index.php#faqs for the answer to my questions.
> If they are answered in some other document, please point me to it, and
> excuse me.
>
> I am using:
> $ COLUMNS=100 dpkg -l "*pidgin*" "*purple*"
> ||/ Name                Version
> +++-===================-===================-
> ii  libpurple-bin       1:2.6.6-1ubuntu4.3
> ii  libpurple0          1:2.6.6-1ubuntu4.3
> ii  pidgin              1:2.6.6-1ubuntu4.3
> ii  pidgin-data         1:2.6.6-1ubuntu4.3
> ii  pidgin-libnotify    0.14-1ubuntu14
> ii  pidgin-otr          3.2.0-5
>
> My private key appears to be stored on my filesystem
> in ~/.purple/otr.private_key, unencrypted.
>
> (1) Is my private key, in fact, stored unencrypted?
> (2) If yes, I suppose this is a major security weakness.  What are the
> security ramifications of this?
> (3) Are there any plans to remedy?
>
> Thanks!
>
> --
> Greg Reagle
> System Administrator
> Center for Economic and Policy Research
> reagle at cepr.net
> http://www.cepr.net/
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>


From reagle at cepr.net Wed Nov 9 13:10:50 2011
From: reagle at cepr.net (Greg Reagle)
Date: Wed, 09 Nov 2011 13:10:50 -0500
Subject: [OTR-users] protecting the key
In-Reply-To:
References: <4EBAA07F.7050306@cepr.net>
Message-ID: <4EBAC22A.4000304@cepr.net>

Great answers! Can this be added to the FAQs on the website? I would
suggest combining them into one entry with three sub-questions.

On 11/09/2011 12:51 PM, Daniel Perelman wrote:
> (1) Correct. The OTR plugin does not ask for a passphrase or anything
> on startup, so anyone who has your .purple folder can impersonate you.
> Then again, if you have password-saving enabled, then the .purple
> folder also contains the passwords for your IM account unencrypted. If
> you are worried about someone else accessing that information, you
> should encrypt your home directory (Ubuntu offers to do so on install,
> you can probably look up how to do so later).
>
> (2) OTR guarantees "perfect forward secrecy" so having your secret
> keys does not allow an attacker to read your past conversations; it
> only allows them to impersonate you in the future and therefore
> theoretically intercept future conversations (actually intercepting
> IMs would require a powerful attacker, especially given that XMPP and
> AIM usually go over SSL). Naturally, if you discover that someone has
> managed to access your .purple folder, you should change all of your
> IM passwords and OTR private keys and notify anyone you use OTR with
> to invalidate your old keys and verify your new ones.
>
> (3) I am not an OTR dev, but I believe the issues you discuss are
> outside of the scope of the OTR software.
>
> - Daniel
>
>
> On Wed, Nov 9, 2011 at 07:47, Greg Reagle wrote:
>> Greetings and salutations.
>>
>> I have already searched http://www.cypherpunks.ca/otr/otr-codecon.pdf and
>> http://www.cypherpunks.ca/otr/index.php#faqs for the answer to my questions.
>> If they are answered in some other document, please point me to it, and
>> excuse me.
>>
>> I am using:
>> $ COLUMNS=100 dpkg -l "*pidgin*" "*purple*"
>> ||/ Name                Version
>> +++-===================-===================-
>> ii  libpurple-bin       1:2.6.6-1ubuntu4.3
>> ii  libpurple0          1:2.6.6-1ubuntu4.3
>> ii  pidgin              1:2.6.6-1ubuntu4.3
>> ii  pidgin-data         1:2.6.6-1ubuntu4.3
>> ii  pidgin-libnotify    0.14-1ubuntu14
>> ii  pidgin-otr          3.2.0-5
>>
>> My private key appears to be stored on my filesystem
>> in ~/.purple/otr.private_key, unencrypted.
>>
>> (1) Is my private key, in fact, stored unencrypted?
>> (2) If yes, I suppose this is a major security weakness.  What are the
>> security ramifications of this?
>> (3) Are there any plans to remedy?
>>
>> Thanks!
>>
>> --
>> Greg Reagle
>> System Administrator
>> Center for Economic and Policy Research
>> reagle at cepr.net
>> http://www.cepr.net/
>> _______________________________________________
>> OTR-users mailing list
>> OTR-users at lists.cypherpunks.ca
>> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>>

--
Greg Reagle
System Administrator
Center for Economic and Policy Research
reagle at cepr.net
http://www.cepr.net/
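Editor's added example, not code from the list or from the OTR project, illustrating points (1) and (2) of Daniel's answer above: what actually sits in ~/.purple/otr.private_key and why possession of it equals the ability to impersonate. The file is a libgcrypt-style S-expression in which the DSA parameters p, q, g, y and the private exponent x appear as #hex# literals; the sample below is constructed in that layout with toy numbers (not a real key, and not a valid DSA group), so the structure is readable. The fingerprint routine follows the editor's reading of libotr: SHA-1 over the serialized public key (MPIs p, q, g, y, each a 4-byte big-endian length plus magnitude) with the 2-byte key-type prefix skipped, printed as five groups of eight uppercase hex digits. The audit also reports the file mode, since a key that is group- or world-readable is the easy case of "someone has your .purple folder". Function names and the sample account are the editor's own.

```python
import hashlib
import os
import re
import stat
import tempfile

# Constructed sample in the layout libotr writes (advanced S-expression
# format, #...# = hex).  Toy values: a real file carries 1024-bit DSA params.
SAMPLE_KEYFILE = """(privkeys
 (account
(name "alice@example.org")
(protocol prpl-jabber)
(private-key
 (dsa
  (p #00C7#)
  (q #0B#)
  (g #03#)
  (y #2C#)
  (x #05#)
  )
 )
 )
)
"""

_TOKEN = re.compile(r'\(|\)|"[^"]*"|#[0-9A-Fa-f\s]*#|[^\s()"#]+')


def parse_sexp(text):
    """Parse the S-expression subset used by otr.private_key into nested lists."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        elif tok.startswith('"'):
            stack[-1].append(tok[1:-1])            # quoted string
        elif tok.startswith("#"):
            digits = re.sub(r"\s", "", tok[1:-1]) or "0"
            stack[-1].append(int(digits, 16))     # #hex# -> int
        else:
            stack[-1].append(tok)                  # bare symbol
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0][0]


def _assoc(lst, key):
    """Return the sub-list whose head is `key`, e.g. ('p' 0x..) inside (dsa ...)."""
    for item in lst[1:]:
        if isinstance(item, list) and item and item[0] == key:
            return item
    raise KeyError(key)


def load_accounts(text):
    """Return one dict per (account ...) entry with its DSA parameters."""
    tree = parse_sexp(text)
    if not tree or tree[0] != "privkeys":
        raise ValueError("not an otr.private_key file")
    accounts = []
    for acct in tree[1:]:
        if not (isinstance(acct, list) and acct and acct[0] == "account"):
            continue
        dsa = _assoc(_assoc(acct, "private-key"), "dsa")
        entry = {"name": _assoc(acct, "name")[1],
                 "protocol": _assoc(acct, "protocol")[1]}
        for k in ("p", "q", "g", "y"):
            entry[k] = _assoc(dsa, k)[1]
        try:
            entry["x"] = _assoc(dsa, "x")[1]       # private exponent, in the clear
        except KeyError:
            entry["x"] = None
        accounts.append(entry)
    return accounts


def _mpi(n):
    """OTR MPI encoding: 4-byte big-endian length, then minimal magnitude bytes."""
    mag = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return len(mag).to_bytes(4, "big") + mag


def serialize_pubkey(acct):
    """2-byte key type (0 = DSA) followed by MPIs p, q, g, y."""
    return b"\x00\x00" + b"".join(_mpi(acct[k]) for k in ("p", "q", "g", "y"))


def fingerprint_raw(acct):
    """SHA-1 of the serialized public key without the 2 type bytes (as libotr does)."""
    return hashlib.sha1(serialize_pubkey(acct)[2:]).digest()


def fingerprint(acct):
    """Human form shown to buddies: five groups of eight uppercase hex digits."""
    raw = fingerprint_raw(acct)
    return " ".join(raw[i:i + 4].hex().upper() for i in range(0, 20, 4))


def key_consistent(acct):
    """True if the cleartext x really is the private half of y (y == g^x mod p)."""
    return acct["x"] is not None and pow(acct["g"], acct["x"], acct["p"]) == acct["y"]


def permissions_ok(mode):
    """Only the owner may read or write the key file (no group/other bits)."""
    return (mode & 0o077) == 0


def audit_keyfile(path):
    """Report mode and, per account, fingerprint and whether x is exposed."""
    st = os.stat(path)
    with open(path) as f:
        accounts = load_accounts(f.read())
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "private_to_owner": permissions_ok(st.st_mode),
        "accounts": [{"name": a["name"], "protocol": a["protocol"],
                      "fingerprint": fingerprint(a),
                      "private_exponent_in_clear": a["x"] is not None,
                      "consistent": key_consistent(a)} for a in accounts],
    }


def demo():
    """Write the constructed sample with lax permissions (0644) and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "otr.private_key")
        with open(path, "w") as f:
            f.write(SAMPLE_KEYFILE)
        os.chmod(path, 0o644)
        return audit_keyfile(path)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it against the real file with audit_keyfile(os.path.expanduser("~/.purple/otr.private_key")); the fingerprint it prints should match what Pidgin shows under "My private keys", which confirms the parser read the same key your buddies verified. A "consistent" entry whose x is present is the whole impersonation capability in one value, which is the point of Daniel's answer: the file deserves at least mode 0600 and an encrypted home directory, and if it leaks, the fix is a new key plus re-verification by every contact.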