[OTR-dev] Flaw in OTR Protocol (with workaround!)

Ian Goldberg ian at cypherpunks.ca
Wed Aug 3 15:23:08 EDT 2005


On Wed, Aug 03, 2005 at 03:08:23PM -0400, Andrew Rodland wrote:
> I still think that it would be useful, to prevent the case where I restart my 
> client (or go away for a day), implicitly resetting my session, while my 
> buddy stays online, and later sends me an encrypted message I can't read. How 
> about:
> 
> 
> 1. Alice sends "End Session" request and tears down her session. No further 
> confirmation is needed on her end because she initiated the privacy drop.
> 2. Bob receives notification that Alice has ended the session, and is asked to 
> confirm his awareness of this [1].
> 3. Any messages that Bob sends to Alice before confirming the end-of-session 
> are discarded by OTR, and OTR sends a further reminder status message.

This is hardly different at all from what happens today:  Bob is
informed that Alice has terminated her session, and that he should do
the same.  Anything else Bob types before he either (1) terminates his
OTR session, or (2) starts a new one, results in an error message from
gaim.

This is fine; what we *don't* want is for Bob's client to
*automatically* terminate his session.

   - Ian
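The behaviour Ian describes (Bob's client is told the session ended, refuses to send anything until Bob explicitly ends his side or starts a new session, and is never torn down automatically) can be modelled as a small per-buddy state machine. The following is an added example for this archive page, not code from the OTR project, libotr or gaim, and not from either poster; the state names, method names and status strings are constructed for illustration, and the `auto_terminate` flag exists only to contrast the proposed "automatically terminate Bob's session" design with the one Ian argues for.

```python
from enum import Enum, auto


class MsgState(Enum):
    """Per-buddy message state (constructed model of the thread's description)."""
    PLAINTEXT = auto()  # no private session with this buddy
    ENCRYPTED = auto()  # live private session
    FINISHED = auto()   # buddy ended the session; nothing may be sent


class OtrEndpoint:
    def __init__(self, name, auto_terminate=False):
        self.name = name
        # True models the design Ian rejects: peer's disconnect silently
        # drops us back to plaintext instead of holding in FINISHED.
        self.auto_terminate = auto_terminate
        self.state = MsgState.PLAINTEXT
        self.status = []  # status/error lines the client would show the user

    def start_session(self):
        # Key exchange omitted; both sides are assumed to reach ENCRYPTED.
        self.state = MsgState.ENCRYPTED
        self.status.append(f"{self.name}: private conversation started")

    def end_session(self):
        # Explicit local "end private conversation": plaintext by user choice.
        self.state = MsgState.PLAINTEXT
        self.status.append(f"{self.name}: private conversation ended")

    def on_peer_ended(self):
        # Peer's disconnect notice arrived.
        if self.auto_terminate:
            self.state = MsgState.PLAINTEXT
        else:
            self.state = MsgState.FINISHED
            self.status.append(
                f"{self.name}: buddy ended the private conversation; "
                "end yours or start a new one before sending")

    def send(self, text):
        """Return (channel, payload) describing what would leave the client."""
        if self.state is MsgState.ENCRYPTED:
            return ("encrypted", text)
        if self.state is MsgState.FINISHED:
            # Message is discarded with an error rather than leaving in the clear.
            self.status.append(f"{self.name}: message not sent, session was ended by buddy")
            return ("error", None)
        return ("plaintext", text)


def scenario(auto_terminate, bob_restarts=True):
    """Alice ends; Bob types before reacting; then Bob restarts or ends his side."""
    alice = OtrEndpoint("Alice")
    bob = OtrEndpoint("Bob", auto_terminate=auto_terminate)
    alice.start_session()
    bob.start_session()

    alice.end_session()          # Alice tears down her side
    bob.on_peer_ended()          # Bob's client learns about it
    first = bob.send("still there?")   # typed before Bob does anything

    if bob_restarts:
        bob.start_session()      # option (2): start a new session
    else:
        bob.end_session()        # option (1): terminate his own side
    second = bob.send("ok, I saw your message")
    return first, second, list(bob.status)


if __name__ == "__main__":
    for auto in (False, True):
        first, second, status = scenario(auto)
        print(f"auto_terminate={auto}: first={first}, second={second}")
        for line in status:
            print("   ", line)
```

With `auto_terminate=False` the message Bob types after Alice's disconnect is refused with an error and only goes out once he has explicitly restarted (encrypted) or ended (plaintext, by his own choice). With `auto_terminate=True` the same keystrokes leave in plaintext with no error, which is the outcome the thread wants to avoid.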


