[OTR-dev] Flaw in OTR Protocol (with workaround!)

Andrew Rodland arodland at entermail.net
Wed Aug 3 15:38:32 EDT 2005


On Wednesday 03 August 2005 03:23 pm, Ian Goldberg wrote:
> On Wed, Aug 03, 2005 at 03:08:23PM -0400, Andrew Rodland wrote:
> > I still think that it would be useful, to prevent the case where I
> > restart my client (or go away for a day), implicitly resetting my
> > session, while my buddy stays online, and later sends me an encrypted
> > message I can't read. How about:
> >
> > 1. Alice sends "End Session" request and tears down her session. No
> > further confirmation is needed on her end because she initiated the
> > privacy drop.
> > 2. Bob receives notification that Alice has ended the
> > session, and is asked to confirm his awareness of this [1].
> > 3. Any messages that Bob sends to Alice before confirming the
> > end-of-session are discarded by OTR, and OTR sends a further reminder
> > status message.
>
> This is hardly different at all from what happens today:  Bob is
> informed that Alice has terminated her session, and that he should do
> the same.  Anything else Bob types before he either (1) terminates his
> OTR session, or (2) starts a new one, results in an error message from
> gaim.
>
> This is fine; what we *don't* want is for Bob's client to
> *automatically* terminate his session.

Okay, you're right -- it's just that the option is pretty well hidden. I'd 
like to see it improved in certain UI-related ways, but now that I know what 
I'm talking about, it's no longer a protocol-change issue :)

Andrew
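The behaviour Ian describes above (Bob is told Alice ended her session, and anything he types before he either ends his own session or starts a new one is refused with an error rather than sent) can be modelled as a small per-conversation state machine. The following is an added illustration written for this thread; it is not code from libotr or gaim-otr, and the state names and method names are assumptions chosen for clarity. The security-relevant point it makes concrete is that the "finished" state is a trap state: outgoing text is neither encrypted under the dead session nor silently downgraded to plaintext.

```python
from enum import Enum, auto


class MsgState(Enum):
    """Assumed per-buddy message state (mirrors the idea of OTR's msgstate)."""
    PLAINTEXT = auto()   # no private session
    ENCRYPTED = auto()   # live private session
    FINISHED = auto()    # peer ended the session; we have not yet acted on it


class SessionEndedError(Exception):
    """Raised when the user tries to send while the peer has ended the session."""


class OtrSession:
    """Toy model of one side of an OTR conversation (illustrative, not libotr)."""

    def __init__(self):
        self.state = MsgState.PLAINTEXT
        self.notices = []  # status messages the client would show the user

    def start(self):
        """User (or client) starts a fresh private session."""
        self.state = MsgState.ENCRYPTED
        self.notices.append("private conversation started")

    def receive_end_from_peer(self):
        """Peer (Alice) tore down her side; we are told, but NOT auto-terminated."""
        if self.state == MsgState.ENCRYPTED:
            self.state = MsgState.FINISHED
            self.notices.append(
                "your buddy has ended the private conversation; "
                "end yours too or start a new one")

    def end(self):
        """User explicitly ends his side of the conversation."""
        self.state = MsgState.PLAINTEXT
        self.notices.append("private conversation ended")

    def send(self, text):
        """Return how a message would leave the client, or refuse it.

        In FINISHED the message is refused outright: it must not go out under
        the dead session and must not quietly fall back to plaintext.
        """
        if self.state == MsgState.FINISHED:
            raise SessionEndedError(
                "your buddy ended the private conversation; "
                "message not sent. End or restart the session first.")
        if self.state == MsgState.ENCRYPTED:
            return ("encrypted", text)
        return ("plaintext", text)


def simulate_bob():
    """Walk Bob through the scenario from the thread and record what happens."""
    bob = OtrSession()
    outcomes = []

    bob.start()
    outcomes.append(bob.send("hi alice"))          # encrypted

    bob.receive_end_from_peer()                    # Alice tore her session down
    try:
        bob.send("are you still there?")           # refused, not downgraded
        outcomes.append(("sent", None))
    except SessionEndedError as exc:
        outcomes.append(("refused", str(exc)))

    bob.start()                                    # option (2): start a new one
    outcomes.append(bob.send("ok, new session"))   # encrypted again

    bob.receive_end_from_peer()
    bob.end()                                      # option (1): terminate his side
    outcomes.append(bob.send("bye"))               # now deliberately plaintext

    return outcomes, bob.state


if __name__ == "__main__":
    for item in simulate_bob()[0]:
        print(item)
```

Running `simulate_bob()` shows the three paths Ian lists: messages flow while both sides are in the private session, the one typed after Alice's "end" is refused with a status message, and only an explicit end or restart by Bob moves him out of the finished state.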