[OTR-dev] Flaw in OTR Protocol (with workaround!)

Ian Goldberg ian at cypherpunks.ca
Thu Aug 4 14:41:13 EDT 2005


On Thu, Aug 04, 2005 at 02:35:35PM -0400, Ian Goldberg wrote:
> On Thu, Aug 04, 2005 at 01:36:01PM -0400, Evan Schoenberg wrote:
> > Currently:
> > OTR session with Alice
> > I exit my client (without selecting End Private Conversation, which  
> > is what happens with most users)
> > I reconnect
> > Alice says something.  Her client is currently in the Private state,  
> > with the previous secure session.
> > I get an encrypted message I can't read (sent using the encryption  
> > from the old secure session).
> 
> Note that this causes OTR to automatically restart if you're in
> Opportunistic mode.

And I forgot to say: which will also cause Alice's message to get
resent.

That being said, it's arguably more correct for gaim to disconnect its
contexts before exiting, and the patch is totally trivial, so I
committed it to CVS.  ;-)

   - Ian



More information about the OTR-dev mailing list