[OTR-dev] Flaw in OTR Protocol (with workaround!)

Len Sassaman rabbi at abditum.com
Fri Aug 12 19:38:59 EDT 2005


(Sorry for top-posting...)

This brings up a similar UI annoyance that I keep encountering. There is a
frequent error message that occurs, saying "User has sent a malformed
message." This error message is displayed to both parties after every
transmission, and the only way I've found to eliminate it is to have both
parties restart otrproxy.

Perhaps we need to look at improving the quality of the error messages
(things like "you've sent a malformed message" don't really make sense to
most users, and certainly don't give any hint as to what to do about it --
what's the threat? what's the solution? Even I can't figure that out) as
well as improving the delivery of the error messages. There has to be some
other method of presenting warnings to the user without making the IM
program effectively unusable, unless that's the goal, in which case, the
IM client shouldn't be allowed to send messages out in the first place.

Perhaps otrproxy pop-up windows are a better place to put these sorts of
messages.


--Len.

On Thu, 4 Aug 2005, Evan Schoenberg wrote:

> This just happened, thought it clearly illustrates both the
> problem under discussion and a related issue:
>
> <I'm in an OTR session with OtherUser, both of us are on Manual>
> 2:45:31 PM OtherUser: brb
> OtherUser disconnected (2:45:32 PM)
> OtherUser connected (2:49:00 PM)
> 2:49:45 PM OtherUser: The following message received from OtherUser
> was not encrypted: [and we're back
> 2:49:52 PM tekjew: and this.
> 2:49:52 PM OtherUser: ?OTR Error: You sent encrypted data to
> OtherUser, who wasn't expecting it.
> 2:49:53 PM tekjew: is
> 2:49:53 PM OtherUser: ?OTR Error: You sent encrypted data to
> OtherUser, who wasn't expecting it.
> 2:49:54 PM tekjew: what
> 2:49:54 PM OtherUser: ?OTR Error: You sent encrypted data to
> OtherUser, who wasn't expecting it.
> 2:50:00 PM tekjew: I mean, Ian.
> 2:50:00 PM OtherUser: ?OTR Error: You sent encrypted data to
> OtherUser, who wasn't expecting it.
> Ended encrypted OTR chat. (2:50:02 PM)
> 2:50:03 PM OtherUser: ?OTR Error: You sent encrypted data to
> OtherUser, who wasn't expecting it.
> 2:50:07 PM tekjew: hehe
> 2:50:08 PM tekjew: perfect!
> 2:50:12 PM tekjew: thanks for letting me demo that :)
>
> So OtherUser quit and then reloaded.  He sent me an unencrypted
> message... fine so far, that's to be expected.  But when I sent "and
> this." I would have wanted the Magic Opportunistic (Private/Broken)
> mode to take effect and renegotiate a session.
>
> Note the other interesting oddity, though I can see why it would
> happen -- When I did click "End encrypted session" locally, the
> encrypted 'closed' packet was sent to OtherUser, and then I was told
> that I sent encrypted data.  Most users would be very confused by
> this particular bit of information, since as far as they know they
> didn't send any data to the other user.
>
> -Evan
>
>
> On Aug 4, 2005, at 2:41 PM, Ian Goldberg wrote:
>
> > On Thu, Aug 04, 2005 at 02:35:35PM -0400, Ian Goldberg wrote:
> >
> >> On Thu, Aug 04, 2005 at 01:36:01PM -0400, Evan Schoenberg wrote:
> >>
> >>> Currently:
> >>> OTR session with Alice
> >>> I exit my client (without selecting End Private Conversation, which
> >>> is what happens with most users)
> >>> I reconnect
> >>> Alice says something.  Her client is currently in the Private state,
> >>> with the previous secure session.
> >>> I get an encrypted message I can't read (sent using the encryption
> >>> from the old secure session).
> >>>
> >>
> >> Note that this causes OTR to automatically restart if you're in
> >> Opportunistic mode.
> >>
> >
> > And I forgot to say: which will also cause Alice's message to get
> > resent.
> >
> > That being said, it's arguably more correct for gaim to disconnect its
> > contexts before exiting, and the patch is totally trivial, so I
> > committed it to CVS.  ;-)
> >
> >    - Ian
> > _______________________________________________
> > OTR-dev mailing list
> > OTR-dev at lists.cypherpunks.ca
> > http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
> >
> >
>
>
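The sequence the thread describes (one side quits without "End Private Conversation", the other side keeps sending under the old session keys, the restarted side can only answer with "?OTR Error", Opportunistic mode renegotiates and resends, and Ian's fix of disconnecting contexts before exit), as an added illustrative model. This is not libotr or gaim-otr code: the `Peer` class, the `State`/`Policy` names, the counter standing in for AKE keys, and the `run`/`end_after_peer_restart` helpers are simplifications of my own; the real protocol carries the close notice as a TLV inside an encrypted data message, which is why it is modelled here as data the peer may be unable to decrypt.

```python
from enum import Enum, auto
from itertools import count


class State(Enum):
    PLAINTEXT = auto()   # no OTR session
    ENCRYPTED = auto()   # session keys established
    FINISHED = auto()    # peer ended the conversation; refuse to send


class Policy(Enum):
    MANUAL = auto()          # never start OTR automatically
    OPPORTUNISTIC = auto()   # restart the AKE when an error comes back


_keys = count(1)  # constructed stand-in for fresh AKE session keys


class Peer:
    def __init__(self, name, policy):
        self.name, self.policy = name, policy
        self.state, self.key = State.PLAINTEXT, None
        self.log = []          # what this user's client displays
        self.last_sent = None  # message to resend after a renegotiation

    def start_ake(self, other):
        """Toy AKE: both sides agree on a fresh session key."""
        key = next(_keys)
        self.state, self.key = State.ENCRYPTED, key
        other.state, other.key = State.ENCRYPTED, key

    def send(self, other, text):
        if self.state is State.FINISHED:
            self.log.append("Cannot send: conversation finished, restart OTR")
            return
        self.last_sent = text
        if self.state is State.ENCRYPTED:
            other.receive(self, {"kind": "data", "key": self.key, "body": text})
        else:
            other.receive(self, {"kind": "plain", "body": text})

    def end_conversation(self, other):
        """'End Private Conversation': a close notice inside an encrypted data message."""
        self.last_sent = None  # a close is never resent
        if self.state is State.ENCRYPTED:
            other.receive(self, {"kind": "data", "key": self.key, "body": None})
        self.state, self.key = State.PLAINTEXT, None

    def exit_client(self, other, end_first):
        """Quit the client; with end_first the context is disconnected first (Ian's fix)."""
        if end_first:
            self.end_conversation(other)
        self.state, self.key = State.PLAINTEXT, None  # context is lost on restart

    def receive(self, other, msg):
        kind = msg["kind"]
        if kind == "plain":
            self.log.append(f"UNENCRYPTED from {other.name}: {msg['body']}")
        elif kind == "data":
            if self.state is State.ENCRYPTED and msg["key"] == self.key:
                if msg["body"] is None:
                    self.state, self.key = State.FINISHED, None
                    self.log.append(f"{other.name} ended the private conversation")
                else:
                    self.log.append(f"{other.name}: {msg['body']}")
            else:
                # No matching session: cannot decrypt, tell the sender so
                self.log.append(f"Unreadable encrypted message from {other.name}")
                other.receive(self, {"kind": "error", "body":
                    f"You sent encrypted data to {self.name}, who wasn't expecting it."})
        elif kind == "error":
            self.log.append(f"?OTR Error: {msg['body']}")
            if self.policy is Policy.OPPORTUNISTIC and self.last_sent is not None:
                self.start_ake(other)             # renegotiate a session ...
                self.send(other, self.last_sent)  # ... and resend the lost message


def run(alice_policy, bob_ends_on_exit):
    """Alice and Bob are in an OTR session; Bob's client quits and comes back."""
    alice, bob = Peer("Alice", alice_policy), Peer("Bob", Policy.MANUAL)
    alice.start_ake(bob)
    bob.exit_client(alice, end_first=bob_ends_on_exit)
    alice.send(bob, "hi")  # Alice still believes the old session is live
    return alice, bob


def end_after_peer_restart():
    """Evan's oddity: ending the conversation after the peer has already restarted."""
    alice, bob = Peer("Alice", Policy.MANUAL), Peer("Bob", Policy.MANUAL)
    alice.start_ake(bob)
    bob.exit_client(alice, end_first=False)
    alice.end_conversation(bob)  # the close notice itself is unreadable to Bob
    return alice, bob


if __name__ == "__main__":
    cases = [(Policy.MANUAL, False), (Policy.OPPORTUNISTIC, False), (Policy.MANUAL, True)]
    for policy, ends in cases:
        a, b = run(policy, ends)
        print(f"Alice={policy.name}, Bob ends conversation on exit={ends}")
        for p in (a, b):
            for line in p.log:
                print(f"  [{p.name}] {line}")
```

Running the three cases shows the point of the thread: in Manual mode Alice stays in the encrypted state with a stale key and only ever sees the error; in Opportunistic mode the error triggers a fresh AKE and "hi" arrives on the second attempt; with the disconnect-on-exit fix Alice is moved to the finished state and her client refuses to send under the dead session at all, so no error message reaches the user.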
