[OTR-dev] session termination

Ian Goldberg ian at cypherpunks.ca
Sun Apr 29 15:43:43 EDT 2007

One problem with dropping to FINISHED when you notice the other side
goes offline is that that notification is unauthenticated.  An adversary
can trivially spoof a "Bob went offline" message, and it would be
unfortunate if that caused Alice to forget her session keys.

I also note that most IM networks, I'm pretty sure, don't tell Alice
when Bob goes offline if Bob isn't Alice's buddy, but I don't know how
often people chat with non-buddies in practice.

   - Ian

More information about the OTR-dev mailing list