[OTR-dev] session termination
ian at cypherpunks.ca
Sun Apr 29 15:43:43 EDT 2007
One problem with dropping to FINISHED when you notice the other side
goes offline is that that notification is unauthenticated. An adversary
can trivially spoof a "Bob went offline" message, and it would be
unfortunate if that caused Alice to forget her session keys.
I also note that most IM networks, I'm pretty sure, don't tell Alice
when Bob goes offline if Bob isn't Alice's buddy, but I don't know how
often people chat with non-buddies in practice.
More information about the OTR-dev