[OTR-dev] session termination

Marti Raudsepp marti at juffo.org
Sun Apr 29 20:46:08 EDT 2007


On 4/29/07, Ian Goldberg <ian at cypherpunks.ca> wrote:
> One problem with dropping to FINISHED when you notice the other side
> goes offline is that that notification is unauthenticated.  An adversary
> can trivially spoof a "Bob went offline" message, and it would be
> unfortunate if that caused Alice to forget her session keys.

But does it really matter? When the attacker already has the
capability of spoofing messages on behalf of the IM network, then
surely they could also just disrupt (deny) communication between the
parties -- which is effectively the same as far as I can tell.

Marti


