[OTR-dev] OTR, keyservers, MITM, etc.

Gregory Maxwell gmaxwell at gmail.com
Tue Aug 18 07:34:56 EDT 2009

On Tue, Aug 18, 2009 at 6:35 AM, <chris-tuchs at hushmail.com> wrote:
> Here's version 4.
> The basic plan is to use multiple servers as a secondary channel
> to detect MITM attacks.  The kernel of the protocol is just
> "Alice and Bob post the fingerprints of both their DSA keys to
> public servers, check that the fingerprints match, and that
> there are no conflicting claims."

As you are aware, this process leaks the fact that Alice and Bob are
communicating to anyone who can intercept the keyserver's traffic.
Today this information may only be available to the IM server operator
(esp. consider if the client<->IM server link is SSL protected, as is
common with Jabber).  Passive traffic analysis is a less serious
break, but it is also a more common, more easily, and more safely
executed attack than MITM. The use of a separate channel for
validation (especially an unsecured one!) is unlikely to foil MITM,
but it is likely to foil proxying, including attempts to run IM via

I don't think that it's great to trade one weakness for another.

This also appears to be vulnerable to another, partially sociological,
type of attack:

An attacker unable to perform actual MITMs against OTR can trigger
MITM warnings, causing users to use different transports.

(*) Eve sends spoofed Alice/Bob identifiers to the keyserver
(*) Alice and Bob attempt to communicate, using SMP-authenticated
MITM-resistant OTR, but get a nasty warning message
(*) Alice and Bob switch to some other method, perhaps plaintext, that
Eve is more able to monitor.

I'm unsure about the threat model. We have Alice and Bob, who are
trying to communicate via Isaac. Because Alice and Bob are concerned
Isaac may be compromised, they consult one or more third parties. The
process does not increase security if the MITM, Mallory, is located
close to Alice or Bob and can therefore intercept communications with
the third parties.

Am I right?  Is this really a significant threat model for Second
Life?  I think that for the general IM case we're mostly concerned
with a MITM who can position themselves close to Alice and/or Bob and
probably modify more than just their IM traffic.

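The post-and-compare check from the proposal, and the three problems raised in the reply, as an added toy model that is not code from OTR, from the proposal, or from anyone in this thread. It models a public keyserver, the "post both fingerprints, check they match, and check for conflicting claims" kernel, and four scenarios: an honest session (showing what a passive observer of the keyserver learns), a MITM on the IM path only (caught), Eve posting a spoofed claim with no MITM at all (false warning), and Mallory sitting close to Alice so that her keyserver lookups are rewritten (check passes). The participant names, the SHA-1-of-bytes stand-in for a DSA fingerprint, the claim record format and the server API are all assumptions made for the example.

```python
import hashlib
from collections import defaultdict


def fingerprint(pubkey: bytes) -> str:
    # Stand-in for a DSA key fingerprint: a hash of the public key bytes.
    return hashlib.sha1(pubkey).hexdigest()


class KeyServer:
    """Public server (assumed API): anyone can post a (claimant, peer,
    fingerprint) record, and anyone watching its traffic learns who is
    posting about whom."""

    def __init__(self):
        self.claims = defaultdict(set)   # (claimant, peer) -> fingerprints
        self.observed = []               # what a passive observer sees

    def post(self, claimant, peer, fp):
        self.observed.append((claimant, peer))
        self.claims[(claimant, peer)].add(fp)

    def lookup(self, claimant, peer):
        return set(self.claims[(claimant, peer)])


class InterceptedView:
    """Alice's view of a server when Mallory also sits between her and the
    server: posts pass through, but lookups of the peer's claim are
    rewritten to Mallory's fingerprint."""

    def __init__(self, real, peer, mallory_fp):
        self.real, self.peer, self.mallory_fp = real, peer, mallory_fp

    def post(self, claimant, peer, fp):
        self.real.post(claimant, peer, fp)

    def lookup(self, claimant, peer):
        if claimant == self.peer:
            return {self.mallory_fp}
        return self.real.lookup(claimant, peer)


def verify(servers, me, peer, my_fp, seen_peer_fp):
    """Kernel of the proposal: post my fingerprint to every server, then
    check the peer's posted fingerprint against the one seen in-band and
    reject if any server holds conflicting claims.  Returns (ok, reason)."""
    for s in servers:
        s.post(me, peer, my_fp)
    for s in servers:
        claims = s.lookup(peer, me)
        if len(claims) > 1:
            return False, "conflicting claims for " + peer
        if claims and seen_peer_fp not in claims:
            return False, "fingerprint mismatch for " + peer
    return True, "ok"


def run_scenarios():
    # Constructed sample keys; real OTR keys would be DSA public keys.
    alice_fp = fingerprint(b"alice-dsa-pubkey")
    bob_fp = fingerprint(b"bob-dsa-pubkey")
    mallory_fp = fingerprint(b"mallory-dsa-pubkey")
    out = {}

    # 1. Honest session: the check passes, but the servers' logs now
    #    reveal that Alice and Bob are talking (the traffic-analysis leak).
    srv = [KeyServer(), KeyServer()]
    verify(srv, "bob", "alice", bob_fp, alice_fp)
    out["honest"] = verify(srv, "alice", "bob", alice_fp, bob_fp)
    out["leak"] = ("alice", "bob") in srv[0].observed

    # 2. Mallory MITMs only the IM path: Alice sees Mallory's key in-band,
    #    the servers carry Bob's real key, so the mismatch is caught.
    srv = [KeyServer(), KeyServer()]
    verify(srv, "bob", "alice", bob_fp, alice_fp)
    out["im_only_mitm"] = verify(srv, "alice", "bob", alice_fp, mallory_fp)

    # 3. Eve cannot touch the IM path at all, but posts a spoofed claim in
    #    Bob's name; Alice gets a warning although no MITM is happening.
    srv = [KeyServer(), KeyServer()]
    srv[1].post("bob", "alice", fingerprint(b"eve-made-up-key"))
    verify(srv, "bob", "alice", bob_fp, alice_fp)
    out["eve_false_alarm"] = verify(srv, "alice", "bob", alice_fp, bob_fp)

    # 4. Mallory sits close to Alice and intercepts her keyserver traffic
    #    too: every server answers with Mallory's key and the check passes.
    real = [KeyServer(), KeyServer()]
    verify(real, "bob", "alice", bob_fp, alice_fp)
    alices_view = [InterceptedView(s, "bob", mallory_fp) for s in real]
    out["mitm_near_alice"] = verify(alices_view, "alice", "bob",
                                    alice_fp, mallory_fp)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Scenario 3 is the sociological attack from the reply: Eve never touches the OTR session, yet one forged record on one server is enough to produce a "conflicting claims" warning, and scenario 4 is the threat-model point: once Mallory controls Alice's path to the third parties as well as to Isaac, the extra channel adds nothing.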