[OTR-dev] Browser extensions for OTR

Ian Goldberg ian at cypherpunks.ca
Wed Jun 27 20:23:32 EDT 2012

On Wed, Jun 27, 2012 at 01:48:05PM -0700, Chris Ballinger wrote:
> I don't know enough about browser security to comment on that weakness but
> I would assume that under regular circumstances (no SSL MITM) no text is
> sent between your browser and Google until you hit send. I really would
> like to get more regular people using OTR but it seems like the main
> problem at this point seems to be changing people's habits.

No, the issue is that the javascript *on the GTalk page* might be
intercepting your typing and doing whatever with it (including sending
it back to Google).  Much in the same way that the Google search bar
"autocompletes" today by sending each keystroke back to Google.

   - Ian

More information about the OTR-dev mailing list