[OTR-dev] Browser extensions for OTR
garulf
garulf at autistici.org
Thu Jun 28 03:18:02 EDT 2012
Il 28/06/2012 02:23, Ian Goldberg ha scritto:
> On Wed, Jun 27, 2012 at 01:48:05PM -0700, Chris Ballinger wrote:
>> I don't know enough about browser security to comment on that
>> weakness but I would assume that under regular circumstances (no
>> SSL MITM) no text is sent between your browser and Google until
>> you hit send. I really would like to get more regular people
>> using OTR but it seems like the main problem at this point seems
>> to be changing people's habits.
>
> No, the issue is that the javascript *on the GTalk page* might be
> intercepting your typing and doing whatever with it (including
> sending it back to Google). Much in the same way that the Google
> search bar "autocompletes" today by sending each keystroke back to
> Google.
No, if the typing is in a separate iframe (with a different domain
origin) gtalk page (or someone tampering gtalk page) can't intercept
your type.
By the way someone can't tamper the page to present a layout of the
page that is very similar to the one of the add-on, this way can
"fish" you to type in a iframe that isn't the one of the add-on. By
the way if you add a unique image (maybe derived one-way from your
secret key) you can always verified that you are typing on the right
iframe (this image never go on the net).
G.
More information about the OTR-dev
mailing list