[OTR-dev] Is "Version rollback" attack fixed in 4.0?

Ague Mill ague at mailoo.org
Mon May 7 12:44:26 EDT 2012


Hi!

I am glad to see OTR development (visibly) moving forward again! :)

From a quick look at commit logs in the libotr repository, I have not
been able to figure out if the future version 4.0 is still vulnerable to
the "Version rollback" attack that was described in the paper
"Finite-State Security Analysis of OTR Version 2" [1] by Joseph Bonneau
and Andrew Morrison.

[1] http://www.jbonneau.com/OTR_analysis.pdf

Has this been fixed already? And if it has not, would it be hard to
prevent two clients from switching back to an earlier version of the
protocol?

Thanks,
-- 
Ague