[OTR-dev] Fwd: OTR integration

Paul Wouters paul at cypherpunks.ca
Mon Aug 26 13:03:18 EDT 2013


On Mon, 26 Aug 2013, Jurre van Bergen wrote:

Hi Tomek,

> From: Jurre van Bergen <drwhax at 2600nl.net>
> To: otr-dev at lists.cypherpunks.ca
> Subject: [OTR-dev] Fwd: OTR integration
> 
> FYI

> I'm currently working on OTR integration into 3.0.0 tree. I see three
> possible solutions for it:
> 
> - enabling it by default: otr plugin seems to be well written and
> doesn't cause crashes, so it won't be the new source of stability
> problems. I just have one concern in mind: it will alter UI a bit, in
> a way that vast majority of users won't utilize - it will be a clutter
> for them

Is it that much of a change? I think it is good that they see when a
connection is insecure. Especially for inexperienced users.

> - to track for "?OTRvxx?" tag (it indicates an OTR packet) in messages
> and ask user, if he wants to enable the plugin. It would show up only,
> when Pidgin was built with otr support. Also, after the first query,
> it would set a hidden pref, so it won't ask the user again. I think
> this will cover all use cases, because for incoming messages it will
> be easy to set it up. User, who would like to start an outgoing OTR
> conversation (for the first time), will be experienced enough to
> enable it manually.

The whole design of OTR has been to ensure that one does NOT have to be
an "experienced user". That is the whole reason the world is in such a
sad state of deploying crypto and why the NSA/GCHQ can have so much data
about is.

> I prefer the second one, but I would like to see other opinions.

Please keep the status of the OTR security of a connection visible so
people can go from insecure to secure. It is not "clutter". It shows a
deficiency in their conversion - someone is recording it without
consent!

Related, I don't know if the plugin can have precedence/ordering yet,
but currently when one types "/me is accidentally leaking information"
that gets leaked plaintext due to bad interaction between the irc plugin
("/me" is not a valid command, send it out unmodified) and the otr
plugin.

Regards,

Paul



More information about the OTR-dev mailing list