[OTR-dev] Clever logging for weechat_otr plugin (+ log management discussion)

Daniel ".koolfy" Faucon koolfy at koolfy.be
Wed Mar 13 07:35:51 EDT 2013


Hello,

Some of you may know the OTR plugin for the weechat irc client.
I'm happy to announce that the project pulled a patch of mine to have a
more... healthy approach of OTR sessions logging.

https://github.com/mmb/weechat-otr

This approach being: *not* logging OTR sessions.

It has come to my attention that logs can actually be very harmful for
both parties involved, even if only one of those does log, and that
even encrypted logs are not safe in countries where you can be coerced
into decrypting your volumes (either physically or judicially).

Looking at the philosophy, or even the name of the "Off-the-record"
protocol, it makes sense to me that what happens inside an OTR session
is not meant to be logged. For any reason. The only reason why someone
would want to record an OTR conversation would probably be either to
harm someone else or as part of an unhealthy overall logging policy.

For those reasons, I wrote the patch with two core ideas in mind:

- Logging should be deactivated for the entire duration of the OTR
  session by *DEFAULT*, and the only way to re-activate it should be on
  a per-conversation basis, manually. I voluntarily refused to add an
  easy command to re-enable the systematic logging of OTR
  conversations. Doing so is toxic to what OTR tries to
  achieve/provide, and most certainly only useful for malicious
  intents. I see no reason to write a single line of code to enable
  such dangerous behavior.

- The logging deactivation should happen as soon as the OTR session
  starts, and prevent any output from OTR to appear in the logs. The
  entire OTR session should appear like it never happened. There
  should only be a blank in the logs where the OTR session took place.
  I see no reason to keep track of when one had an OTR conversation
  with whom. This information is only useful to attackers.

I had to explain this philosophy to the upstream dev, but fortunately
he understood and pulled the patch as-is.

Now, this is all good news for weechat users but, realistically, I fear
the weechat OTR plugin is really not very widely used. If at all
(except for me and some friends).


So, I'd like to open the discussion on what every other OTR
implementation currently does in regard to logs, what should be done,
if we should uniformise a specific behavior from now on when creating
new plugins/implementations.

So here is what I know:

- weechat-otr now disables logs for the entire duration of the OTR
  session and restores the previous logging value after the OTR session
  is closed. This is by default. It can only be overridden within
  a single OTR session with the /logger set command, and will be disabled
  again for the next OTR sessions.

- irssi-otr has no such feature whatsoever.

- pidgin-otr has a checkbox to disable logging of OTR conversations, but
  it's not checked by default.

- Jitsi has no option to disable logging of OTR conversations, or even
  for a given conversation (OTR or not). Logging is pretty rigid and
  binary in this one.

- Gibberbot: ?? I think it doesn't log anything by default, not sure.


Regarding irssi-otr, I hear irssi's logging management is a bit...
rigid (one can't even configure it on a per-server basis, so per-buffer
seems unlikely). I think it can be done, but it would probably require
a lot of hacking, maybe even upstream patches/reworking? I really think
something should be done on the matter however. Would anyone here be
willing to at least write down the current limitations to work around
and the difficulties involved?

I think pidgin should enable the disabling of OTR logging by default.
There really is no legitimate reason to log those. It's dangerous. Most
pidgin users will probably not even encrypt logs, even less securely
delete them when necessary, so defaulting to a healthy practice is
probably a good idea and trivial to patch.

Jitsi needs *at least* a button somewhere to allow for disabling the
logging of a given conversation. As their OTR implementation is
integrated, logging policy patches will probably be harder to be pulled
upstream, but I'm sure they would understand... I'm more scared of how
much work would be needed to allow such fine-tuning of the logging
behavior as nothing indicates it was ever thought of as a possible use case
anywhere in the software. But then again, I really think it's
necessary. I'm less comfortable with java development, though.


So, what do you guys think? Did I miss something? Do you think there
are good reasons to log OTR conversations by default?
I'm sure a lot of users will initially complain that they can't find
some parts of their logs, anytime they enabled OTR, but we really
should push for a more responsible philosophy on how one should manage
one's logs. Too many people log everything for YEARS without even
thinking of the implications.

Breaking their unhealthy habits may be the first step towards a global
realization that logging everything *will* at some point hurt the
people you interact with.


It's not up to the OTR protocol to define logging policies, so we must
make sure OTR implementations behave responsibly.


-- 
Daniel ".koolfy" Faucon

Tel: France : (+33)(0)658/993.700
PGP Fingerprint : 485E 7C63 8D29 F737 FEA2  8CD3 EA05 30E6 15BE 9FA5
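
Added example, not part of the original message and not weechat-otr's code: a small Python model of the policy the post describes (logging off for the whole OTR session, previous value restored afterwards, a manual override that lasts for one session only). The `Buffer` and `OtrLogGuard` classes, the buffer name and the 0-9 level scale with 0 meaning off are assumptions made for illustration.

```python
# Model of the policy described in the post; not weechat-otr source code.
# Buffer, OtrLogGuard and the 0-9 level scale (0 = off) are assumptions.

class Buffer:
    """Stand-in for one chat buffer with its own log level and log sink."""
    def __init__(self, name, log_level=9):
        self.name = name
        self.log_level = log_level
        self.log = []                      # lines that would reach disk

    def write(self, line):
        if self.log_level > 0:
            self.log.append(line)


class OtrLogGuard:
    """Disable logging while an OTR session is active, then restore it."""
    def __init__(self):
        self._saved = {}                   # buffer name -> pre-session level

    def session_started(self, buf):
        # A refreshed session fires "started" again: keep the first saved
        # value, otherwise 0 would be recorded as the level to restore.
        self._saved.setdefault(buf.name, buf.log_level)
        buf.log_level = 0                  # before any OTR output is printed

    def session_ended(self, buf):
        # Restore the pre-session level; a manual override made during the
        # session is discarded so it cannot leak into later sessions.
        if buf.name in self._saved:
            buf.log_level = self._saved.pop(buf.name)


def demo():
    buf, guard = Buffer("irc.example.alice"), OtrLogGuard()  # constructed name
    buf.write("plaintext before")
    guard.session_started(buf)
    buf.write("[otr] session started")     # dropped
    guard.session_started(buf)             # session refresh, still dropped
    buf.write("secret 1")
    guard.session_ended(buf)
    buf.write("plaintext between")
    guard.session_started(buf)
    buf.log_level = 3                      # manual per-session override
    buf.write("logged by explicit choice")
    guard.session_ended(buf)
    guard.session_started(buf)             # next session: off again
    buf.write("secret 2")
    guard.session_ended(buf)
    return buf.log, buf.log_level
```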