[OTR-dev] Clever logging for weechat_otr plugin (+ log management discussion)

Gregory Maxwell gmaxwell at gmail.com
Wed Mar 13 08:05:05 EDT 2013


On Wed, Mar 13, 2013 at 4:35 AM, "Daniel ".koolfy" Faucon"
<koolfy at koolfy.be> wrote:
> It has come to my attention that logs can actually be very harmful for
> both parties involved, even if only one of those does log, and that
> even encrypted logs are not safe in countries where you can be coerced
> into decrypting your volumes (either physically or judicially).

Yep. Logging has risks.

However,

> - Logging should be deactivated for the entire duration of the OTR
>   session by *DEFAULT*, and the only way to re-activate it should be on
>   a per-conversation basis, manually.

In the hierarchy of risks out there the
number-one-forty-foot-tall-honking-gorilla risk for users is that they
DO NOT USE ENCRYPTION AT ALL.

This means that their conversations can be _automatically_ _passively_
_undetectably_ collected and stored forever by _anyone_ with access to
the communication channel, with very little cost.  It means that their
more security savvy friends who would choose to use encryption
_cannot_ because their friends don't use it. It means that because
encryption is less commonly used it frequently fails to work right
which means an active attacker can trivially and without leaving
evidence force not-ultra-paranoid encryption users to turn off their
encryption just by jamming the crypto.

People greatly discount security risks; the harms are distant and
non-specific. The attackers are invisible. 99% of the time even high
profile targets are not being attacked.

All of this has the consequence that when you make authentication or
anti-logging more invasive you produce a small benefit for the tiny
number of users who meet _all_ of these criteria:

* will always use OTR, even if it gets in their way
* won't get auth or logging right without the change
* are exposed to the kind of risks the change addresses (active
attackers / log capture)
* those risks don't moot the protection (log grabber also installs key
logger, active attacker intercepts webpages and gives them trojans)

With the risk of discouraging the use of security technology for
_everyone_ (including those people).

I think almost any reasonable estimate of the relative population and
risk sizes results in a conclusion that just about any discouragement
is not acceptable.

So instead I advocate that increased security take the form of
additional alerts and modes that savvier/higher-risk users can opt into
without making basic cryptographic protection less attractive.  For
example, don't require disabling logging for OTR— instead add a
no-logging mode where both parties, if running compliant software, do
not log (if the remote party is hostile this can't help in any case). Let
either user in a conversation trigger that mode, and if you turn it
back off your chat partner finds out about it. Allow per-peer
preferences "require logging off for this party", just like we have
for authentication.

But for heaven's sake, please don't add yet another reason for people
to not use OTR at all.
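The opt-in no-logging mode sketched in the post, as an added toy model (this is not code from weechat_otr, from the OTR project, or from the author of the message). It assumes a Python model with two `Peer` objects and a `Conversation` between them, all names constructed here: either side can switch the conversation into no-logging mode, switching it back off notifies the partner, and a per-peer preference `require_nolog_for` refuses to carry messages with that contact until the mode is on, mirroring how a "require authentication" preference works.

```python
"""Toy model of an opt-in per-conversation no-logging mode (constructed example).

- Logging stays on by default; nothing here discourages using OTR itself.
- Either peer may request no-logging mode for one conversation.
- A peer that turns logging back on cannot do so silently: the partner is told.
- A local preference can require no-logging for a specific contact, in which
  case the client refuses to exchange messages until the mode is active.
"""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    log_enabled: bool = True                      # local default: log conversations
    require_nolog_for: set = field(default_factory=set)  # contacts that must not be logged
    notices: list = field(default_factory=list)   # alerts shown to this user
    log_lines: list = field(default_factory=list) # what this client wrote to its log


@dataclass
class Conversation:
    a: Peer
    b: Peer
    nolog_mode: bool = False   # True once either party has requested it

    def other(self, p):
        return self.b if p is self.a else self.a

    def request_nolog(self, requester):
        """Either party may put the conversation into no-logging mode."""
        self.nolog_mode = True
        self.other(requester).notices.append(f"{requester.name}: no-logging mode ON")

    def resume_logging(self, who):
        """Allowed, but never silent: the partner is notified."""
        self.nolog_mode = False
        self.other(who).notices.append(
            f"{who.name}: no-logging mode OFF (logging may resume)")

    def deliver(self, sender, text):
        """Deliver a message; returns False if a local policy blocks it.

        A compliant client honours nolog_mode by not writing the line.
        A peer whose preference requires no-logging for this contact refuses
        to continue until the mode is on, like a 'require authentication' rule.
        """
        for p in (self.a, self.b):
            if self.other(p).name in p.require_nolog_for and not self.nolog_mode:
                p.notices.append(
                    f"policy: refusing to talk to {self.other(p).name} "
                    f"while logging is possible")
                return False
        for p in (self.a, self.b):
            if p.log_enabled and not self.nolog_mode:
                p.log_lines.append((sender.name, text))
        return True


def demo():
    """Walk through the mode: one side logs by default, the other does not."""
    alice = Peer("alice")                      # logs by default
    bob = Peer("bob", log_enabled=False)       # never logs locally
    conv = Conversation(alice, bob)
    conv.deliver(alice, "hi")                  # alice logs it, bob does not
    conv.request_nolog(bob)                    # bob asks for no logging
    conv.deliver(alice, "secret")              # nobody logs this line
    conv.resume_logging(alice)                 # alice turns logging back on
    conv.deliver(bob, "still here")            # alice logs again; bob was told
    return alice, bob, conv


def policy_demo():
    """Per-peer preference: carol will not talk to dave unless no-logging is on."""
    carol = Peer("carol", require_nolog_for={"dave"})
    dave = Peer("dave")
    conv = Conversation(carol, dave)
    blocked = conv.deliver(dave, "hello?")     # refused: mode not active
    conv.request_nolog(carol)
    allowed = conv.deliver(dave, "hello!")     # now carried, and logged by nobody
    return blocked, allowed, carol, dave


if __name__ == "__main__":
    a, b, _ = demo()
    print("alice log:", a.log_lines)
    print("bob notices:", b.notices)
    print("policy:", policy_demo()[:2])
```

The point the model makes concrete is the asymmetry the post argues for: the default path stays unchanged, while the stricter behaviour (refusing messages, suppressing the log) only appears once a user has opted into it, and any step back out of that stricter state is visible to the partner rather than silent.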


