[OTR-dev] Clever logging for weechat_otr plugin (+ log management discussion)

Daniel ".koolfy" Faucon koolfy at koolfy.be
Wed Mar 13 17:58:09 EDT 2013


On Wed, 13 Mar 2013 05:05:05 -0700
Gregory Maxwell <gmaxwell at gmail.com> wrote:
> In the hierarchy of risks out there the
> number-one-forty-foot-tall-hoking-gorilla risk for users is that they
> DO NOT USE ENCRYPTION AT ALL.

Of course, encryption can never work when it's not used :)


> All of this has the consequence that when you make authentication or
> anti-logging more invasive you produce a small benefit for the tiny
> number of users who meet _all_ of these criteria:
> 
> * will always use OTR, even it gets in their way
> * won't get auth or logging right without the change
> * are exposed to the kind of risks the change addresses (active
> attackers / log capture)
> * those risks don't moot the protection (log grabber also installs key
> logger, active attacker intercepts webpages and gives them trojans)
> 
> With the risk of discouraging the use of security technology for
> _everyone_ (including those people).
> 
> I think almost any reasonable estimate of the relative population and
> risk sizes results in a conclusion that just about any discouragement
> is not acceptable.

I had a chat with a few people on that, and while I agree on the
premise, I think in this case, the risk of people logging OTR
conversations by accident or by negligence is actually far greater than
scaring them.
In fact, not logging OTR conversations is fairly transparent for the
user, most users won't notice until some day they will look for an OTR
conversation in their logs --probably not that often for lambda users.

I agree that we should avoid scaring non-savvy users at (almost) all
cost, but we are dealing with a serious mid-to-long term security issue
here, and I think the benefit is non-negligible when you see how small
the probability of actually resulting in an immediate dissuasion for
any user is.

This is also why I am all in favor of the possibility of easily
switching to logging the conversation on more mainstream clients (like
pidgin or Jitsi).
I refused to do so on weechat because weechat and irssi don't exactly
aim at easily-scared people. If they choose those clients, they are
bound to accept a little smaller usability/security ratio :)

But even then, if the "default to not logging" patch was refused, I'd
probably have done exactly this as a reasonable compromise. I just
dislike the idea of being responsible for dangerous behaviors...

> 
> So instead I advocate that increased security take the form of
> additional alerts and modes that savvier/higher-risk can opt into
> without making basic cryptographic protection less attractive.  For
> example, don't require disabling logging for OTR— instead add a
> no-logging mode where both parties, if running compliant software, do
> not log. (if remote party is hostile this can't help in any case) Let
> either user in a conversation trigger that mode, and if you turn it
> back off your chat partner finds out about it.   Allow peer partner
> preferences "require logging off for this party", just like we have
> for authentication.

See my criticism on Greg Troxel's suggestion of adding such
notifications in the OTR protocol itself.

My main complaint is that we start trying to provide information on
something we have no real control over, and this can easily become
deceptive and create a false sense of security, with a little social
engineering.

> 
> But for heavens sake, please don't add yet another reason for people
> to not use OTR at all.

This is the last thing I want to do.
But I am sincerely afraid of the consequences of a world where
*everyone* encrypts his conversation only to log *everything* to disk
in cleartext.

By compromising ONE computer, you get information on EVERYONE this
person has ever been in contact with, including every encrypted
conversation.

When facing an encrypted conversation, the attacker now knows that the
only thing he needs to do is wait a little while, steal/seize the
target's computer, and calmly read through every conversation he
wouldn't ever have been able to spy on in the first place (things
predating his passive surveillance, things gone through Tor and off
their radar, etc).

This is terrifying to me.

-- 
Daniel ".koolfy" Faucon

Tel: France : (+33)(0)658/993.700
PGP Fingerprint : 485E 7C63 8D29 F737 FEA2  8CD3 EA05 30E6 15BE 9FA5
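The two positions above (a negotiated per-conversation no-logging mode that either side can trigger and that announces when it is switched back off, versus the objection that the peer's announced state is only a claim the local client cannot verify) can be made concrete in a small model. The code below is an added illustration written for this thread; it is not weechat_otr's, libotr's or any listed client's code, and the client names (alice, bob, mallory) and the announce/set_policy/request_no_log functions are constructed for the example.

```python
# Added model of the no-logging mode discussed in the thread (not project code).
# Each Client is one end's view of a single conversation. A compliant client
# honours a no-log request and announces its own state changes; a hostile
# client can announce "no_log" while still writing the transcript to disk,
# which is exactly why the announced state gives no guarantee.
from dataclasses import dataclass, field
from typing import Optional

LOG = "log"
NO_LOG = "no_log"


@dataclass
class Client:
    """One chat client's local state for one conversation."""
    name: str
    local_policy: str = LOG             # what this client says it does with the transcript
    require_peer_no_log: bool = False   # per-peer preference, analogous to "require auth"
    peer_claim: Optional[str] = None    # last state the peer ANNOUNCED (unverifiable)
    alerts: list = field(default_factory=list)
    compliant: bool = True              # honours incoming no-log requests honestly
    actually_logs: bool = True          # ground truth on this machine's disk

    def writes_transcript(self) -> bool:
        """Whether this client really persists the conversation to disk."""
        return self.actually_logs

    def may_send(self) -> bool:
        """Peer preference: refuse to chat unless the peer has announced no-log."""
        return not self.require_peer_no_log or self.peer_claim == NO_LOG


def announce(sender: Client, receiver: Client, state: str) -> None:
    """Deliver sender's logging-state notification to receiver.

    The receiver only records the claim; nothing here (or in any protocol
    message) lets it check what the sender's disk actually contains.
    """
    if receiver.peer_claim == NO_LOG and state == LOG:
        receiver.alerts.append(f"{sender.name} turned logging back ON")
    receiver.peer_claim = state


def set_policy(client: Client, peer: Client, state: str) -> None:
    """Change the client's own announced policy and notify the peer."""
    client.local_policy = state
    # An honest client's disk behaviour follows its policy; a hostile one
    # announces whatever it likes and keeps logging regardless.
    if client.compliant:
        client.actually_logs = (state == LOG)
    announce(client, peer, state)


def request_no_log(requester: Client, peer: Client) -> None:
    """Either party may trigger no-logging mode for the conversation."""
    set_policy(requester, peer, NO_LOG)
    if peer.compliant:
        set_policy(peer, requester, NO_LOG)   # a compliant peer reciprocates


def demo() -> dict:
    """Run the cooperative case and the hostile case; return the observations."""
    alice, bob = Client("alice"), Client("bob")
    request_no_log(alice, bob)
    neither_logs = not alice.writes_transcript() and not bob.writes_transcript()
    set_policy(bob, alice, LOG)           # bob re-enables logging; alice is told

    alice2 = Client("alice", require_peer_no_log=True)
    mallory = Client("mallory", compliant=False)
    blocked_before_claim = not alice2.may_send()
    set_policy(mallory, alice2, NO_LOG)   # mallory claims no-log but keeps logging
    return {
        "neither_logs_after_request": neither_logs,
        "alice_alerted_on_reenable": alice.alerts,
        "blocked_before_claim": blocked_before_claim,
        "unblocked_by_unverified_claim": alice2.may_send(),
        "hostile_peer_still_logs": mallory.writes_transcript(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cooperative run shows what the proposed mode buys between two honest clients: one request stops both transcripts, and re-enabling logging is surfaced to the other side. The second run shows the limit: the "require logging off for this party" gate is satisfied by a bare announcement, so a peer that lies keeps its transcript while the local user sees exactly the same state as with an honest peer.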