[OTR-dev] Clever logging for weechat_otr plugin (+ log management discussion)

Thijs Alkemade me at thijsalkema.de
Thu Mar 14 11:04:02 EDT 2013


On Thu, Mar 14, 2013 at 01:54:24PM +0000, Michael Rogers wrote:
> On 13/03/13 12:05, Gregory Maxwell wrote:
> > All of this has the consequence that when you make authentication
> > or anti-logging more invasive you produce a small benefit for the
> > tiny number of users who meet _all_ of these criteria:
> > 
> > * will always use OTR, even it gets in their way * won't get auth
> > or logging right without the change * are exposed to the kind of
> > risks the change addresses (active attackers / log capture) * those
> > risks don't moot the protection (log grabber also installs key 
> > logger, active attacker intercepts webpages and gives them
> > trojans)
> > 
> > With the risk of discouraging the use of security technology for 
> > _everyone_ (including those people).
> 
> Your unstated asssumptions are that if logging is disabled by default,
> (a) users will be surprised, (b) users will be annoyed, and (c)
> existing OTR users will stop using OTR rather than enabling logging.
> 
> I think all three assumptions are false. Anyone who chooses OTR does
> so because they want to have a confidential and/or deniable
> conversation. Anyone can understand how keeping logs could undermine
> those properties. So there's no reason for users to be surprised or
> annoyed that OTR conversations aren't logged (I'm suprised and annoyed
> that they are!).
> 
> If an existing OTR user wants to log an OTR conversation, despite
> knowing that they're undermining the benefits of OTR by doing so, they
> can enable logging on a per-conversation basis. The only people for
> whom it's safe to log by default are those who encrypt their logs.
> Since OTR can't determine whether you're one of those people, it
> shouldn't assume that you are.
> 

End-to-end encryption and confidentiality are orthogonal features, in my 
opinion.

In my browser, I try to maximize the usage of SSL. Banking information or 
login credentials being stolen are dangerous problems that I want to avoid.

On the other hand, I have private browsing/incognito mode for those websites 
I would not want to keep around in my browser history.

I don't find it necessary to require both at the same time: I'm happy with 
my browser suggesting my bank from my history (hey, saves me the risk of 
some typos) and I'm fine with private browsing happening without SSL, if 
that's not available.

I think the situation for OTR and logging is exactly the same: I use OTR if 
I don't want my conversations to be read by Google, Microsoft or the US 
government. I'm not using OTR to be able to pretend that the conversation 
never took place. But when I do want that, I make a separate, concious, 
decision to also turn logging off.

The fact that OTR can make people more secure if they want to, doesn't mean 
that it should make things extra difficult for people who are not interested 
in that.

If we ever switch to not logging OTR by default (or off by default but can 
be turned on for one chat), then I'm also going to add warnings to OTR 
invitations discouraging people from accepting the invitation unless they 
know what OTR is (and know more than just "OTR is encryption for your 
chats").

You say people choose OTR for its confidentiality and/or deniability, but 
that means that we will have to ensure that it is not used by the people who 
do not want those features, but only encryption. I think that is exactly the 
wrong direction for OTR to go, I want more people to use it, not less.

Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 938 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-dev/attachments/20130314/9a46381b/attachment.pgp>


More information about the OTR-dev mailing list