[OTR-dev] Clever logging for weechat_otr plugin (+ log management discussion)

Daniel ".koolfy" Faucon koolfy at koolfy.be
Thu Mar 14 11:24:43 EDT 2013


On Thu, 14 Mar 2013 07:36:48 -0700
Gregory Maxwell <gmaxwell at gmail.com> wrote:


> OTR should be integrated and on by default in software and
> opportunistically enabled without request— and it _is_. Without this I
> wouldn't be able to use OTR in all my chat conversations because it
> would be too hard to nag all the remote parties to install and enable
> it,
[snip]

So on one end of the spectrum, we have people mostly using cleartext
conversations, and turning OTR on when they want to have a
confidential/private conversation. Those probably want those OTR
conversations to be off the logs.

On the other end of the spectrum, we have users who, like you, use OTR
on every single conversation they have (or close), and thus, under a
"no-log-by-default" policy, will end up with no logs at all, even for
less "confidential" conversations. Those probably want the opposite:
log OTR sessions by default (since that's how most of they everyday
conversation happen), and disable logs for those few very sensitive
conversations. (or not at all, if they believe encryption is enough of
a logging policy --I don't.)


Now, realistically, on what end of the spectrum are currently 95% of
OTR users around the world?

We could have the "hey, I really want to log OTR conversations by
default, I know what I'm doing, trust me I'll disable logs when I
really need to!" button, but if it's there, there is too much of a risk
that most people will enable it without much of a though, without
understanding what they are doing or the implications, or even forget
they enabled logs for everything ever.


Eventually, when OTR is the default everywhere, this button might be
more useful or reasonable.
(...Unless we educate people to only enable logs for very specific
conversations, even if they have encryption. I think this is what
people call "defense-in-depth".)


What would you all thing of this solution:

- By default, no OTR logs are generated.
- There is a way to enable logging of an OTR conversation. Logging of
  later OTR sessions will revert to "OFF" unless the user switches them
  to ON again.
- There is a configuration option permanently allow the systematic
  logging of OTR sessions, but it has to be enabled manually.
- When an OTR session starts and will be logged, a warning is shown to
  the user, reminding this conversation will be logged and that this is
  potentially dangerous to both parties.
- When an OTR session starts and will *NOT* be logged, a warning is
  shown to the user, reminding this conversation will not be logged.

That way:
- Most users won't log by accident unless they specifically asked the
  OTR implementation to do so.
- Users can't forget about a "logging" switch left to "ON" because they
  will be reminded every time.
- Users can't be surprised no logs are being kept because they are
  warned every time.
- Users are reminded that leaving logging ON is dangerous (some might
  not think about it), everytime they leave logging ON.


I won't like implementing the "please log every OTR conversation"
setting, but I think that way, *all* concerns expressed here are
effectively addressed.

Also, this behavior fits every profile in the spectrum. Even a "OTR is
widespread and used en-masse" scenario.


If we agree on this I'll get to work on implementing exactly this for
weechat-otr, maybe try writing little patches for pidgin-otr, and ask
jitsi if they would agree on such a policy for their OTR integration.

-- 
Daniel ".koolfy" Faucon

Tel: France : (+33)(0)658/993.700
PGP Fingerprint : 485E 7C63 8D29 F737 FEA2  8CD3 EA05 30E6 15BE 9FA5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-dev/attachments/20130314/6b3cfe52/attachment.pgp>


More information about the OTR-dev mailing list