[OTR-dev] /me bug

Thijs Alkemade me at thijsalkema.de
Tue Sep 10 17:03:40 EDT 2013


On 10 sep. 2013, at 22:35, Ian Goldberg <ian at cypherpunks.ca> wrote:
> 
> (Warning: it's been probably more than a decade since I looked at the
> irc low-level protocol.)
> 
> If the user types "/me nods", what do you *want* to get sent over the
> wire?
> 
> \001ACTION ?OTR:AAMD...
> 
> (which leaks that it *was* an action, and its approximate length)
> 
> \001PRIVMSG ?OTR:AAMD...
> 
> where the plaintext starts with "/me "?
> 
> 
> In any event, isn't it the case that the prpl-irc plugin can modify the
> plaintext of the action however it likes, raise sending-im-msg, and then
> massage the result however it likes?  (Some care will need to be taken
> to deal with fragmentation.)
> 
>   - Ian

Just to be clear, the unencrypted format is:

    PRIVMSG nick :\001ACTION foo.\001

When using OTR, one option is to send:

    PRIVMSG nick :\001ACTION ?OTR:...\001

And the other:

    PRIVMSG nick :?OTR:...

In a discussion on this list last December, the second option seems to have
been the favorite, but it was also noted that many clients don't handle this
properly.

Does the first one leak much information? Probably not, but it does give an
active attacker a possible way to mess up a conversation. A message can mean
something very different when "/me" is placed in front of it. Therefore I
think it should be encrypted.

Other CTCP commands are probably less interesting, maybe except those related
to DCC.

Regards,
Thijs
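
Added example (not part of the original message and not libotr or Pidgin code): the two wire formats above, run through a receiver to show that the outer CTCP ACTION wrapper is not covered by message authentication, while a "/me " carried in the plaintext is. The OTR layer is a stand-in (an HMAC tag over unencrypted text with a constructed key), the function names are hypothetical, and carrying the action as a leading "/me " follows the suggestion quoted from Ian.

```python
import base64, hashlib, hmac

KEY = b"constructed-demo-key"      # constructed sample value, not a real OTR key
CTCP_ACTION = "\x01ACTION "        # CTCP framing: \001ACTION <text>\001

def protect(plaintext):
    """Stand-in for OTR (assumption): authenticate the text, prefix '?OTR:'."""
    body = plaintext.encode()
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return "?OTR:" + base64.b64encode(tag + body).decode() + "."

def unprotect(blob):
    """Verify the tag and return the text; raise if the blob was altered."""
    raw = base64.b64decode(blob[len("?OTR:"):-1])
    tag, body = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return body.decode()

def send_action_outside(nick, text):
    """First option: the ACTION wrapper stays outside the protected blob."""
    return f"PRIVMSG {nick} :{CTCP_ACTION}{protect(text)}\x01"

def send_action_inside(nick, text):
    """Second option: the action marker travels inside the protected text."""
    return f"PRIVMSG {nick} :{protect('/me ' + text)}"

def unwrap_ctcp(payload):
    """Return (had_action_wrapper, inner_payload) for a PRIVMSG payload."""
    if payload.startswith(CTCP_ACTION) and payload.endswith("\x01"):
        return True, payload[len(CTCP_ACTION):-1]
    return False, payload

def receive(line):
    """Return (is_action, text) as the receiving client would display it."""
    outer_action, blob = unwrap_ctcp(line.split(" :", 1)[1])
    text = unprotect(blob)
    if text.startswith("/me "):            # authenticated action marker
        return True, text[4:]
    return outer_action, text              # marker taken from unauthenticated framing

def without_wrapper(line):
    """The same line as it would arrive if the outer wrapper were lost in transit."""
    head, payload = line.split(" :", 1)
    return f"{head} :{unwrap_ctcp(payload)[1]}"
```

With the first format, `receive(without_wrapper(...))` still passes authentication but reports a normal message instead of an action; with the second format the line has no outer wrapper to lose.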