[OTR-dev] Pidgin buzz is not encrypted
Andre Bubel
ml at andre-bubel.de
Thu Mar 20 13:21:35 EDT 2014
Hi,
I noticed, that buzzing someone in Pidgin using OTR is not encrypted.
The bug report below is copied from Archimedes ticket under
https://developer.pidgin.im/ticket/11928
It was closed, because "This issue is caused by a third party plugin."
----
When using the OTR plugin for secure conversations, the
Attention/Buzz/Nudge? is send in plaintext instead of encrypted (at
least in jabber, can't tell for other protocols as ICQ doesn't work atm):
(23:56:30) The following message received from archimedes at jabber.*.de
was not encrypted: [Archimedes has buzzed you!]
Though this is just a minor leak of information, it should still be
avoided to preserve complete privacy of the conversation.
I guess this is a libpurple bug, as both the button and the /buzz
command show this behaviour.
In a short:
Steps to reproduce:
Start a chat
Enable OTR
Send /buzz or click "Attention!" Button
What happes:
Buddy gets an *unencrypted* buzz message
What is expected:
Buddy gets an *encrypted* buzz message
More information about the OTR-dev
mailing list