[OTR-dev] Security guarantee of OTR AKE

Nick Guenther nguenthe at uwaterloo.ca
Fri Dec 11 16:09:29 EST 2015

On December 11, 2015 1:19:20 AM EST, "U.Mutlu" <um at mutluit.com> wrote:
>So, my question is: does OTR protect against impersonation and MITM
>in the AKE phase? Or is it a TOFU protocol like SSH?

This is what the "verify" steps are for. You trade a secret key with someone and ask them to enter it, or you ask them a question only they could know. That's the idea, at least. In practice I've found that these options are unusable, because in the second your partner needs to spell their answer exactly as you intended and they always miss a capital or a period, and in the first you need an out-of-band channel or to meet up first.

The third verification option, just accepting blindly, makes OTR a TOFU protocol. This is what I do most of the time, even when my friends' clients change (and now you all know to MITM me, I guess). Or, if you do meet up in person, you can just verify fingerprints instead of trading a key to verify later. Xabber even lets you trade fingerprints via QR code.

Nick Guenther
4B Joint Stats/CS
University of Waterloo
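An added example, not from this thread or from any OTR client, of the trust-on-first-use behaviour described above: a client-side store that pins a contact's fingerprint the first time it is seen and reports a later change instead of silently accepting it, plus a hypothetical normalisation of the question/answer secret so that a missed capital or trailing period does not cause a spurious mismatch. Account and contact names, fingerprints and answers are constructed sample values.

```python
import hmac
import re
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    FIRST_USE = "first-use"  # no pin yet: trusted on first use (TOFU)
    MATCH = "match"          # pinned fingerprint unchanged
    MISMATCH = "mismatch"    # pin changed: new client, or a MITM on the AKE


@dataclass
class TofuStore:
    """Per-account pins of contact fingerprints (hypothetical client store)."""
    pins: dict = field(default_factory=dict)    # (account, contact) -> fingerprint
    verified: set = field(default_factory=set)  # pins confirmed out of band or by question

    def check(self, account: str, contact: str, fingerprint: str) -> Outcome:
        key = (account, contact)
        fp = fingerprint.replace(" ", "").upper()  # tolerate the spaced display form
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp           # blind acceptance, recorded for next time
            return Outcome.FIRST_USE
        if hmac.compare_digest(pinned, fp):
            return Outcome.MATCH
        return Outcome.MISMATCH            # never overwrite the pin silently

    def mark_verified(self, account: str, contact: str) -> None:
        """Record that the pin was confirmed in person, by QR code, or by question."""
        self.verified.add((account, contact))

    def is_verified(self, account: str, contact: str) -> bool:
        return (account, contact) in self.verified


def normalize_answer(answer: str) -> str:
    """Hypothetical usability tweak: lower-case, drop punctuation, collapse spaces,
    so 'Paris.' and 'paris' agree. This trades a little entropy in the shared
    secret for fewer false mismatches; a real client would have to apply it on
    both sides before the secret enters the comparison."""
    stripped = re.sub(r"[^\w\s]", "", answer)
    return re.sub(r"\s+", " ", stripped).strip().lower()


def answers_match(mine: str, theirs: str) -> bool:
    # constant-time comparison of the two normalised secrets
    return hmac.compare_digest(normalize_answer(mine), normalize_answer(theirs))
```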
