[OTR-users] Fantastic ... and a bug?

Ian Goldberg ian at cypherpunks.ca
Mon Dec 13 15:46:05 EST 2004


On Mon, Dec 13, 2004 at 02:56:33PM -0500, Gregory Maxwell wrote:
> I'm thrilled to find OTR, as it has exactly the cryptographic
> properties I desire in a chat system...

Welcome!  (I notice you haven't joined otr-announce; you should
probably do that.)

> It would be nice if there was
> a facility to authenticate OTR signature keys using GPG so users could
> leverage an existing web-of-trust, but I guess thats easy enough to do
> by hand.

That's what we figured, too; it only needs to be done once.

> Most of my aim using friends are windows (mostly gaim though), not
> online, or center icq users.. so I haven't been able to test it yet,

Paul is apparently Very Close to having OTR working on Windows gaim. ;-)

> but I did try establishing an OTR conversation with myself... 
> Whenever I transmit I get  " ?OTR Error: You transmitted a malformed
> data message"

Yeah, that's really unlikely to work (sending messages to yourself).
Unless you make more than one AIM account; I just tried that, and it
works fine in that case.

In any event, I'm currently online as "otr4ian" on AIM if you'd like
to try it out.

> I haven't looked at the source code, so I'll assume that OTR doesn't
> already, but it might be useful from a privacy standpoint to insert
> some amount of random padding in the messages to help disguise the
> length of messages.

The protocol actually supports that (though that should be made clear in
the Protocol document): the cleartext message can be NUL-padded to any
length.  But the plugin doesn't actually add any padding; it turns out
it's surprisingly difficult to statistically protect messages well via
random padding.  Padding up to a fixed size is much better, but then
you need to choose a size that (a) will accomodate any message you're
going to send, (b) is within your pain tolerance of "wasteful", and
(c) will fit within the maximum size limits of IMs on various networks.

Thanks for your interest!

   - Ian



More information about the OTR-users mailing list