[OTR-users] Flaw in OTR Protocol (with workaround!)

The OTR Dev Team otr at cypherpunks.ca
Sun Jul 24 10:55:04 EDT 2005


Well, this is the benefit of open protocols and open source.  :-)

Researchers from the Università di Catania (Italy) and IBM have looked
at the OTR protocol, and pointed out a flaw, which is this:

If Alice tries to communicate with Bob, Mallory (an active attacker) can
make Bob _think_ he's talking to Mallory, when he's actually talking to
Alice.  Alice correctly knows she's talking to Bob.  Note that Mallory
can't actually _read_ the messages between Alice and Bob.

For example, if Bob thinks he's talking to Mallory, he may tell her
something in confidence he would not want Alice to hear.  Note that
although Mallory could relate this confidential information to Alice
herself, in the attack scenario Alice has assurance that the
message came from Bob rather than having to take Mallory's word for it.

There's a simple temporary workaround: Alice should say "Hi, this is
Alice." at the beginning of the conversation, alerting Bob to any
possible attack.  Likewise, Bob should identify himself to prevent
the attack in the opposite direction.

But in the longer term, we're going to fix the protocol to prevent the
attack in the first place.  Unfortunately, this will mean changing the
wire protocol, which will cause incompatibility.  The current plan is
for the next version of libotr to support both the current and new
protocols (with an option to disallow the current protocol); if you
communicate with someone speaking the current protocol, it will let you
know that you should confirm your identity with the other person.  [Note
that in the attack scenario, the people communicating are not "in on"
the attack, so simply mentioning your own name inside the OTR
conversation is sufficient.]

As a side effect, if anyone's got other enhancements to OTR in the wings
that would require wire protocol changes, now's the time to speak up.  :-)

- The OTR Dev Team

[Note that Ian and Kat will shortly be off the net until Monday evening,
but Nikita may be around.]
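
The following is an added illustration, not part of the original message and not OTR or libotr code: a small model of the misattribution described above and of the self-introduction workaround. It assumes a key exchange in which each party signs only its own Diffie-Hellman value, and it uses a toy Schnorr signature over a toy group. The `bound` variant (a MAC of the sender's key under the session secret) is one standard identity-binding technique, shown as an assumption rather than as the fix the message promises; all names are hypothetical.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2   # toy group (assumption): P is prime, exponents taken mod P-1

def H(*parts):          # hash arbitrary values to an integer
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def keygen():           # used for long-term keys and ephemeral DH values alike
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sign(priv, msg):    # toy Schnorr signature, illustration only
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k + H(r, msg) * priv) % (P - 1)

def verify(pub, sig, msg):
    r, s = sig
    return pow(G, s, P) == r * pow(pub, H(r, msg), P) % P

def mac(key, pub):      # identity tag keyed by the DH session secret
    return hmac.new(str(key).encode(), str(pub).encode(), hashlib.sha256).hexdigest()

def auth(priv, pub, my_dh, session=None):
    """Weak form signs only the sender's DH value; bound form adds an identity tag."""
    return {"pub": pub, "dh": my_dh, "sig": sign(priv, my_dh),
            "tag": mac(session, pub) if session is not None else None}

def accept(msg, contacts, session=None):
    """Return the contact name the receiver attributes the session to, or None."""
    if not verify(msg["pub"], msg["sig"], msg["dh"]):
        return None
    ok = session is None or hmac.compare_digest(str(msg["tag"]), mac(session, msg["pub"]))
    return contacts.get(msg["pub"]) if ok else None

def greeting_conflict(attributed, introduced_as):
    """The workaround: flag an in-channel self-introduction naming someone else."""
    return attributed is not None and attributed != introduced_as

def scenario(bound):
    """Who Bob attributes (direct message, same DH value re-signed by another key) to."""
    (a, A), (m, M), (x, gx), (y, gy) = (keygen() for _ in range(4))
    contacts = {A: "Alice", M: "Mallory"}           # keys Bob already knows
    k_alice, k_bob = pow(gy, x, P), pow(gx, y, P)   # equal; the relay never learns it
    sent = auth(a, A, gx, k_alice if bound else None)
    relayed = dict(sent, pub=M, sig=sign(m, gx))    # constructed input: re-signed copy
    return tuple(accept(v, contacts, k_bob if bound else None) for v in (sent, relayed))
```
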


