[OTR-users] Verification of OTR plugin for Trillian Pro

Aldert J.B.P. Hazenberg aldert at rotz.org
Thu Jun 29 08:22:13 EDT 2006


Nikita Borisov wrote:
> On 6/29/06, Aldert J.B.P. Hazenberg <aldert at rotz.org> wrote:
>> Aldert J.B.P. Hazenberg wrote:
>> > Hi Guys and Girls,
>> >
>> > I noticed that Trillian Pro now has an OTR plugin as well !
>> > (this time Twan of is the cool guy :) found emails from him in otr-dev)
>> >
>> > http://www.ceruleanstudios.com/downloads/detail.php?item=378
>> >
>> > Again question I have about this :
>> >
>> > 1. As it seems to me that this plugin is written by somebody not in
>> >    the "core" OTR team, should the code not be checked for "issues" ?
>> >
>> >    I cannot find the source code of the plugin, something that makes
>> >    it even harder to check I guess :)
>> >
>> > 2. Even if the code is ok, how can I be sure that the dll supplied is
>> >    built from that code ? (as the dll is not supplied by the OTR team)
> 
> I think whether the DLL is supplied by us or someone else is not
> really the issue; if you want to make sure that code you are running
> doesn't have "issues," you probably want to check and compile all your
> own software.  Obviously, you won't be able to do that with Trillian
> since the source code is available, and it sounds like the plugin has
> similar problems.  There isn't much we can do about it, whether you
> decide to use the plugin or switch to another IM program is up to you.
> 
I think whether any DLL is supplied by the OTR team or not is very much
an issue, (implicit) web of trust at work here where your and Ian's
reputation are at stake where both of you are known not just by me but
by the (security) community at large.

Checking and compiling everything yourself sounds like a good argument
but that would limit the number of people using OTR to ???? 5000 people
world wide or so that (can) understand all aspects involved.

And of course if your paranoia level is set high enough you should not
use computers at all :)

Do I understand through your answer that the OTR team does not keep an
eye on any OTR implementations not supplied by the OTR team (including
the OTR in AdiumX) ?

Aldert.

ps, No, the intention of my emails is -not- to cry "Useless!!" but to
    comprehend what is happening with the OTR 'concept' outside the
    OTR team



