[OTR-users] new user, comments on authentication

Ian Goldberg ian at cypherpunks.ca
Mon Nov 26 18:35:42 EST 2007


On Sun, Nov 25, 2007 at 05:20:59PM -0600, Harlan Iverson wrote:
> For my friends, they just 'knew' at the time that they were talking to me,
> so authenticating using a shared secret was not something that they cared to
> investigate further.

How could they possibly know this?  Without doing some kind of
authentication (either the manual fingerprint check or the shared
secret), there's no way to distinguish a working OTR connection and one
that's going through a MITM (say, the automated OTR MITM plugin for
ejabberd: http://www.ejabberd.im/mod_otr ).

   - Ian
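
Added example (not part of the original message, and not OTR's own protocol code): a toy Diffie-Hellman exchange showing that a session through a key-substituting relay looks exactly like a direct one to each user, and that only comparing the peer's key fingerprint with a value obtained out of band tells the two apart. The group parameters, the `Party` helper and the SHA-256-based fingerprint are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this demo; far too small for real use.
P = 2**127 - 1
G = 3


def fingerprint(pub):
    """Short digest of a public key: the value two users compare out of band."""
    return hashlib.sha256(str(pub).encode()).hexdigest()[:40]


class Party:
    """A chat endpoint (or relay) holding one key pair. Hypothetical helper."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)

    def session_key(self, peer_pub):
        return hashlib.sha256(str(pow(peer_pub, self.priv, P)).encode()).digest()


def run_session(alice, bob, relay=None):
    """Exchange keys, optionally via a relay that substitutes its own key.

    Returns only what the two users can observe locally.
    """
    alice_got = relay.pub if relay else bob.pub
    bob_got = relay.pub if relay else alice.pub
    k_alice, k_bob = alice.session_key(alice_got), bob.session_key(bob_got)
    if relay:
        # The relay shares one key with each side, so both legs decrypt cleanly.
        works = (k_alice == relay.session_key(alice.pub)
                 and k_bob == relay.session_key(bob.pub))
    else:
        works = k_alice == k_bob
    return {"channel_works": works,
            "alice_sees": fingerprint(alice_got),
            "bob_sees": fingerprint(bob_got)}


def verified(seen_fp, out_of_band_fp):
    """The manual fingerprint check: constant-time comparison of two digests."""
    return hmac.compare_digest(seen_fp, out_of_band_fp)
```

In both runs `channel_works` is true, so a working encrypted chat carries no evidence either way; only `verified` differs.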


