[OTR-users] new user, comments on authentication

Harlan Iverson h.iverson at gmail.com
Mon Nov 26 20:47:36 EST 2007


Ian,

We didn't 'know' for sure, hence the quotes. When you chat with a person
regularly you pick up on their grammar, slang usage, punctuation, etc. It's
not scientific, but it's certainly relevant to my experience with the
authentication process and I'll explain. They already 'know' they're talking
to me, and I already 'know' I'm talking to them based on those factors,
combined with the minuscule probability that we are targets of covert
surveillance or subject to a MITM attack. Others might not be so safe in
those assumptions.

You are correct that we certainly do not know with 100% certainty, and this
is the reason I would like authentication to be more accessible. As it
stands right now, authenticating properly feels like an extra, unnecessary
step because 1) There is the aforementioned assumption that the person is
who you think it is, and 2) the "OTR: Private" icon can easily be displayed
without going through that step, by blindly confirming the other party's
fingerprint. I realize in theory there is some chance that is not correct,
but the average user doesn't think that way. If a way can be found to make
it easier, why not explore it?

The conversations have all gone something like this:

Me: Hey, have you heard about Off The Record?
Them: No, what's that?
Me: [explanation of encryption, authentication, deniability, perfect forward
secrecy, link to website with gaim plugin]
Them: Cool [download and enable]
OTR Started, make sure to verify and authenticate
Me: Alright, lets authentication with the ____ of _____
Them: Alright, it says Private. cool
Me: Did you use the pass phrase?
Them: I don't know, but it says private.
Me: Did you get any kind of dialog or anything? It says it's waiting.
Them: It says it's private, so it must have worked.
Me: Here, I'll cancel it. Try going to Authenticate and typing in the answer
to that question
Them: I don't know, it says it's private though.
[by this time I'm feeling like a pain in the ass and drop it, because I have
my false sense of certainty that it's them anyway]

Nobody wants to feel like a pain in the ass, and by having felt that way
three times now it's seeming like a usability issue. I'm not trying to
insult your work or be a pebkac, I do honestly want to see *everyone *adopt
secure and private messaging. You can write it off as me and everyone I've
shared it with being clueless if you wish, I just thought I'd try to help
out.

Best regards,
Harlan




On Nov 26, 2007 5:35 PM, Ian Goldberg <ian at cypherpunks.ca> wrote:

> On Sun, Nov 25, 2007 at 05:20:59PM -0600, Harlan Iverson wrote:
> > For my friends, they just 'knew' at the time that they were talking to
> me,
> > so authenticating using a shared secret was not something that they
> cared to
> > investigate further.
>
> How could they possibly know this?  Without doing some kind of
> authentication (either the manual fingerprint check or the shared
> secret), there's no way to distinguish a working OTR connection and one
> that's going through a MITM (say, the automated OTR MITM plugin for
> ejabberd: http://www.ejabberd.im/mod_otr ).
>
>   - Ian
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20071126/c1282050/attachment.html>


More information about the OTR-users mailing list