[OTR-users] new user, comments on authentication

Ian Goldberg ian at cypherpunks.ca
Mon Nov 26 21:15:26 EST 2007


On Mon, Nov 26, 2007 at 07:47:36PM -0600, Harlan Iverson wrote:
> Ian,
> 
> We didn't 'know' for sure, hence the quotes. When you chat with a person
> regularly you pick up on their grammar, slang usage, punctuation, etc. It's
> not scientific, but it's certainly relevant to my experience with the
> authentication process and I'll explain. They already 'know' they're talking
> to me, and I already 'know' I'm talking to them based on those factors,
> combined with the minuscule probability that we are targets of covert
> surveillance or subject to a MITM attack. Others might not be so safe in
> those assumptions.

But that's just it: with a MITM attack, you *really are* talking to your
friend.  You'll get all the grammar, slang, etc. that you expect from
your friend.  But the IM server operator is also logging your
supposedly private conversation.

> You are correct that we certainly do not know with 100% certainty, and this
> is the reason I would like authentication to be more accessible. As it
> stands right now, authenticating properly feels like an extra, unnecessary
> step because 1) There is the aforementioned assumption that the person is
> who you think it is, and 2) the "OTR: Private" icon can easily be displayed
> without going through that step, by blindly confirming the other party's
> fingerprint. I realize in theory there is some chance that is not correct,
> but the average user doesn't think that way. If a way can be found to make
> it easier, why not explore it?

Indeed, you're right.  As I mentioned in another post, we're currently
doing user studies in order to see where the user issues with OTR are,
so we can improve them.

> The conversations have all gone something like this:
> 
> Me: Hey, have you heard about Off The Record?
> Them: No, what's that?
> Me: [explanation of encryption, authentication, deniability, perfect forward
> secrecy, link to website with gaim plugin]
> Them: Cool [download and enable]
> OTR Started, make sure to verify and authenticate
> Me: Alright, let's authenticate with the ____ of _____
> Them: Alright, it says Private. cool

If it says "Private" (as opposed to "Unverified"), then he must have
successfully authenticated.  Unless he somehow found the
"Authenticate Buddy" > "Advanced" > "I have" sequence?

> Nobody wants to feel like a pain in the ass, and by having felt that way
> three times now it's seeming like a usability issue. I'm not trying to
> insult your work or be a pebkac, I do honestly want to see *everyone* adopt
> secure and private messaging. You can write it off as me and everyone I've
> shared it with being clueless if you wish, I just thought I'd try to help
> out.

We're really happy with your user reports, for sure!  We also want to
see all messaging be secure and private.  Ideally, it'll be that way by
default, and without the user even knowing it.  [Of course, the user
won't be able to defend against MITM in that situation, but they'd be no
worse off than they are now.]

Thanks,

   - Ian
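Ian's point above, that under a MITM the conversation itself arrives intact while the relay keeps a copy, and Harlan's observation that blindly confirming a fingerprint still yields the "Private" icon, both come out in a small simulation. This is an added example, not OTR's code or anything posted to the list: the Diffie-Hellman group, the XOR stream cipher, the party names and the message are all constructed for illustration, and the SHA-1 fingerprint layout only imitates the groups-of-eight display OTR clients use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this illustration only. OTR's
# real AKE uses a 1536-bit MODP group with DSA signatures; none of that is
# modelled here.
P = 2**127 - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_key(priv: int, peer_pub: int) -> bytes:
    """Session key derived from the DH shared secret."""
    s = pow(peer_pub, priv, P)
    return hashlib.sha256(s.to_bytes(KEY_BYTES, "big")).digest()


def fingerprint(pub: int) -> str:
    """Fingerprint of a key, shown as five groups of eight hex digits,
    the layout OTR clients use for their DSA-key fingerprints."""
    h = hashlib.sha1(pub.to_bytes(KEY_BYTES, "big")).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, 40, 8))


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 keystream. Symmetric, so the
    same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_conversation(server_is_mitm: bool) -> dict:
    """Alice messages Bob through an IM server. An honest server passes the
    public keys through; a malicious one substitutes its own in each
    direction and holds a separate session key with each side."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    if server_is_mitm:
        s_priv, s_pub = dh_keypair()
        alice_sees, bob_sees = s_pub, s_pub        # both sides get the server's key
        k_server_alice = dh_key(s_priv, a_pub)     # server's key towards Alice
        k_server_bob = dh_key(s_priv, b_pub)       # server's key towards Bob
    else:
        alice_sees, bob_sees = b_pub, a_pub        # honest relay: keys unchanged
    k_alice = dh_key(a_priv, alice_sees)
    k_bob = dh_key(b_priv, bob_sees)

    plaintext = b"hey, have you heard about Off The Record?"
    wire = xor_stream(k_alice, plaintext)
    logged = None
    if server_is_mitm:
        logged = xor_stream(k_server_alice, wire)  # decrypt, log, re-encrypt
        wire = xor_stream(k_server_bob, logged)
    delivered = xor_stream(k_bob, wire)

    # Two ways Bob can reach the "Private" icon: clicking "I have verified"
    # without comparing anything accepts whatever key his client holds,
    # while comparing that key's fingerprint against the one Alice reads
    # to him over another channel catches a substituted key.
    return {
        "delivered": delivered,
        "server_logged": logged,
        "blind_confirm_shows_private": True,
        "fingerprints_match": fingerprint(bob_sees) == fingerprint(a_pub),
    }


if __name__ == "__main__":
    for mitm in (False, True):
        r = run_conversation(server_is_mitm=mitm)
        print(f"mitm={mitm}: Bob got {r['delivered']!r}, "
              f"server logged {r['server_logged']!r}, "
              f"fingerprints match: {r['fingerprints_match']}")
```

In both runs Bob receives exactly what Alice typed, with her wording, slang and punctuation untouched, which is why familiarity with a friend's style cannot distinguish the two cases; only the fingerprint comparison does, and only when it is actually performed rather than clicked through.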


