[OTR-users] Re: automatic end-private on logoff?
Robert Eden
rmeden at gmail.com
Mon Oct 29 14:51:47 EDT 2007
On 10/29/2007 1:32 PM, Paul Wouters wrote:
> On Mon, 29 Oct 2007, Robert Eden wrote
>> If I'm in a private conversation with someone and user #1 logs off, #2
>> still thinks the conversation is private.
>>
>> If #2 sends a message, AIM Mobile sends "junk" to my cell phone, instead of
>> clear text.
>> If #1 logs on from another computer, the first message is lost, but then
>> OTR resyncs with the new private key. (new computer also has OTR).
>>
>> I think OTR should automatically "end-private-conversation" when a log off
>> message is received. What do others think?
>>
>
> A) Some logoffs happen without sending a message (network disconnect)
> B) no clear text may ever flow if we expect crypted.
> C) there is no security on "log off" message, so an attacker could try
> and force you to disable crypto.
>
> The proper way to "log off" is to select "end private conversation", which
> does what you expect it to do. I am unsure why this is not done when one
> actively sends a "log off" (go offline) with pidgin. Ian?
>
> Paul
>
Well, the disconnected side is already gone.. the problem is the side
that stays up. I can see the problem with faking a logoff message.
Does Pidgin provide that sort of thing separate from the message
stream? If it does, auto end-conversation would be a nice feature. If
it doesn't, I agree that it's not worth the security risk.
Robert
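
The rule discussed in this thread (a logoff notice from outside the encrypted stream must never drop a private conversation to cleartext, while an end signal received inside it can safely stop sending) sketched as a small state model. This is an added example, not code from the post, Pidgin or libotr; the class, method and state names are hypothetical.

```python
from enum import Enum, auto

class State(Enum):
    PLAINTEXT = auto()  # no private conversation
    ENCRYPTED = auto()  # private conversation active
    FINISHED = auto()   # peer ended it; sending is blocked until the user decides

class Session:
    """One side of a conversation (hypothetical model, not libotr or Pidgin code)."""

    def __init__(self):
        self.state = State.ENCRYPTED
        self.notices = []

    def on_presence_logoff(self):
        # Presence comes from the IM network, outside the encrypted stream,
        # so it carries no authentication. Inform the user, change nothing.
        self.notices.append("peer appears offline; conversation is still private")

    def on_end_private(self, authenticated):
        # authenticated=True: the signal arrived inside the encrypted stream.
        if self.state is State.ENCRYPTED and authenticated:
            self.state = State.FINISHED
        elif not authenticated:
            self.notices.append("ignored unauthenticated end-private signal")

    def user_ends_private(self):
        # Only a local, explicit user action returns the session to cleartext.
        self.state = State.PLAINTEXT

    def send(self, text):
        if self.state is State.ENCRYPTED:
            return ("encrypted", text)  # stands in for real OTR encryption
        if self.state is State.FINISHED:
            raise PermissionError("peer ended the private conversation; not sending in the clear")
        return ("cleartext", text)

def demo():
    s = Session()
    s.on_presence_logoff()                 # forged or real, handled the same way
    s.on_end_private(authenticated=False)  # end signal from outside the stream
    after_unauthenticated = s.send("still private")[0]
    s.on_end_private(authenticated=True)   # genuine end from the peer
    try:
        s.send("secret")
        blocked = False
    except PermissionError:
        blocked = True
    return after_unauthenticated, blocked, s.state
```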