[OTR-users] List of OTR-aware software

Brian Morrison bdm at fenrir.org.uk
Wed Jun 25 12:18:11 EDT 2008


db wrote:
> On Wed, Jun 25, 2008 at 5:14 PM, Brian Morrison <bdm at fenrir.org.uk> wrote:
> 
>> If you are using OTR, you should not be keeping any logs.
> 
> But that does not prevent the other party from keeping clear text logs.

Then you need to be more careful about the people with whom you have OTR
chats!

> 
>> The point is
>> plausible deniability.
> 
> Which OTR does not provide if the other party keeps logs.

See above....

> 
> 
>> Everyone should take all possible steps to protect their private
>> conversations, privacy is the root of a civilized society, no one else
>> has any rights to know what I am talking about with anyone else. That
>> especially includes governments and their agents, just because they can
>> monitor electronic communication does not mean that it should be any
>> easier for them than recording and transcribing every voice conversation
>> taking place in the entire country.
> 
> Yes, and that is what e.g., SSL offers. After using SSL (or PGP or
> similar) to secure the communication it is up to you to keep/delete
> the logs. SSL+no logs provides basically the same level of deniability
> as OTR, that is - the level of deniability depends on the other party
> keeping clear text logs or not.

OTR provides authentication between people that know each other in a way
that SSL does not and perhaps cannot. You never know whether your CA
providers have been subverted (after all they are corporations and so
have to do what governments and LEAs tell them to) and that a MITM
attack is being run.

Always think about ensuring further encryption above and beyond SSL when
you can.

VPNs are good as they can hide all the headers and other information
inside the tunnel. Try to find exit points in jurisdictions where the
state has included strong legal protections against arbitrary
interception without warrant.


> 
>>> In my case OTR even caused a lot of headache since most of my chat
>>> logs are trivial and I like to store them in my gmail account. Now I
>>> just have a lot of encrypted logs I never will be able to decode =
>>> phone numbers to friend's friends, e-mail addresses etc are lost
>>> forever.
>> Then don't store these important pieces of information in these logs
>> that you should not be keeping anyway, extract it and save it
>> separately. But remember that it might be incriminating in itself.
> 
> I find it really funny that you recommend me to not keep logs. I
> guess you immediately delete all e-mails you receive, burn all paper
> invoices (although the actual payment probably is traceable anyway),
> delete all browser cookies regularly etc. I on the other hand like to
> keep documentation (agreements, phone bills, personal letters) of some
> events for future reference.

I do pretty much what you suggest, where sensible and practical. I don't
keep extraneous crap (my house isn't big enough), and I try to ensure
that anything remotely contentious is in my head and leaves as few
traces as possible on my PCs.

> 
>> I'm very puzzled as to why you're using OTR, it appears to not do what
>> you want at all.
> 
> I don't use it any more, but I have subscribed to this mailing list
> for some time to find out a reason to start using it but the more I
> read, the more useless I consider it. I will probably start blocking
> people trying to use OTR with me in the near future since I see no
> reason for friends or people I work with to desire "deniability" about
> what they have written to me. If my manager would ask me to do
> something and then be able to deny that he sent me such a message - I
> can only see disadvantages with that situation.

I doubt I would use it for what you are suggesting, but if I'm chatting
with friends during work hours (at a low rate) then I don't for one
minute believe that the company Jabber server logs don't contain all I
have written so with some people I talk to I have OTR to keep things
private.

Am I paranoid? I don't think so, you can see the abuses cooked up by our
insane politicians and policemen in the news every day of the week,
don't let them delude you into thinking that spying on people in any way
enhances our safety in exchange for freedom. It doesn't, your best
defence of your freedom is to refuse to be conned and accept that a
madman may kill a few people but that is insignificant in comparison
with the danger posed by other things we accept without question.

If we all encrypted anything, then the incompetents would have to work a
lot harder to wreck what so many fought and died for in the past.

-- 

Brian


