[OTR-users] pidgin OTR leaks presence information to unauthorized people
    nilclass at riseup.net
    Fri Dec 16 09:33:41 EST 2011

Hi,

Assume this situation:
Alice and Bob both have an OTR-enabled client.
Alice has not approved that Bob may see her presence.
They are both online.

Bob starts an OTR conversation with Alice, sending some junk or whatever.
Now if this weren't an OTR message, there would be no feedback from Alice,
so no way for Bob to figure out whether Alice is currently online.
With OTR enabled, Alice's client automatically performs the OTR handshake,
which tells Bob that Alice is:
1) using an OTR-enabled client
2) currently online

A possible solution would be not to filter messages through
otrl_message_sending/otrl_message_receiving, unless the peer either has a
valid presence subscription or Alice has manually requested/approved the
OTR conversation or Alice has already participated in the conversation.
'()
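
The gating rule proposed in the message above, sketched as an added example that is not part of the original post and is not Pidgin or libotr code. The `peer_state` struct, the `route` enum and all function names are hypothetical; only the `?OTR` message prefix and the two `otrl_message_*` names in the comments come from OTR itself.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-contact state; field names are assumptions, not Pidgin's. */
struct peer_state {
    bool presence_subscribed; /* peer holds a valid presence subscription */
    bool otr_approved;        /* user manually requested/approved OTR */
    bool user_participated;   /* user has already written in this conversation */
};

enum route { ROUTE_BYPASS, ROUTE_OTR };

/* Any one of the three conditions from the message unlocks OTR processing. */
static bool otr_permitted(const struct peer_state *p)
{
    return p->presence_subscribed || p->otr_approved || p->user_participated;
}

/* Incoming: ROUTE_OTR = hand to otrl_message_receiving, ROUTE_BYPASS = skip it. */
enum route route_incoming(const struct peer_state *p)
{
    return otr_permitted(p) ? ROUTE_OTR : ROUTE_BYPASS;
}

/* Outgoing: the user writing counts as participation, so the message
 * may go through otrl_message_sending from then on. */
enum route route_outgoing(struct peer_state *p)
{
    p->user_participated = true;
    return ROUTE_OTR;
}

/* Would the client answer this message by itself? Simplified model: only OTR
 * protocol messages (prefix "?OTR") that reach the OTR layer can trigger an
 * automatic reply. Whitespace-tagged plaintext is not modeled here. */
bool probe_answered(const struct peer_state *p, const char *msg)
{
    bool is_otr = msg != NULL && strncmp(msg, "?OTR", 4) == 0;
    return is_otr && route_incoming(p) == ROUTE_OTR;
}

int main(void)
{
    struct peer_state bob = { false, false, false }; /* constructed: unauthorized peer */
    printf("probe before reply: %d\n", probe_answered(&bob, "?OTRv2?"));
    route_outgoing(&bob);
    printf("probe after reply:  %d\n", probe_answered(&bob, "?OTRv2?"));
    return 0;
}
```

With the gate in place, an OTR query from an unauthorized peer never reaches the OTR layer, so the client's behaviour is the same as for any other unsolicited message.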