[OTR-users] protecting the key

Daniel Perelman dap56 at cornell.edu
Wed Nov 9 12:51:17 EST 2011


(1) Correct. The OTR plugin does not ask for a passphrase or anything
on startup, so anyone who has your .purple folder can impersonate you.
Then again, if you have password-saving enabled, then the .purple
folder also contains the passwords for your IM account unencrypted. If
you are worried about someone else accessing that information, you
should encrypt your home directory (Ubuntu offers to do so on install,
you can probably look up how to do so later).

(2) OTR guarantees "perfect forward secrecy" so having your secret
keys does not allow an attacker to read your past conversations; it
only allows them to impersonate you in the future and therefore
theoretically intercept future conversations (actually intercepting
IMs would require a powerful attacker, especially given that XMPP and
AIM usually go over SSL). Naturally, if you discover that someone has
managed to access your .purple folder, you should change all of your
IM passwords and OTR private keys and notify anyone you use OTR with
to invalidate your old keys and verify your new ones.

(3) I am not an OTR dev, but I believe the issues you discuss are
outside of the scope of the OTR software.

  - Daniel


On Wed, Nov 9, 2011 at 07:47, Greg Reagle <reagle at cepr.net> wrote:
> Greetings and salutations.
>
> I have already searched http://www.cypherpunks.ca/otr/otr-codecon.pdf and
> http://www.cypherpunks.ca/otr/index.php#faqs for the answer to my questions.
>  If they are answered in some other document, please point me to it, and
> excuse me.
>
> I am using:
> $ COLUMNS=100 dpkg -l "*pidgin*" "*purple*"
> ||/ Name                Version
> +++-===================-===================-
> ii  libpurple-bin       1:2.6.6-1ubuntu4.3
> ii  libpurple0          1:2.6.6-1ubuntu4.3
> ii  pidgin              1:2.6.6-1ubuntu4.3
> ii  pidgin-data         1:2.6.6-1ubuntu4.3
> ii  pidgin-libnotify    0.14-1ubuntu14
> ii  pidgin-otr          3.2.0-5
>
> My private key appears to be stored on my filesystem
> in ~/.purple/otr.private_key, unencrypted.
>
> (1) Is my private key, in fact, stored unencrypted?
> (2) If yes, I suppose this is a major security weakness.  What are the
> security ramifications of this?
> (3) Are there any plans to remedy?
>
> Thanks!
>
> --
> Greg Reagle
> System Administrator
> Center for Economic and Policy Research
> reagle at cepr.net
> http://www.cepr.net/
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>
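The thread's two practical points are that the long-term key sits in plain text under ~/.purple and that, after a compromise, contacts must verify the replacement key's fingerprint. The script below is an added example written for this page, not code from the OTR project or from either poster. It assumes the libotr key-file layout, a libgcrypt S-expression of the form (privkeys (account (name "...") (protocol ...) (private-key (dsa (p #hex#) (q #hex#) (g #hex#) (y #hex#) (x #hex#))))), and that the fingerprint is SHA-1 over the DSA public values p, q, g, y encoded as OTR MPIs (4-byte big-endian length, then the magnitude bytes) with the 2-byte key-type prefix left out, which is how I understand libotr computes it; compare the result with Pidgin's fingerprint dialog before relying on it. The embedded key file is constructed with tiny, invalid DSA values purely to exercise the parsing path.

```python
"""Audit a Pidgin/libotr key store: list which accounts hold long-term
OTR keys, compute each key's fingerprint for out-of-band verification,
and flag lax file permissions. Added example, not OTR project code.

Assumptions (labelled): otr.private_key is a libgcrypt S-expression of
the form (privkeys (account (name "...") (protocol ...) (private-key
(dsa (p #hex#) (q #hex#) (g #hex#) (y #hex#) (x #hex#))))), and the
fingerprint is SHA-1 over the DSA public values p, q, g, y, each as an
OTR MPI (4-byte big-endian length, then magnitude bytes); the key-type
prefix is not hashed. Confirm against Pidgin's fingerprint dialog.
"""
import hashlib
import os
import re
import stat
from pathlib import Path

# Constructed sample, not a real key: the DSA values are tiny and do not
# form a valid key. Only the parsing and fingerprint code paths matter.
SAMPLE_KEY_FILE = """(privkeys
 (account
(name "alice@example.com")
(protocol prpl-jabber)
(private-key
 (dsa
  (p #00A3D1#)
  (q #4F#)
  (g #02#)
  (y #1234#)
  (x #0BAD#)
  )
 )
 )
)
"""

# One (account ...) block: name, protocol, and the run of (letter #hex#)
# parameters inside (dsa ...). Assumed layout, see module docstring.
_ACCOUNT_RE = re.compile(
    r'\(account\s*\(name\s+"([^"]*)"\)\s*\(protocol\s+([^)\s]+)\)'
    r'\s*\(private-key\s*\(dsa\s*((?:\([a-z]\s+#[0-9A-Fa-f]*#\)\s*)+)\)',
    re.S,
)
_PARAM_RE = re.compile(r'\(([a-z])\s+#([0-9A-Fa-f]*)#\)')


def parse_private_keys(text):
    """Return a list of dicts: name, protocol, and the DSA ints p,q,g,y,x."""
    keys = []
    for name, protocol, body in _ACCOUNT_RE.findall(text):
        params = {k: int(v or "0", 16) for k, v in _PARAM_RE.findall(body)}
        missing = {"p", "q", "g", "y", "x"} - params.keys()
        if missing:
            raise ValueError("key for %s lacks %s" % (name, sorted(missing)))
        keys.append({"name": name, "protocol": protocol, **params})
    return keys


def mpi(n):
    """OTR MPI encoding: 4-byte big-endian length, then the minimal
    big-endian magnitude (no leading zero bytes; 0 encodes as length 0)."""
    if n < 0:
        raise ValueError("MPI must be non-negative")
    mag = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return len(mag).to_bytes(4, "big") + mag


def serialize_pubkey(key):
    """Public part only: p, q, g, y. The private x is never serialized."""
    return b"".join(mpi(key[k]) for k in ("p", "q", "g", "y"))


def fingerprint(key):
    """40 hex chars, grouped the way Pidgin displays them (5 groups of 8)."""
    h = hashlib.sha1(serialize_pubkey(key)).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, 40, 8))


def permission_findings(path):
    """Report key material readable by other local users.
    Returns a list of human-readable findings (empty if nothing is wrong)."""
    findings = []
    path = Path(path)
    if not path.exists():
        return ["%s does not exist" % path]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s is mode %o; should be 0600" % (path, mode))
    parent_mode = stat.S_IMODE(path.parent.stat().st_mode)
    if parent_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s is mode %o; should be 0700" % (path.parent, parent_mode))
    return findings


def audit(purple_dir):
    """Combine both checks for a .purple directory."""
    key_path = Path(purple_dir) / "otr.private_key"
    report = {"findings": permission_findings(key_path), "keys": []}
    if key_path.exists():
        for key in parse_private_keys(key_path.read_text()):
            report["keys"].append((key["name"], key["protocol"], fingerprint(key)))
    return report


if __name__ == "__main__":
    for k in parse_private_keys(SAMPLE_KEY_FILE):
        print(k["name"], k["protocol"], fingerprint(k))
    for line in audit(os.path.expanduser("~/.purple"))["findings"]:
        print("WARNING:", line)
```

Tightening modes (chmod 700 ~/.purple; chmod 600 ~/.purple/otr.private_key) only keeps other accounts on the same host out; it does nothing against someone who copies the directory off the disk, which is why the reply above points at home-directory encryption. The fingerprint output is what you hand to contacts over a separate channel after rotating a key, so they can check the new value rather than trusting whatever arrives over the IM network.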


