[OTR-users] protecting the key

Greg Reagle reagle at cepr.net
Wed Nov 9 13:10:50 EST 2011


Great answers!  Can this be added to the FAQs on the website?  I would suggest combining them into one entry with three sub-questions.

On 11/09/2011 12:51 PM, Daniel Perelman wrote:
> (1) Correct. The OTR plugin does not ask for a passphrase or anything
> on startup, so anyone who has your .purple folder can impersonate you.
> Then again, if you have password-saving enabled, then the .purple
> folder also contains the passwords for your IM account unencrypted. If
> you are worried about someone else accessing that information, you
> should encrypt your home directory (Ubuntu offers to do so on install,
> you can probably look up how to do so later).
> 
> (2) OTR guarantees "perfect forward secrecy" so having your secret
> keys does not allow an attacker to read your past conversations; it
> only allows them to impersonate you in the future and therefore
> theoretically intercept future conversations (actually intercepting
> IMs would require a powerful attacker, especially given that XMPP and
> AIM usually go over SSL). Naturally, if you discover that someone has
> managed to access your .purple folder, you should change all of your
> IM passwords and OTR private keys and notify anyone you use OTR with
> to invalidate your old keys and verify your new ones.
> 
> (3) I am not an OTR dev, but I believe the issues you discuss are
> outside of the scope of the OTR software.
> 
>   - Daniel
> 
> 
> On Wed, Nov 9, 2011 at 07:47, Greg Reagle <reagle at cepr.net> wrote:
>> Greetings and salutations.
>>
>> I have already searched http://www.cypherpunks.ca/otr/otr-codecon.pdf and
>> http://www.cypherpunks.ca/otr/index.php#faqs for the answer to my questions.
>>  If they are answered in some other document, please point me to it, and
>> excuse me.
>>
>> I am using:
>> $ COLUMNS=100 dpkg -l "*pidgin*" "*purple*"
>> ||/ Name                Version
>> +++-===================-===================-
>> ii  libpurple-bin       1:2.6.6-1ubuntu4.3
>> ii  libpurple0          1:2.6.6-1ubuntu4.3
>> ii  pidgin              1:2.6.6-1ubuntu4.3
>> ii  pidgin-data         1:2.6.6-1ubuntu4.3
>> ii  pidgin-libnotify    0.14-1ubuntu14
>> ii  pidgin-otr          3.2.0-5
>>
>> My private key appears to be stored on my filesystem
>> in ~/.purple/otr.private_key, unencrypted.
>>
>> (1) Is my private key, in fact, stored unencrypted?
>> (2) If yes, I suppose this is a major security weakness.  What are the
>> security ramifications of this?
>> (3) Are there any plans to remedy?
>>
>> Thanks!
>>
>> --
>> Greg Reagle
>> System Administrator
>> Center for Economic and Policy Research
>> reagle at cepr.net
>> http://www.cepr.net/


-- 
Greg Reagle
System Administrator
Center for Economic and Policy Research 
reagle at cepr.net
http://www.cepr.net/
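Added example (not code from this thread, from Pidgin or from libotr): a small Python inventory script for the situation discussed above. It parses an otr.private_key file laid out in libotr's S-expression format as I understand it (an assumption), lists every account whose DSA secret exponent x sits on disk in the clear, and checks whether the file is readable by anyone other than its owner. The sample key file is constructed inline with shortened placeholder hex values.

```python
import os
import re
import stat

# Constructed sample in libotr's otr.private_key S-expression layout;
# the hex blobs are shortened placeholders, not a real DSA key.
SAMPLE = b'''(privkeys
 (account
  (name "alice@example.com")
  (protocol prpl-jabber)
  (private-key (dsa (p #E3C4E6A1#) (q #9F37D15B#) (g #2A1C0F7E#)
                    (y #5D6B28C0#) (x #7B0A9E44#)))))
'''

# Tokens: parens, "quoted strings", #hex blobs#, bare atoms.
TOKEN = re.compile(rb'\(|\)|"[^"]*"|#[0-9A-Fa-f]*#|[^\s()"#]+')

def parse_sexp(data):
    """Parse the S-expression into nested lists of str/bytes atoms."""
    stack = [[]]
    for tok in TOKEN.findall(data):
        if tok == b'(':
            stack.append([])
        elif tok == b')':
            stack[-2].append(stack.pop())  # close list into its parent
        elif tok.startswith(b'"'):
            stack[-1].append(tok[1:-1].decode())
        elif tok.startswith(b'#'):
            stack[-1].append(bytes.fromhex(tok[1:-1].decode()))
        else:
            stack[-1].append(tok.decode())
    return stack[0][0]

def exposed_identities(data):
    """(name, protocol, x_bits) per account whose DSA secret x is on disk."""
    found = []
    for node in parse_sexp(data)[1:]:
        if node[0] != 'account':
            continue
        fields = {n[0]: n[1] for n in node[1:]}
        dsa = {n[0]: n[1] for n in fields['private-key'][1:]}
        if 'x' in dsa:  # holder of this file can sign as this identity
            found.append((fields['name'], fields['protocol'], len(dsa['x']) * 8))
    return found

def file_is_private(path):
    """True when the key file carries no group/other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

Run it against ~/.purple/otr.private_key to see which identities an attacker with a copy of the .purple folder could impersonate; as the reply notes, past conversations stay protected by forward secrecy, so the follow-up is key rotation and re-verification, not decryption worries.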
