[OTR-users] OTR for audio/speech

Peter Saint-Andre stpeter at stpeter.im
Thu Apr 19 17:20:43 EDT 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 4/19/12 3:09 PM, Greg Reagle wrote:
> On Thu, Apr 19, 2012, at 02:48 PM, Peter Saint-Andre wrote:
>> On 4/19/12 2:39 PM, Greg Reagle wrote:
>>> Thanks Peter.  Does this lack of full stanza encryption affect
>>> all OTR use (including instant messaging), or just OTR use for 
>>> audio/video?
>> 
>> If all you do is send unformatted messages, then OTR is fine. If
>> you do things like send an HTML-formatted message in addition to
>> the plain text (see <http://xmpp.org/extensions/xep-0071.html>)
>> then that added information might not be encrypted. That's true
>> for a message subject 
>> <http://tools.ietf.org/html/rfc6121#section-5.2.4> too and any 
>> anything other than what in Jabber/XMPP is the <body/> element of
>> the <message/> "stanza". Because XMPP is extensible, the fact
>> that OTR encrypts only that <body/> element has worried us
>> Jabberites for a while and has led XMPP developers to keep
>> inventing new approaches to end-to-end encryption, none of which
>> has really taken off. :(
> 
> What?!  I am shocked and dismayed.  Is this really true?  Would
> putting a word in bold defeat OTR?  This would be a MAJOR defect.
> Why doesn't the OTR web page indicate this?

OTR does fine with this:

<message>
  <body>hi!</body>
</message>

That's because it encrypts what goes between the opening <body> tag
and the closing </body> tag. This is fine for AIM, MSN, Yahoo, ICQ,
and all those other systems because they don't support anything but
very simple messages.

However, as far as I understand it, the simple nature of OTR might
cause problems with sending XMPP stanzas like this:

<message>
  <body>hi!</body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p style='font-weight:bold'>hi!</p>
    </body>
  </html>
</message>

Not to mention things like the much more complex stanzas used to
negotiate a voice and video session:

http://xmpp.org/extensions/xep-0167.html#example-1

However, I'd love to be corrected on this score...

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+QgasACgkQNL8k5A2w/vyTdQCgjBch3lE5wJLiD9K4emARd43N
RlMAn3a14XVK+8Czne+XWaG8pCGGWf0k
=HXcS
-----END PGP SIGNATURE-----

More information about the OTR-users mailing list