[OTR-users] OTR for audio/speech

Ian Goldberg ian at cypherpunks.ca
Thu Apr 19 19:01:44 EDT 2012


On Thu, Apr 19, 2012 at 03:20:43PM -0600, Peter Saint-Andre wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 4/19/12 3:09 PM, Greg Reagle wrote:
> > On Thu, Apr 19, 2012, at 02:48 PM, Peter Saint-Andre wrote:
> >> On 4/19/12 2:39 PM, Greg Reagle wrote:
> >>> Thanks Peter.  Does this lack of full stanza encryption affect
> >>> all OTR use (including instant messaging), or just OTR use for 
> >>> audio/video?
> >> 
> >> If all you do is send unformatted messages, then OTR is fine. If
> >> you do things like send an HTML-formatted message in addition to
> >> the plain text (see <http://xmpp.org/extensions/xep-0071.html>)
> >> then that added information might not be encrypted. That's true
> >> for a message subject 
> >> <http://tools.ietf.org/html/rfc6121#section-5.2.4> too and any 
> >> anything other than what in Jabber/XMPP is the <body/> element of
> >> the <message/> "stanza". Because XMPP is extensible, the fact
> >> that OTR encrypts only that <body/> element has worried us
> >> Jabberites for a while and has led XMPP developers to keep
> >> inventing new approaches to end-to-end encryption, none of which
> >> has really taken off. :(
> > 
> > What?!  I am shocked and dismayed.  Is this really true?  Would
> > putting a word in bold defeat OTR?  This would be a MAJOR defect.
> > Why doesn't the OTR web page indicate this?
> 
> OTR does fine with this:
> 
> <message>
>   <body>hi!</body>
> </message>
> 
> That's because it encrypts what goes between the opening <body> tag
> and the closing </body> tag. This is fine for AIM, MSN, Yahoo, ICQ,
> and all those other systems because they don't support anything but
> very simple messages.
> 
> However, as far as I understand it, the simple nature of OTR might
> cause problems with sending XMPP stanzas like this:
> 
> <message>
>   <body>hi!</body>
>   <html xmlns='http://jabber.org/protocol/xhtml-im'>
>     <body xmlns='http://www.w3.org/1999/xhtml'>
>       <p style='font-weight:bold'>hi!</p>
>     </body>
>   </html>
> </message>

OTR, at least pidgin-otr, works fine with this.  You just end up with an
encryption of:

     <body xmlns='http://www.w3.org/1999/xhtml'>
       <p style='font-weight:bold'>hi!</p>
     </body>

[I think it is.]

OTR does not natively support voice.  It's hard to pin down exactly what
deniability would mean there.  ZTRP is indeed a good option if you want
encryption/authentication.
-- 
Ian Goldberg
Associate Professor
Cheriton School of Computer Science
University of Waterloo



More information about the OTR-users mailing list