[OTR-users] Pidgin-OTR Logging Behaviour

Gregory Maxwell gmaxwell at gmail.com
Wed Feb 1 11:34:33 EST 2012


On Wed, Feb 1, 2012 at 10:57 AM, Rob Smits <rdfsmits at cs.uwaterloo.ca> wrote:
> -When an OTR conversation starts, explicitly ask the user whether they wish
> to log OTR conversations (if no Pidgin-OTR logging preference is found), and
> perhaps output the above message. Once the user provides an answer, future
> OTR conversations will not trigger this prompt.

Please no!

It's very important that OTR be as transparent and painless as
possible.  For almost everyone risk of attack is very low— if you make
OTR at all annoying the rational behavior for the user will be to
_disable it_, denying protection to both them and their chat partners.
(and because an eavesdropper is invisible people often underestimate
the risk in any case)

It's also important to not send a confusing message— so you'd give a
scary "this is being logged" warning when OTR is in use, but not
otherwise?  That would be misleading.

There should be a smooth security graduation that maps to the user's effort
and paranoia.  By default everything should be ephemerally encrypted
because we can do that at _no_ cost to the user.  Then if the user has
done enough to enable authentication, everything should be reputably
authenticated... and so on.

Logging is greatly valuable to me and my threat models don't place it
at all on my priority list. I'm concerned with mass surveillance,
automated analysis, data collection, etc. Someone who has my disk (and
its decryption keys) or my chat-partners has already "won".  I
understand needs differ— but I'll be keeping logging on unless my
friends ask for it off.

Could there potentially be another axis added to the private /
not-private, authenticated / not-authenticated to give
logging / not-logging, and to communicate that over the channel?  And
allow either party to request logging be disabled by hitting that
button?

I think it's okay that the logging status could be cheated by a
deceptive chat partner. They could be recording the screen or whatever
too.

Long in the past I'd proposed (on the OTR list, IIRC) that there be a
feature where the logs are encrypted with a secret which is shared by
both parties to the conversation... so then you could only read your
logs if your partner was online.  If you believed your partner became
compromised you'd hit some button and destroy your half of the key.
Didn't seem anyone thought the idea was too exciting, and it's not the
sort of feature that would be worth writing for your personal use.
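
The split-key log idea in the last paragraph, sketched as an added example that is not part of the original message or of any OTR implementation. The XOR-then-hash combination rule, the SHAKE-256/HMAC construction (a standard-library stand-in for a real AEAD such as AES-GCM) and all function names are assumptions.

```python
import hashlib, hmac, secrets

def new_half() -> bytes:
    # Each party generates one random half and stores only that half.
    return secrets.token_bytes(32)

def log_key(half_a: bytes, half_b: bytes) -> bytes:
    # Assumed combination rule: hash of the XOR, so one half alone reveals nothing.
    mixed = bytes(x ^ y for x, y in zip(half_a, half_b))
    return hashlib.sha256(b"log-key" + mixed).digest()

def _subkeys(key: bytes, nonce: bytes, n: int):
    # Stand-in for an AEAD: SHAKE-256 keystream plus a separate MAC key.
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(n)
    return stream, hashlib.sha256(b"mac" + key).digest()

def seal(key: bytes, line: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per log entry
    stream, mac_key = _subkeys(key, nonce, len(line))
    ct = bytes(x ^ y for x, y in zip(line, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    stream, mac_key = _subkeys(key, nonce, len(ct))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified log entry")
    return bytes(x ^ y for x, y in zip(ct, stream))

def demo():
    line = b"(constructed sample) 11:34 bob: see you at six"
    alice_half, bob_half = new_half(), new_half()
    entry = seal(log_key(alice_half, bob_half), line)
    # Partner online: the other half arrives over the channel, the log opens.
    readable = unseal(log_key(alice_half, bob_half), entry)
    # Alice destroyed her half: Bob's half plus the log file is not enough.
    try:
        unseal(log_key(new_half(), bob_half), entry)
        recovered = True
    except ValueError:
        recovered = False
    return line, readable, recovered

if __name__ == "__main__":
    print(demo())
```

The property only holds if the reader discards the partner's half and the derived key after each use; a client that caches either one has an ordinary locally readable log.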


