[OTR-users] Can't enable logging with 4.0.0

Jacob Appelbaum jacob at appelbaum.net
Thu Sep 6 00:32:28 EDT 2012


Gregory Maxwell:
> On Wed, Sep 5, 2012 at 10:37 AM, Brian Morrison <bdm at fenrir.org.uk> wrote:
>> On Wed, 5 Sep 2012 09:12:53 -0500
>> Karen Trudeau <karen.trudeau at gmail.com> wrote:
>>
>>> Any suggestions?
>>
>> I don't know what the developers decided to do after a discussion
>> about this on the list a while ago, but for this new version with OTR
>> active you must override the default no logging policy on each and
>> every occasion you use it.
> 
> I hope not, because the intuitive fix to this is to not use OTR which
> is a clear regression.

It's a bug. Logging being off by default isn't a bug though - it's to
ensure that a user turns on logging if they want it and if they didn't
want it, they won't accidentally shoot themselves in the foot.

>> Having a log makes you vulnerable to seizure and search in
>> jurisdictions that allow it, the point of OTR is to make conversations
>> deniable and having them logged in plain text defeats that deniability
>> instantly.
> 
> Hogwash. OTR avoids cryptographically non-reputable authentication.
> But nothing can stop something from logging the traffic/cryptographic
> keys/ removing this misfeature (hopefully bug). A log on disk is as
> reputable as any other plaintext, which is the goal.
> 

Two logs that are identical, one produced on purpose and the other on
accident is probably going to present a problem. So the goal isn't to
pretend we can stop jerks from being jerks. The goal of not logging by
default is to prevent pidgin-otr from adding to the problem.

> I can see value in having some mode for cooperating clients to signal
> logging or coordinate disabling it.  But if it makes it so people
> can't comfortably use OTR by default on every conversation without
> inconvenience even "when they have nothing to hide" it's a major
> security/safety regression.

It seems to me that signaling that users are logging would be a nice
addition - if you violate my privacy by logging me, I'd like to know;
that is far from perfect but surely it would create some interesting
social discussions!

All the best,
Jake