[OTR-users] OTR mentioned in Snowden documents?

Viktor Stanchev me at viktorstanchev.com
Fri Sep 6 11:51:08 EDT 2013


When using Cryptocat I often find myself validating the fingerprint using another channel, for example Facebook over HTTPS, thinking it's non-trivial for a man-in-the-middle attack to work or that no one cares what I'm saying anyway. If that channel is compromised, an attacker can make sure that the fingerprints sent are altered for both users and it wouldn't be suspicious at all. This lets them conduct a man-in-the-middle attack. Maybe the NSA automated this process for all insecure channels.

-Viktor 

Nathan of Guardian <nathan at guardianproject.info> wrote:
>On 09/06/2013 09:37 AM, Mike Minor wrote:
>> If the NSA is claiming they can decrypt OTR, what possible attack
>> vectors do the readers of this mailing list suppose could be viable
>> targets?  Our OS? Our RNG's? Our CPU's?
>
>Users not validating fingerprints? That makes MITM trivial.
>
>We definitely need to make that easier and required, possibly, in
>clients.
>
>+n

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
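
The point made in this thread, as an added example that is not part of the original messages: a manual fingerprint comparison only reveals an intercepted session when the channel carrying the fingerprints is outside the interceptor's control. The key values, the `Relay` class and all function names are constructed for illustration and model no real OTR or Cryptocat client.

```python
import hashlib

# Constructed stand-ins for public keys; no real OTR or Cryptocat key format is modelled.
ALICE_KEY, BOB_KEY = b"alice-public-key", b"bob-public-key"
# Keys an interceptor presents to each user in place of the peer's real key.
FAKE_BOB_FOR_ALICE, FAKE_ALICE_FOR_BOB = b"interceptor-key-1", b"interceptor-key-2"


def fingerprint(public_key: bytes) -> str:
    """Hex fingerprint a user would read out (SHA-256, truncated for display)."""
    return hashlib.sha256(public_key).hexdigest()[:40]


class Relay:
    """Side channel used to exchange fingerprints. With a rewrite table it models
    a channel controlled by the same party that intercepts the chat session."""

    def __init__(self, rewrite=None):
        self.rewrite = rewrite or {}

    def deliver(self, text: str) -> str:
        for real, fake in self.rewrite.items():
            text = text.replace(real, fake)
        return text


def verify(key_seen_in_client: bytes, fingerprint_received: str) -> bool:
    """The manual check: does the key my client shows match what my peer sent me?"""
    return fingerprint(key_seen_in_client) == fingerprint_received


def run(side_channel_compromised: bool):
    """Return (alice_accepts, bob_accepts) for an intercepted chat session."""
    rewrite = {fingerprint(BOB_KEY): fingerprint(FAKE_BOB_FOR_ALICE),
               fingerprint(ALICE_KEY): fingerprint(FAKE_ALICE_FOR_BOB)}
    side = Relay(rewrite if side_channel_compromised else None)
    from_bob = side.deliver("my fingerprint: " + fingerprint(BOB_KEY)).split()[-1]
    from_alice = side.deliver("my fingerprint: " + fingerprint(ALICE_KEY)).split()[-1]
    # In the intercepted session each client shows the interceptor's key.
    return verify(FAKE_BOB_FOR_ALICE, from_bob), verify(FAKE_ALICE_FOR_BOB, from_alice)


if __name__ == "__main__":
    # Same party controls both channels: both checks pass, interception unnoticed.
    print("compromised side channel :", run(True))
    # Independent side channel: both checks fail, which is the signal to stop.
    print("independent side channel :", run(False))
```

A failed comparison on an independent channel is the only outcome here that tells the users anything; a passed comparison on a channel the interceptor also controls carries no assurance.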