[OTR-users] OTR mentioned in Snowden documents?
Mike Minor
mike at firstworldproblems.com
Fri Sep 6 12:40:47 EDT 2013
On Sep 6, 2013, at 7:59 AM, Nathan of Guardian <nathan at guardianproject.info> wrote:
> On 09/06/2013 09:37 AM, Mike Minor wrote:
>> If the NSA is claiming they can decrypt OTR, what possible attack vectors do the readers of this mailing list suppose could be viable targets? Our OS? Our RNG's? Our CPU's?
>
> Users not validating fingerprints? That makes MITM trivial.
>
> We definitely need to make that easier and required, possibly, in clients.
>
> +n
I'm assuming that MITM attacks, such as what you describe or using CA signing certs to do the same with TLS, is not what the recent disclosure is about.
This is about, from my understanding, mass decryption from fiber taps. I think we would notice if they were MITM'ing in a mass way.
I think there might be an inherent weakness in how OTR is implemented for the NSA to make such a claim in internal documents.
Bruce Schneier has read the documents in question and is now giving tips on 'how to be safe' in light of these new disclosures. I don't think he is saying anything we don't already know (don't trust closed source, don't trust NSA backed standards, etc).
I thought I might poke some discussion as to where the weaknesses might be in an OTR implementation where you are using the currently known best practices (verifying fingerprints, etc)
More information about the OTR-users
mailing list