[OTR-users] OTR mentioned in Snowden documents?

Nathan of Guardian nathan at guardianproject.info
Fri Sep 6 13:02:56 EDT 2013


On 09/06/2013 12:40 PM, Mike Minor wrote:
> I thought I might poke some discussion as to where the weaknesses might be in an OTR implementation where you are using the currently known best practices (verifying fingerprints, etc.).
Excellent point, and true that if there were mass MITM on OTR sessions,
those of us who do verify would notice.

One fear I have had has been around OTR4J (which we use in Gibberbot,
and others like Jitsi do as well) and our dependency on BouncyCastle
libraries, and Java as well, for that matter.

With the recent weakness found in the Android PRNG, I fear there may be
other "oops" bugs, either intentional or not, somewhere in that stack.

+n


