[liberationtech] Current state of Pidgin OTR vs Jitsi OTR

Jacob Appelbaum jacob at
Mon Jul 1 07:03:09 PDT 2013

Nikola Kotur:
> On Sun, 30 Jun 2013 02:25:54 -0500
> Anthony Papillion <anthony at> wrote:
>> what exactly is the problem with Pidgin OTR
> This page summarizes what might be wrong with Pidgin and OTR:
> In short: Pidgin uses libotr, which is riddled with bugs, and *might*
> have vulnerabilities that can be used to render your privacy useless.
> And the only thing worse than no privacy is the illusion of privacy.

As one of the people currently working on libotr, I'd like to ask you to
reload that page and note the footnote:

"Update: After talking to some people it appears that libotr isn’t as
bug-ridden as the other libraries that Pidgin depends on, libpurple and
libxml2. I’m still glad there’s a native python implementation of OTR

I've audited libotr, pidgin-otr, and I've also audited gajim - I've
found bugs in each - though nothing as serious as the bugs I've found in
gajim. It has the potential to be great software and because it is written
in python, I tend to think it might be in better shape.

I agree that pidgin has issues - I've spent quite a lot of time looking
for them, finding them, and disclosing them - I'm far far from the only one:

It seems to me that we should want diversity in chat clients - something
that using pidgin, jitsi, xmpp-client, adium, gajim and others will
bring us. We want the diversity not just in terms of names but also in
terms of libraries.

We also need security in the bootstrapping process - try to download
pidgin or adium over HTTPS - I guess you'll find it difficult. Jitsi on
the other hand deployed HTTPS when I suggested it to them. I've had
piss poor luck with getting Ian to deploy HTTPS for the pidgin-otr
plugin website - much to my frustration. gajim had (or has?) the same
problem with their plugin loading over the internet code. I'm hoping to
solve this by having pidgin-otr as a shipping part of pidgin proper in
the 3.0 release. I have a commit bit, I just need to sit down and add
pidgin-otr to the source tree without losing commit history between git
and hg.

We need secure defaults too - adium for example refuses to disable
logging by default, even when the user is using OTR:

Very few of these chat clients have proper SSL/TLS support - even if
they do enable TLS by default, some of them have very very crappy
certificate verification or validation code.

So given the above - absolutely all the chat clients have different
issues of varying severity. If passive surveillance is a concern, it
seems that OTR is a key feature - if getting OTR is difficult, I think
it signals that OTR should be built into the chat program. Jitsi and
adium do this well - only Jitsi is available over HTTPS for download.
Though it is possible to use brew to install adium in what seems to be a
more secure fashion.

The wonderful folks over at RiseUp! wrote the following page long ago -
some of it is probably still reasonably correct:

I hope the above is useful - please do consider that libotr is not
pidgin, even if we do one day ship with pidgin releases. The rest of the
pidgin code needs a lot of love - so please consider putting in some
time to find very specific problems, so we might improve things.

All the best,

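The post above complains that several chat clients enable TLS but ship "very very crappy certificate verification or validation code". The following is an added example of what the difference looks like in practice; it is not code from the original post nor from Pidgin, Jitsi, gajim, Adium or libotr. The two context builders, the hostname matcher and the SAMPLE_CERT dictionary are hypothetical illustrations constructed for this example, using only the Python standard library's ssl module. The weak context is the anti-pattern (TLS is "on" but any certificate is accepted); the secure context validates the chain against the system trust store and checks the hostname; and hostname_matches shows the RFC 6125-style DNS-ID matching rules (wildcard only as the whole left-most label, matching exactly one label, never the bare domain) applied to a getpeercert()-shaped certificate.

```python
"""
Added example: verified vs unverified TLS client setup, plus the hostname
matching step a chat client's certificate validation must perform. None of
this is taken from the clients or libraries discussed in the post; the
helper names and the sample certificate are hypothetical.
"""
import ssl
from typing import Dict, Iterable, Tuple


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: TLS is 'on' but the peer may present any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """Chain validation against the system trust store plus a hostname check."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; restating them makes the
    # intent explicit so a later refactor cannot silently drop them.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _dns_id_matches(pattern: str, host: str) -> bool:
    """Match one presented DNS-ID against the dialled hostname (RFC 6125 style).

    A wildcard is accepted only as the entire left-most label ('*.example.org'),
    it matches exactly one label, and it never matches the bare domain.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False                    # partial ('f*o.') or nested wildcards rejected
    if len(p_labels) < 3:
        return False                    # '*.org' style wildcards rejected
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """Check a getpeercert()-shaped dict against the hostname that was dialled.

    When subjectAltName carries DNS entries only those are consulted; the
    Subject CN is a fallback solely for legacy certificates without a SAN.
    """
    sans: Iterable[Tuple[str, str]] = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in sans if kind == "DNS"]
    if dns_ids:
        return any(_dns_id_matches(d, hostname) for d in dns_ids)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_id_matches(value, hostname)
    return False


# Constructed sample (hypothetical hosts), shaped like ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "chat.example.org"),),),
    "subjectAltName": (("DNS", "chat.example.org"), ("DNS", "*.xmpp.example.org")),
}


if __name__ == "__main__":
    print("weak context verifies:  ", context_verifies(weak_client_context()))
    print("secure context verifies:", context_verifies(secure_client_context()))
    for host in ("chat.example.org", "muc.xmpp.example.org",
                 "xmpp.example.org", "evil.example.org"):
        print(f"{host:24s} -> {hostname_matches(SAMPLE_CERT, host)}")
```

The point of keeping the hostname check as a separate function is the failure mode the post describes: a client that sets CERT_REQUIRED but never compares the certificate to the hostname it connected to will happily accept any valid certificate issued to anyone, which is exactly what a network attacker needs. In real code, pass the secure context to `wrap_socket(sock, server_hostname=host)` and let the ssl module run the equivalent check; the hand-written matcher is here to make the rules visible.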