Search Mailing List Archives
[liberationtech] Question about otr.js
anthony at cajuntechie.org
Fri Jun 7 10:09:41 PDT 2013
On 06/06/2013 07:00 PM, Nadim Kobeissi wrote:
> Speaking as the lead developer for Cryptocat:
> OTR.js actually has had some vetting. We're keeping it experimental simply due to the experimental nature of web cryptography as a whole. It's a handy library that has had a lot of consideration put into it, but it really depends on your use case and threat model. If you want to use it to keep conversations private in moderate situations, go ahead. If you want to use it to keep conversations private against an authoritarian regime/sprawling surveillance mechanism, think twice. Overall I find it really hard to tell whether it's safe enough without knowing your threat model. For example, if your threat model includes a likelihood of someone backdooring your hardware, pretty much nothing can help you.
> If you're considering building your own app and using OTR.js as a library, I beseech you to be careful regarding code delivery mechanisms and XSS considerations. Specifically, please use signed browser plugins as a code delivery mechanism and make sure the rest of your app, including outside of OTR.js, is audited against XSS, code injection, and so on. Those kind of threats tend to be far more common than library bugs.
Thank you for the excellent feedback on OTR.js. It really clears some
stuff up and makes me much more confident in the library.
I'm considering using OTR.js as a basis for an OTR plugin for
Thunderbird chat. I suppose, in theory, people *could* decide to use it
in life and death situations under sprawling surveillance regimes, I'd
try to make it clear how unwise this is and provide alternatives. For
example, I'd point them to Pidgin with its OTR instead.
SIP: sip:cajuntechie at iptel.org
XMPP: cypherpunk38 at jit.si
More information about the liberationtech