[liberationtech] Question about otr.js

Jurre andmore drwhax at gmail.com
Fri Jun 7 10:44:35 PDT 2013


Pidgin is a terrible client. It has quite a bit of issues. Their SSL
handling is terrible and possible to MITM. I audited the Windows build last
August and found known vulnerabilities since 2006 in 2012. Only recently,
in February, did the Pidgin team release a security update.

Avoid using Pidgin at all costs.

Over at https://useotrproject.org/ we are busy extending Adam Langley's
xmpp-client in Go, creating a client that is secure, private and anonymous by
default.

We hope to have a beta before OHM2013.
On 7 Jun 2013 19:19, "Nadim Kobeissi" <nadim at nadim.cc> wrote:

>
> On 2013-06-07, at 1:09 PM, Anthony Papillion <anthony at cajuntechie.org>
> wrote:
>
> > On 06/06/2013 07:00 PM, Nadim Kobeissi wrote:
> >> Speaking as the lead developer for Cryptocat:
> >> OTR.js actually has had some vetting. We're keeping it experimental
> simply due to the experimental nature of web cryptography as a whole. It's
> a handy library that has had a lot of consideration put into it, but it
> really depends on your use case and threat model. If you want to use it to
> keep conversations private in moderate situations, go ahead. If you want to
> use it to keep conversations private against an authoritarian
> regime/sprawling surveillance mechanism, think twice. Overall I find it
> really hard to tell whether it's safe enough without knowing your threat
> model. For example, if your threat model includes a likelihood of someone
> backdooring your hardware, pretty much nothing can help you.
> >>
> >> If you're considering building your own app and using OTR.js as a
> library, I beseech you to be careful regarding code delivery mechanisms and
> XSS considerations. Specifically, please use signed browser plugins as a
> code delivery mechanism and make sure the rest of your app, including
> outside of OTR.js, is audited against XSS, code injection, and so on. Those
> kinds of threats tend to be far more common than library bugs.
> >>
> >> NK
> >
> > Thank you for the excellent feedback on OTR.js. It really clears some
> > stuff up and makes me much more confident in the library.
> >
> > I'm considering using OTR.js as a basis for an OTR plugin for
> > Thunderbird chat. I suppose, in theory, people *could* decide to use it
> > in life and death situations under sprawling surveillance regimes; I'd
> > try to make it clear how unwise this is and provide alternatives. For
> > example, I'd point them to Pidgin with its OTR instead.
>
> I would never suggest Pidgin — Pidgin has never received an audit and is
> full of vulnerabilities that the development team is reluctant to fix.
> Cryptocat has actually received far more audits than Pidgin, although I'm
> not sure how to compare the two since the platforms are totally different.
>
> NK
>
> >
> > Thanks again!
> >
> > Anthony
> >
> >
> > --
> > Anthony Papillion
> > Phone:   1.918.533.9699
> > SIP:     sip:cajuntechie at iptel.org
> > iNum:    +883510008360912
> > XMPP:    cypherpunk38 at jit.si
> >
> > www.cajuntechie.org
> > --
> > Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
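Nadim's point above, that XSS and code injection in the application around the library are a more common failure than bugs in OTR.js itself, illustrated with an added example that is not part of this thread, of OTR.js, or of Cryptocat: a chat-message renderer in JavaScript with the unsafe form beside the escaped form. The function names and the sample message are constructed for illustration; the decrypted OTR body is treated as attacker-controlled text, because OTR authenticates the peer, not the content the peer chooses to send.

```javascript
// Added example: rendering a decrypted chat message without XSS.
// Constructed sample message from the remote party (hypothetical content).
const SAMPLE_SENDER = 'alice';
const SAMPLE_BODY = '<script>alert(1)</script>';

// Unsafe renderer: interpolates the message body straight into markup, so
// any tag the remote party types becomes part of the client's DOM and runs
// with the client's privileges (keys, contact list, local storage).
function renderUnsafe(sender, body) {
  return `<div class="msg"><b>${sender}</b>: ${body}</div>`;
}

// Minimal HTML escaping for text content and double-quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every untrusted field is escaped, so markup in the
// message is displayed as text rather than interpreted.
function renderSafe(sender, body) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Preferred form in a real client: build DOM nodes and assign textContent,
// which never parses the input as HTML. Takes the document as a parameter so
// it can be unit-tested with a DOM stub; not exercised in the Node test below.
function renderSafeDom(doc, sender, body) {
  const div = doc.createElement('div');
  div.className = 'msg';
  const b = doc.createElement('b');
  b.textContent = sender;
  div.appendChild(b);
  div.appendChild(doc.createTextNode(': ' + body));
  return div;
}

// Regression check an audit could keep in the test suite: a rendered message
// must never contain an unescaped tag that was present in the input.
function leaksMarkup(rendered, untrusted) {
  const tags = untrusted.match(/<[^>]*>/g) || [];
  return tags.some((tag) => rendered.includes(tag));
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe leaks markup:', leaksMarkup(renderUnsafe(SAMPLE_SENDER, SAMPLE_BODY), SAMPLE_BODY));
  console.log('safe leaks markup:  ', leaksMarkup(renderSafe(SAMPLE_SENDER, SAMPLE_BODY), SAMPLE_BODY));
  console.log(renderSafe(SAMPLE_SENDER, SAMPLE_BODY));
}
```

The escaping version is shown because it is the smallest change to a string-building renderer; `renderSafeDom` is the form to reach for in a browser plugin, and the `leaksMarkup` check is the kind of assertion that keeps a later refactor of the renderer from silently reintroducing the unsafe path.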

