On 08.06.2011 17:23 Ted wrote:
> I'm removing the classification as a security vulnerability, because the
> expected behavior currently for OTR sessions is that they'll be either
> manually initiated or automatically initiated once a client detects that
> a chat partner is also OTR-capable.
>
> This is a feature request, but one that I doubt will be implemented on
> any client, since OTR is all in-band, and it would require sending a
> message that non-OTR'd clients would see bare.
>
> ** Changed in: libotr (Ubuntu)
>        Status: New => Confirmed
>
> ** This bug is no longer flagged as a security vulnerability
>
Thanks for your comment, Ted.

I assume I may not have properly explained this, though, which may have caused a misunderstanding on the impact of this issue.

It is not just the first message ever sent to a person which goes unencrypted, but the first message every new day you send to someone whom you have defined you only want to exchange encrypted messages with.

So even when both sides did the key exchange and are set to encrypt, the first message a pidgin-otr user sends on any new day (or after an IP address change or ... I'm not sure what exactly the trigger is) still goes over the wire unencrypted, with no warning given to the sending user.

I hope this explanation is better. So I wonder: Is this how you understood my report in the first place? Do you not think this is a security vulnerability then?

Thanks,
Moritz

--
https://bugs.launchpad.net/bugs/794453

Title:
  First message is sent unencrypted