On Wed, 2011-06-08 at 22:24 +0000, Moritz Naumann wrote:
> On 08.06.2011 17:23 Ted wrote:
> > I'm removing the classification as a security vulnerability, because the
> > expected behavior currently for OTR sessions is that they'll be either
> > manually initiated or automatically initiated once a client detects that
> > a chat partner is also OTR-capable.
> > 
> > This is a feature request, but one that I doubt will be implemented on
> > any client, since OTR is all in-band, and it would require sending a
> > message that non-OTR'd clients would see bare.
> > 
> > ** Changed in: libotr (Ubuntu)
> >        Status: New => Confirmed
> > 
> > ** This bug is no longer flagged as a security vulnerability
> > 
> 
> Thanks for your comment, Ted. I assume I may not have properly explained
> this, though, which may have caused a misunderstanding on the impact of
> this issue.
> 
> It is not just the first message ever sent to a person which goes
> unencrypted, but the first message every new day you send to someone
> whom you have defined you only want to exchange encrypted messages with.
> So even when both sides did the key exchange and are set to encrypt, the
> first message a pidgin-otr user sends on any new day (or after an IP
> address change or ... I'm not sure what exactly the trigger is) still
> goes over the wire unencrypted, with no warning given to the sending user.
> 
> I hope this explanation is better. So I wonder:
> 
> Is this how you understood my report in the first place?
> 
> Do you not think this is a security vulnerability then?
> 
> Thanks,
> 
> Moritz
> 

This isn't a security vulnerability; this is by design.

Without an OTR session already being in place, the sender has no way of
knowing whether their peer supports OTR. As such, pidgin-otr won't try
to set up an OTR session before the first message is sent.

If the sending user wants to try to set up an OTR session manually
before a message is sent, they can do that -- the software won't make
that decision, because it'll send an ugly message to peers that don't
have OTR. 

OTR sessions are not designed to be permanent, and in fact are more
secure if they aren't. If you and someone want to always talk over OTR,
always manually initiate OTR sessions before talking.

It would be nice to have a configuration option to try to set up OTR
sessions before the first message is actually sent, for people who
aren't conservative about what they send, and that would solve this bug,
so this is really a feature request. I've confirmed it, and eventually
someone who has the permission to do so should mark this as wishlist.

You should also submit this report upstream -- I don't know if the
pidgin-otr maintainer reads this bug tracker.
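
A small model of the send-path decision discussed in this thread, added here as an illustration (it is not pidgin-otr or libotr code): with the default opportunistic behaviour a message sent while no session exists goes out bare, including the first one after a session has ended, whereas the requested per-buddy "always encrypt" option would hold the message and start the handshake first. The policy names, the `Peer` class and the session-expiry helper are assumptions for the model; the `?OTRv2?` query string is the form an OTR query message takes.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # current default: encrypt only once a session exists
    ALWAYS = "always"                # requested option: never send this peer plaintext


@dataclass
class Peer:
    name: str
    policy: Policy
    session_active: bool = False                 # an OTR session is up right now
    outbox: list = field(default_factory=list)   # constructed wire log: (kind, text)
    held: list = field(default_factory=list)     # messages waiting for a session


def send(peer: Peer, text: str) -> str:
    """Decide what goes on the wire for one outgoing message; returns the kind."""
    if peer.session_active:
        peer.outbox.append(("encrypted", text))
        return "encrypted"
    if peer.policy is Policy.OPPORTUNISTIC:
        # No session: the client cannot know the peer speaks OTR, so the text goes bare.
        peer.outbox.append(("plaintext", text))
        return "plaintext"
    # ALWAYS: keep the message back and send the OTR query instead.
    peer.held.append(text)
    peer.outbox.append(("otr-query", "?OTRv2?"))
    return "held"


def session_established(peer: Peer) -> None:
    """Handshake finished: flush anything held back under the ALWAYS policy."""
    peer.session_active = True
    for text in peer.held:
        peer.outbox.append(("encrypted", text))
    peer.held.clear()


def session_expired(peer: Peer) -> None:
    """Session ended (new day, reconnect, ...); the next send faces the same decision."""
    peer.session_active = False


def walkthrough(policy: Policy) -> list:
    """Send, establish, send, expire, send; return the kinds observed on the wire."""
    peer = Peer("alice", policy)
    kinds = [send(peer, "hello")]
    session_established(peer)
    kinds.append(send(peer, "still here"))
    session_expired(peer)
    kinds.append(send(peer, "next day"))
    return kinds
```

Running `walkthrough(Policy.OPPORTUNISTIC)` shows the third message going out as plaintext again after expiry, which is the behaviour the report describes; `walkthrough(Policy.ALWAYS)` never emits plaintext.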

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/794453

Title:
  First message is sent unencrypted

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pidgin-otr/+bug/794453/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs