Micah Lee:
> I just wrote a blog post that people here might find interesting about
> using Gajim, a chat client written in python, and Gajim's OTR plugin, a
> purely python implementation of the OTR standard, instead of Pidgin and
> libotr.
>
> https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/
>
> Also, I wrote a script called pidgin2gajim that takes the OTR keys from
> Pidgin and reformats them to work in Gajim, so you can keep your old
> Pidgin key.
>
> https://github.com/micahflee/pidgin2gajim
A few people, myself included, had an audit (drinking) game with gajim a while back - they were quite responsive. There were a number of rather insecure design issues that I would strongly caution rechecking - one of them was that the Python OTR module was not included in the default Gajim release. If I remember correctly, one had to download it and install it from within a plugin wizard of sorts over http:

https://trac.gajim.org/ticket/7024

I think they fixed that by adding HTTPS - in python - which well, hrm. Looks like a fun thing to follow up on, eh?

I think their HTTPS code is here:

http://hg.gajim.org/gajim/file/47df356614cc/src/common/check_X509.py

They wrote some DH code here:

http://hg.gajim.org/gajim/file/47df356614cc/src/common/dh.py

Other bugs for OTR are interesting to read:

https://trac.gajim.org/ticket/7025
https://trac.gajim.org/ticket/7030

Here are a few other bugs I reported including remote code execution issues:

https://trac.gajim.org/query?status=assigned&status=closed&status=needinfo&status=new&status=reopened&reporter=ioerror&order=priority

A friend's bug reports:

https://trac.gajim.org/query?status=assigned&status=closed&status=needinfo&status=new&status=reopened&reporter=buymebeer&order=priority

A few days ago, I also managed to remotely crash a friend using the most recent Gajim in an OTR session.
His Gajim client sent me this in response:

<message to="me" type="chat" id="30" from="myfriend/Gajim">
<body>18:37:16 (E) gajim.c.ged Error while running an even handler: <bound method OtrPlugin.handle_incoming_msg of <gotr.otrmodule.OtrPlugin object at 0x1845750>>
Traceback (most recent call last):
  File "/usr/share/gajim/src/common/ged.py", line 91, in raise_event
    if handler( *args, **kwargs):
  File "/home/user/.local/share/gajim/plugins/gotr/otrmodule.py", line 521, in handle_incoming_msg
    appdata={'session':event.session})
  File "/home/user/.local/share/gajim/plugins/gotr/potr/context.py", line 219, in receiveMessage
    plaintext, tlvs = self.crypto.handleDataMessage(message)
  File "/home/user/.local/share/gajim/plugins/gotr/potr/crypt.py", line 195, in handleDataMessage
    tlvs = proto.TLV.parse(tlvData)
  File "/home/user/.local/share/gajim/plugins/gotr/potr/proto.py", line 318, in parse
    return [tlvClasses[typ].parsePayload(data[:length])]
KeyError: 0
</body><thread>xxxx</thread><nos:x value="enabled" xmlns:nos="google:nosave"/><arc:record otr="true" xmlns:arc="http://jabber.org/protocol/archive"/></message>

I didn't report it and I'm not sure if my friend did either. I'd guess not.
I think this was the message that I sent to my friend that caused the above stack trace to be sent over jabber to me:

<message to='myfriend' from='me' type='chat'><body>?OTR:AAIDAAAAAAUAAAACAAAAwKAOQK5DZercq54LCaVQaSzz23rYwDrTXyUMaaSjUUXo435D8p4kg9e8WJ/o
XxRgXt7DzFqRhckMSchtiKn3Z18crsO+KVwmlmDBzAk4mW0PL3SSbEeVCnNuixySOXbBWtohxqxwc/3yBsm2ki0Sac8fvdJfw3f5UdYBCJezM4gVEfe2UEyDyenT3TMT5TOpAtu7TVh6IgKjy0hvYsTpYKbhD6t/IojJKu55eK20QZN
qRYoYV+c5SS17mVWy8OvBWgAAAAAAAAAHAAABALaP77xkbaBybuXXtaoMU2mA0m3LIgHAKLhI8/bPtsyv+CUlnZZoqoLdlp67icTFvzUeUU3jFW/RSAa63d5mnzvb21zmhydE2i/U3hvwCyP6OHthfV8/PkBP/uq8bWfHEqJ/8yyWRM
VS/1L7uauQdDBXuORV0iYQnRBxkwVmIV5KfqKlUR0KEYza3urw5wdsOqOSIU0W9fa5ksZBDyuZxvG6d9NSJa7FRnN7aqpAzxDWGfWTg5FLSCQFMd22BxXOsS4UalkYQVxAmfLAYpv8Nw0Dw4PZfLDObpvXBx89g9nuenOAZWGtCsm24
u6xFNIHQGdxYSd93zhZV1kU7gsdcK051Lgx2h1EYbEHP2hKZxGk4AEwlgAAAAA=.</body><nos:x xmlns:nos='google:nosave' value='enabled'/><arc:record xmlns:arc='http://jabber.org/protocol/archive' otr='require'/></message>

Anyway, Gajim isn't free of issues and the OTR plugin is written in Python. That may be good news but I admit, I haven't seen if there are any test vectors that compare all of the functionality. At one point the potr library author had considered unit testing their inputs/outputs against the expected libotr inputs/outputs. I'm not sure if that happened.

They are at least Tor (support) friendly which is nice of them:

https://trac.gajim.org/ticket/7026

All the best,
Jake

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
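An added example, not code from the thread or from the potr project: a minimal OTR TLV splitter with two dispatchers, one that indexes a handler table by TLV type with no guard (the failure pattern the traceback shows, a KeyError on a type the table lacks) and one that skips types it has no handler for. The sample bytes and the handler table are constructed for this example; the OTR specification defines TLV type 0 as padding, which a receiver is meant to ignore.

```python
import struct

# TLV types defined by the OTR v3 specification (type -> name).
OTR_TLV_NAMES = {
    0: "padding", 1: "disconnected", 2: "smp1", 3: "smp2", 4: "smp3",
    5: "smp4", 6: "smp_abort", 7: "smp1q", 8: "extra_symkey",
}

# Constructed handler table that has no entry for type 0 (padding).
HANDLERS = {k: v for k, v in OTR_TLV_NAMES.items() if k != 0}

# Constructed sample TLV section: a 2-byte padding TLV (type 0, length 2)
# followed by an empty disconnected TLV (type 1, length 0).
SAMPLE_TLV_DATA = b"\x00\x00\x00\x02\x00\x00" + b"\x00\x01\x00\x00"


def split_tlvs(data):
    """Split a TLV section into (type, value) pairs, validating each length."""
    tlvs, offset = [], 0
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated TLV header at offset %d" % offset)
        typ, length = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        if offset + length > len(data):
            raise ValueError("TLV type %d claims %d bytes past end" % (typ, length))
        tlvs.append((typ, data[offset:offset + length]))
        offset += length
    return tlvs


def dispatch_fragile(data):
    """Unguarded table lookup: an unmapped type raises KeyError, as in the trace."""
    return [HANDLERS[typ] for typ, _ in split_tlvs(data)]


def dispatch_robust(data):
    """Guarded lookup: TLV types without a handler are skipped, not fatal."""
    names = []
    for typ, _ in split_tlvs(data):
        handler = HANDLERS.get(typ)
        if handler is not None:
            names.append(handler)
    return names


def fragile_crashes(data):
    """True if the unguarded dispatcher raises KeyError on this input."""
    try:
        dispatch_fragile(data)
    except KeyError:
        return True
    return False
```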
