On 06/06/2013 07:00 PM, Nadim Kobeissi wrote:
> Speaking as the lead developer for Cryptocat:
> OTR.js actually has had some vetting. We're keeping it experimental simply 
> due to the experimental nature of web cryptography as a whole. It's a handy 
> library that has had a lot of consideration put into it, but it really 
> depends on your use case and threat model. If you want to use it to keep 
> conversations private in moderate situations, go ahead. If you want to use it 
> to keep conversations private against an authoritarian regime/sprawling 
> surveillance mechanism, think twice. Overall I find it really hard to tell 
> whether it's safe enough without knowing your threat model. For example, if 
> your threat model includes a likelihood of someone backdooring your hardware, 
> pretty much nothing can help you.
> 
> If you're considering building your own app and using OTR.js as a library, I 
> beseech you to be careful regarding code delivery mechanisms and XSS 
> considerations. Specifically, please use signed browser plugins as a code 
> delivery mechanism and make sure the rest of your app, including outside of 
> OTR.js, is audited against XSS, code injection, and so on. Those kind of 
> threats tend to be far more common than library bugs.
> 
> NK

Thank you for the excellent feedback on OTR.js. It really clears some
stuff up and makes me much more confident in the library.

I'm considering using OTR.js as a basis for an OTR plugin for
Thunderbird chat. I suppose, in theory, people *could* decide to use it
in life and death situations under sprawling surveillance regimes, I'd
try to make it clear how unwise this is and provide alternatives. For
example, I'd point them to Pidgin with its OTR instead.

Thanks again!

Anthony


-- 
Anthony Papillion
Phone:   1.918.533.9699
SIP:     sip:[email protected]
iNum:    +883510008360912
XMPP:    [email protected]

www.cajuntechie.org
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at [email protected] or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Reply via email to