Nikola Kotur:
> On Sun, 30 Jun 2013 02:25:54 -0500
> Anthony Papillion <[email protected]> wrote:
>
>> what exactly is the problem with Pidgin OTR
>
> This page summarizes what might be wrong with Pidgin and OTR:
>
> https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/
>
> In short: Pidgin uses libotr, which is riddled with bugs, and *might*
> have vulnerabilities that can be used to render your privacy useless.
> And the only thing worse than no privacy is the illusion of privacy.
>
As one of the people currently working on libotr, I'd like to ask you to reload that page and note the footnote: "Update: After talking to some people it appears that libotr isn't as bug-ridden as the other libraries that Pidgin depends on, libpurple and libxml2. I'm still glad there's a native python implementation of OTR though."

I've audited libotr, pidgin-otr, and I've also audited gajim - I've found bugs in each - though nothing as serious as the bugs I've found in gajim. It has potential to be great software and because it is written in python, I tend to think it might be in better shape.

I agree that pidgin has issues - I've spent quite a lot of time looking for them, finding them, and disclosing them - I'm far, far from the only one: https://developer.pidgin.im/wiki/ChangeLog

It seems to me that we should want diversity in chat clients - something that using pidgin, jitsi, xmpp-client, adium, gajim and others will bring us. We want the diversity not just in terms of names but also in terms of libraries.

We also need security in the bootstrapping process - try to download pidgin or adium over HTTPS - I guess you'll find it difficult. Jitsi on the other hand deployed HTTPS when I suggested it to them. I've had piss poor luck with getting Ian to deploy HTTPS for the pidgin-otr plugin website - much to my frustration. gajim had (or has?) the same problem with their plugin loading over the internet code. I'm hoping to solve this by having pidgin-otr as a shipping part of pidgin proper in the 3.0 release. I have a commit bit, I just need to sit down and add pidgin-otr to the source tree without losing commit history between git and hg.

We need secure defaults too - adium for example refuses to disable logging by default, even when the user is using OTR: https://trac.adium.im/ticket/15722

Very few of these chat clients have proper SSL/TLS support - even if they do enable TLS by default, some of them have very, very crappy certificate verification or validation code.
So given the above - absolutely all the chat clients have different issues of varying severity. If passive surveillance is a concern, it seems that OTR is a key feature - if getting OTR is difficult, I think it signals that OTR should be built into the chat program. Jitsi and adium do this well - only Jitsi is available over HTTPS for download. Though it is possible to use brew to install adium in what seems to be a more secure fashion.

The wonderful folks over at RiseUp! wrote the following page long ago - some of it is probably still reasonably correct: https://www.riseup.net/en/chat-clients

I hope the above is useful - please do consider that libotr is not pidgin, even if we do one day ship with pidgin releases. The rest of the pidgin code needs a lot of love - so please consider putting in some time to find very specific problems, so we might improve things.

All the best,
Jacob

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
