On 28/06/2012 02:23, Ian Goldberg wrote:
> On Wed, Jun 27, 2012 at 01:48:05PM -0700, Chris Ballinger wrote:
>> I don't know enough about browser security to comment on that
>> weakness but I would assume that under regular circumstances (no
>> SSL MITM) no text is sent between your browser and Google until
>> you hit send. I really would like to get more regular people
>> using OTR but it seems like the main problem at this point seems
>> to be changing people's habits.
>
> No, the issue is that the javascript *on the GTalk page* might be
> intercepting your typing and doing whatever with it (including
> sending it back to Google). Much in the same way that the Google
> search bar "autocompletes" today by sending each keystroke back to
> Google.

No, if the typing is in a separate iframe (with a different domain origin), the gtalk page (or someone tampering with the gtalk page) can't intercept your typing.

By the way, someone can't tamper with the page to present a layout of the page that is very similar to the one of the add-on; this way can "fish" you to type in an iframe that isn't the one of the add-on.

By the way, if you add a unique image (maybe derived one-way from your secret key) you can always verify that you are typing in the right iframe (this image never goes on the net).

G.
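The key-derived image suggested in the reply above, sketched as an added example that is not part of the thread or of any OTR add-on code. It assumes HMAC-SHA256 as the one-way function, a hypothetical label string, a 5x5 grid layout, and Node's `crypto` module standing in for whatever HMAC primitive the add-on platform provides.

```javascript
// Added illustration; names, label and layout are assumptions, not project code.
const nodeCrypto = require("node:crypto");

// Hypothetical domain-separation label, so the image seed differs from any
// other value derived from the same secret.
const LABEL = "otr-addon/security-image/v1";

// One-way step: HMAC-SHA256 keyed with the secret. Seeing the picture does not
// reveal the key, and a page that lacks the key cannot compute the picture.
function imageSeed(secretKey) {
  return nodeCrypto.createHmac("sha256", secretKey).update(LABEL).digest();
}

// Map the seed to a 5x5 left-right symmetric grid plus a hue (identicon style).
function securityImage(secretKey) {
  const seed = imageSeed(secretKey);
  const rows = [];
  for (let r = 0; r < 5; r++) {
    const half = [];
    for (let c = 0; c < 3; c++) {
      const bit = r * 3 + c; // 15 pattern bits, taken from seed bytes 0 and 1
      half.push((seed[bit >> 3] >> (bit & 7)) & 1);
    }
    rows.push([half[0], half[1], half[2], half[1], half[0]]);
  }
  const hue = Math.floor((seed.readUInt16BE(2) * 360) / 65536); // 0..359
  return { rows, hue };
}

// Text rendering for a terminal; an add-on would draw the grid locally inside
// its own iframe and never fetch or upload it.
function render(img) {
  return img.rows.map((r) => r.map((b) => (b ? "##" : "  ")).join("")).join("\n");
}

// Constructed sample keys, for demonstration only.
const mine = securityImage(Buffer.from("constructed-sample-key-A"));
const other = securityImage(Buffer.from("constructed-sample-key-B"));
console.log(`hue ${mine.hue}\n${render(mine)}`);
console.log(`hue ${other.hue}\n${render(other)}`);
```

The pattern is meant for recognition by eye, not as a secret in itself: it only helps while it is rendered locally and stays out of reach of the hosting page.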
