Hello,

Some of you may know the OTR plugin for the weechat irc client. I'm happy to announce that the project pulled a patch of mine to have a more... healthy approach to OTR session logging.

https://github.com/mmb/weechat-otr

This approach being: *not* logging OTR sessions.

It has come to my attention that logs can actually be very harmful for both parties involved, even if only one of those does log, and that even encrypted logs are not safe in countries where you can be coerced into decrypting your volumes (either physically or judicially).

Looking at the philosophy, or even the name of the "Off-the-record" protocol, it makes sense to me that what happens inside an OTR session is not meant to be logged. For any reason. The only reason why someone would want to record an OTR conversation would probably be either to harm someone else or as part of an unhealthy overall logging policy.

For those reasons, I wrote the patch with two core ideas in mind:

- Logging should be deactivated for the entire duration of the OTR session by *DEFAULT*, and the only way to re-activate it should be on a per-conversation basis, manually. I voluntarily refused to add an easy command to re-enable the systematic logging of OTR conversations. Doing so is toxic to what OTR tries to achieve/provide, and most certainly only useful for malicious intents. I see no reason to write a single line of code to enable such dangerous behavior.

- The logging deactivation should happen as soon as the OTR session starts, and prevent any output from OTR from appearing in the logs. The entire OTR session should appear like it never happened. There should only be a blank in the logs where the OTR session took place. I see no reason to keep track of when one had an OTR conversation with whom. This information is only useful to attackers.

I had to explain this philosophy to the upstream dev, but fortunately he understood and pulled the patch as-is.

Now, this is all good news for weechat users but, realistically, I fear the weechat OTR plugin is really not very widely used. If at all (except for me and some friends).

So, I'd like to open the discussion on what every other OTR implementation currently does in regard to logs, what should be done, and whether we should uniformise a specific behavior from now on when creating new plugins/implementations.

So here is what I know:

- weechat-otr now disables logs for the entire duration of the OTR session and restores the previous logging value after the OTR session is closed. This is by default. It can only be overridden within a single OTR session with the /logger set command, and will be disabled again for the next OTR sessions.

- irssi-otr has no such feature whatsoever.

- pidgin-otr has a checkbox to disable logging of OTR conversations, but it's not checked by default.

- Jitsi has no option to disable logging of OTR conversations, or even for a given conversation (OTR or not). Logging is pretty rigid and binary in this one.

- Gibberbot: ?? I think it doesn't log anything by default, not sure.

Regarding irssi-otr, I hear irssi's logging management is a bit... rigid (one can't even configure it on a per-server basis, so per-buffer seems unlikely). I think it can be done, but it would probably require a lot of hacking, maybe even upstream patches/reworking? I really think something should be done on the matter however. Would anyone here be willing to at least write down the current limitations to work around and the difficulties involved?

I think pidgin should enable the disabling of OTR logging by default. There really is no legitimate reason to log those. It's dangerous. Most pidgin users will probably not even encrypt logs, even less securely delete them when necessary, so defaulting to a healthy practice is probably a good idea and trivial to patch.

Jitsi needs *at least* a button somewhere to allow for disabling the logging of a given conversation. As their OTR implementation is integrated, logging policy patches will probably be harder to get pulled upstream, but I'm sure they would understand...
I'm more scared of how much work would be needed to allow such fine-tuning of the logging behavior, as nothing indicates it was ever thought of as a possible use case anywhere in the software. But then again, I really think it's necessary. I'm less comfortable with java development, though.

So, what do you guys think? Did I miss something? Do you think there are good reasons to log OTR conversations by default?

I'm sure a lot of users will initially complain that they can't find some parts of their logs, anytime they enabled OTR, but we really should push for a more responsible philosophy on how one should manage one's logs. Too many people log everything for YEARS without even thinking of the implications. Breaking their unhealthy habits may be the first step towards a global realization that logging everything *will* at some point hurt the people you interact with.

It's not up to the OTR protocol to define logging policies, so we must make sure OTR implementations behave responsibly.

--
Daniel ".koolfy" Faucon
Tel: France : (+33)(0)658/993.700
PGP Fingerprint : 485E 7C63 8D29 F737 FEA2 8CD3 EA05 30E6 15BE 9FA5
_______________________________________________
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
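
The logging policy described in the message above (logging switched off as soon as an OTR session starts, the previous level restored when it ends, a manual /logger set override lasting only for the current session), modelled as an added example. This is not weechat-otr's code and not part of the original post; the Buffer class, its method names and the "level 0 means off" scale are assumptions made for illustration.

```python
LOG_OFF = 0  # assumption: level 0 writes nothing, higher levels log


class Buffer:
    """One conversation with its own logging level (hypothetical model)."""

    def __init__(self, log_level=9):
        self.log_level = log_level
        self.log = []        # stands in for the on-disk log file
        self._saved = None   # pre-session level while an OTR session is open

    def otr_start(self):
        """Run before any OTR output is displayed, so none of it is logged."""
        if self._saved is not None:
            return           # already in a session: keep the original saved level
        self._saved = self.log_level
        self.log_level = LOG_OFF

    def otr_end(self):
        """Restore the pre-session level; a manual override is discarded."""
        if self._saved is not None:
            self.log_level, self._saved = self._saved, None

    def set_level(self, level):
        """Manual per-conversation change (the '/logger set' path)."""
        self.log_level = level

    def display(self, line):
        """Show a line; it is persisted only while logging is on."""
        if self.log_level > LOG_OFF:
            self.log.append(line)


def demo():
    """Constructed conversation: plain text, two OTR sessions, one override."""
    buf = Buffer(log_level=3)
    buf.display("plain hello")
    buf.otr_start()
    buf.display("[otr] session started")   # not logged: no trace of the session
    buf.display("secret one")              # not logged
    buf.set_level(9)                       # explicit opt-in for this session only
    buf.display("secret two")              # logged because the user asked
    buf.otr_end()                          # back to 3, not 9
    buf.display("plain again")
    buf.otr_start()                        # next session is silent again
    buf.display("secret three")
    buf.otr_end()
    return buf
```

Saving the level only on the first otr_start is what keeps a repeated start event inside one session from overwriting the saved value with "off" and leaving the conversation unlogged forever.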