Hi everyone,

Someone on the irssi-otr tracker opened a bug a while back and, looking at it more in depth, it might be a libotr "issue".

https://github.com/cryptodotis/irssi-otr/issues/23

In a nutshell, two parties (Alice and Bob) are in a *trusted* OTR session over IRC. Alice sends a message to Bob: "I have a leak..."

Just after that, a "General Error" (OTRL_MSGEVENT_RCVDMSG_GENERAL_ERR) is received by Alice stating this (irssi OTR example):

    06:37 OTR: General Error: Please type ?OTR? now...

Alice has *no* idea where this is coming from because *anyone* can trigger that by sending a PRIVMSG to Alice simply by being identified with Bob's nickname.

    PRIVMSG <nick> <message>

irssi-otr prints the "<message>" in the console, thus "Please type ?OTR? now..." is the message sent in the above PRIVMSG. I've checked, Pidgin-otr does the same.

Alice reads that error and of course thinks that libotr is telling her that a genuine error happened and that she should type that command. The command used in this example basically renegotiates the session (?OTR?), but if the other side switched keys to a set unknown to Alice, we end up in a new OTR session with untrusted keys. Yes, this is far-fetched but *very* possible with unauthenticated IRC nicknames that can be taken by a different person.

Previously, libotr flagged the message "I have a leak..." to be resent because of the OTR error just after. That message is then resent in the new *unauthenticated* session by libotr! This is *really* not good.

As of now, irssi-otr and pidgin-otr (both using libotr) are affected by this issue.

Is there any way libotr could pin the current key of the last message and, when resending, make sure the keys are the same?

Also, I'm starting to think that printing the received message on error is maybe a bad idea (or at the very least it should clearly state that this message comes from *outside* libotr).

Cheers!
David

BTW: Huge thanks to weinholt for that report and help. You can still use his bot "OTRResend" on freenode for testing.
_______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
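The key pinning asked about in the message above, modelled as an added example; it is not libotr code and not part of the original post. The types `struct session` and `struct pending`, the functions `make_session`, `pin_message` and `check_resend`, and the fingerprint bytes are all hypothetical or constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FP_LEN 20 /* an OTR fingerprint is a 20-byte SHA-1 hash of the public key */

/* Hypothetical model types for this example; these are not libotr structures. */
struct session { unsigned char fp[FP_LEN]; bool trusted; };
struct pending { const char *text; unsigned char fp[FP_LEN]; bool trusted; };

enum resend { RESEND_OK, RESEND_KEY_CHANGED, RESEND_TRUST_LOST };

/* Constructed fingerprint: every byte set to `fill` (sample data only). */
struct session make_session(unsigned char fill, bool trusted) {
    struct session s;
    memset(s.fp, fill, FP_LEN);
    s.trusted = trusted;
    return s;
}

/* Record which key, at which trust level, the message was first sent under. */
void pin_message(struct pending *p, const char *text, const struct session *s) {
    p->text = text;
    memcpy(p->fp, s->fp, FP_LEN);
    p->trusted = s->trusted;
}

/* Decide whether a queued message may be resent in the renegotiated session. */
enum resend check_resend(const struct pending *p, const struct session *now) {
    if (memcmp(p->fp, now->fp, FP_LEN) != 0)
        return RESEND_KEY_CHANGED;   /* different peer key: never resend */
    if (p->trusted && !now->trusted)
        return RESEND_TRUST_LOST;    /* same key, but no longer verified */
    return RESEND_OK;
}

int main(void) {
    struct session bob = make_session(0xB0, true);       /* verified key */
    struct session impostor = make_session(0xE1, false); /* key after ?OTR? */
    struct pending msg;
    pin_message(&msg, "I have a leak...", &bob);
    printf("same key:    %d\n", check_resend(&msg, &bob));
    printf("changed key: %d\n", check_resend(&msg, &impostor));
    return 0;
}
```

A client applying this check would drop or hold the queued message on anything other than `RESEND_OK` and tell the user why, instead of resending automatically.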
