(1) Correct. The OTR plugin does not ask for a passphrase or anything on startup, so anyone who has your .purple folder can impersonate you. Then again, if you have password-saving enabled, then the .purple folder also contains the passwords for your IM account unencrypted. If you are worried about someone else accessing that information, you should encrypt your home directory (Ubuntu offers to do so on install, you can probably look up how to do so later).
(2) OTR guarantees "perfect forward secrecy" so having your secret keys does not allow an attacker to read your past conversations; it only allows them to impersonate you in the future and therefore theoretically intercept future conversations (actually intercepting IMs would require a powerful attacker, especially given that XMPP and AIM usually go over SSL). Naturally, if you discover that someone has managed to access your .purple folder, you should change all of your IM passwords and OTR private keys and notify anyone you use OTR with to invalidate your old keys and verify your new ones.

(3) I am not an OTR dev, but I believe the issues you discuss are outside of the scope of the OTR software.

- Daniel

On Wed, Nov 9, 2011 at 07:47, Greg Reagle <rea...@cepr.net> wrote:
> Greetings and salutations.
>
> I have already searched http://www.cypherpunks.ca/otr/otr-codecon.pdf and
> http://www.cypherpunks.ca/otr/index.php#faqs for the answer to my questions.
> If they are answered in some other document, please point me to it, and
> excuse me.
>
> I am using:
> $ COLUMNS=100 dpkg -l "*pidgin*" "*purple*"
> ||/ Name                Version
> +++-===================-===================-
> ii  libpurple-bin       1:2.6.6-1ubuntu4.3
> ii  libpurple0          1:2.6.6-1ubuntu4.3
> ii  pidgin              1:2.6.6-1ubuntu4.3
> ii  pidgin-data         1:2.6.6-1ubuntu4.3
> ii  pidgin-libnotify    0.14-1ubuntu14
> ii  pidgin-otr          3.2.0-5
>
> My private key appears to be stored on my filesystem
> in ~/.purple/otr.private_key, unencrypted.
>
> (1) Is my private key, in fact, stored unencrypted?
> (2) If yes, I suppose this is a major security weakness. What are the
> security ramifications of this?
> (3) Are there any plans to remedy?
>
> Thanks!
>
> --
> Greg Reagle
> System Administrator
> Center for Economic and Policy Research
> rea...@cepr.net
> http://www.cepr.net/
> _______________________________________________
> OTR-users mailing list
> OTR-users@lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
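
The exposure discussed in this thread, as an added example that is not part of the original messages or of the OTR or Pidgin code: a Python audit of a .purple directory that reports loose file permissions, a plaintext otr.private_key, and saved account passwords. It assumes libpurple's accounts.xml file name and `<password>` element and the S-expression key format written by pidgin-otr, none of which are quoted in the thread; the sample directory and its contents are constructed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

def audit_purple_dir(purple_dir):
    """Return findings for the exposures discussed in the thread."""
    findings = []
    key_path = os.path.join(purple_dir, "otr.private_key")
    accounts_path = os.path.join(purple_dir, "accounts.xml")
    # The directory and both files should be accessible to the owner only.
    for path in (purple_dir, key_path, accounts_path):
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {mode:o} grants group/other access")
    # Assumption: the key is a plaintext S-expression with no passphrase.
    if os.path.exists(key_path):
        with open(key_path, "rb") as fh:
            if b"(private-key" in fh.read():
                findings.append(f"{key_path}: OTR private key stored in plaintext")
    # Assumption: with password saving on, accounts.xml has <password> elements.
    if os.path.exists(accounts_path):
        for account in ET.parse(accounts_path).getroot().iter("account"):
            if (account.findtext("password") or "").strip():
                name = account.findtext("name") or "?"
                findings.append(f"{accounts_path}: saved password for {name}")
    return findings

def build_sample_dir(root):
    """Constructed sample data, not real keys or credentials."""
    purple = os.path.join(root, ".purple")
    os.mkdir(purple, 0o700)
    with open(os.path.join(purple, "otr.private_key"), "w") as fh:
        fh.write('(privkeys (account (name "alice@example.org") '
                 '(protocol prpl-jabber) (private-key (dsa (p #00#)))))')
    os.chmod(os.path.join(purple, "otr.private_key"), 0o644)
    with open(os.path.join(purple, "accounts.xml"), "w") as fh:
        fh.write("<account version='1.0'><account><protocol>prpl-jabber</protocol>"
                 "<name>alice@example.org</name><password>CONSTRUCTED</password>"
                 "</account></account>")
    os.chmod(os.path.join(purple, "accounts.xml"), 0o600)
    return purple

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_purple_dir(build_sample_dir(tmp)):
            print(finding)
```

A clean result only means the files are restricted to the owning user; as the reply notes, anyone who obtains the folder can still read them unless the home directory is encrypted.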