Re: [liberationtech] Question about otr.js

2013-06-07 Thread Nadim Kobeissi
On 2013-06-07, at 1:09 PM, Anthony Papillion anth...@cajuntechie.org wrote: On 06/06/2013 07:00 PM, Nadim Kobeissi wrote: Speaking as the lead developer for Cryptocat: OTR.js actually has had some vetting. We're keeping it experimental simply due to the experimental nature of web

Re: [liberationtech] Question about otr.js

2013-06-07 Thread Jurre andmore
Pidgin is a terrible client. It has quite a bit of issues. Their SSL handling is terrible and possible to MITM. I audited the Windows build last August and found, in 2012, known vulnerabilities dating from 2006. Only recently, in February, did the Pidgin team release a security update. Avoid using

Re: [liberationtech] Question about otr.js

2013-06-07 Thread Anthony Papillion
On 06/07/2013 12:18 PM, Nadim Kobeissi wrote: I would never suggest Pidgin — Pidgin has never received an audit and is full of vulnerabilities that the development team is reluctant to fix. Cryptocat has actually received far more audits than Pidgin, although I'm not sure how to compare

Re: [liberationtech] Question about otr.js

2013-06-07 Thread Steve Weis
Nadim's reply is much better just linking to the otr.js author's own warning. I'd like to reiterate the importance of code delivery. I've seen a couple dozen attempts to do crypto via server-hosted Javascript. All of these reduced to trusting whomever is serving the code. These issues have been

Re: [liberationtech] Question about otr.js

2013-06-07 Thread Eduardo Robles Elvira
On Fri, Jun 7, 2013 at 7:59 PM, Steve Weis stevew...@gmail.com wrote: I'd like to reiterate the importance of code delivery. I've seen a couple dozen attempts to do crypto via server-hosted Javascript. All of these reduced to trusting whomever is serving the code. These issues have been

Re: [liberationtech] Question about otr.js

2013-06-07 Thread Pavol Luptak
On Fri, Jun 07, 2013 at 07:44:35PM +0200, Jurre andmore wrote: Pidgin is a terrible client. It has quite a bit of issues. Their SSL handling is terrible and possible to MITM. I audited the Windows build last August and found, in 2012, known vulnerabilities dating from 2006. Only recently

[liberationtech] Question about otr.js

2013-06-06 Thread Anthony Papillion
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I'm thinking about working on a web app that would use otr.js to enable OTR chat via the web (probably similar to Cryptocat). Does anyone know what the security status of otr.js is? Has it been vetted? If not, what is the recommended (vetted)

Re: [liberationtech] Question about otr.js

2013-06-06 Thread Steve Weis
The status is: [otr.js] hasn't been properly vetted by security researchers. Do not use in life and death situations! https://github.com/arlolra/otr#warning On Thu, Jun 6, 2013 at 3:14 PM, Anthony Papillion anth...@cajuntechie.org wrote: I'm thinking about working on a web app that would use

Re: [liberationtech] Question about otr.js

2013-06-06 Thread Nadim Kobeissi
Speaking as the lead developer for Cryptocat: OTR.js actually has had some vetting. We're keeping it experimental simply due to the experimental nature of web cryptography as a whole. It's a handy library that has had a lot of consideration put into it, but it really depends on your use case