Hi Thibault,

[email protected] wrote (08 Oct 2013 09:27:56 GMT) :
> as you are surely aware of, it's been known [1] since 2006 that
> clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject
> to protocol downgrade attacks. It's also been known for
> a while that OTRv1 has serious security issues (that were the main
> reason for a v2, actually). In short, supporting v2 only is the only safe
> way to go these days.
>
> [1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945
>
> It took a while to obsolete older v1-only software, and another while
> to complete the libotr 4.x transition and get to a sane state in
> Debian testing. Now, I think the time has come when we can reasonably
> expect v2-only to work for everyone.
>
> I think that the only reasonable course of action from now on is to
> patch libotr in stable and oldstable to only support OTR v1.

(s/v1/v2/ in the last sentence, obviously.)

Ping?

If you have no time to take care of that, fair enough, but then I would
really appreciate reading your general opinion on the matter, even if
it's a simple "please go ahead and NMU".

Thanks in advance!

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

_______________________________________________
tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
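As an added illustration (not part of intrigeri's mail or of libotr), the following parses OTR query messages as defined in the OTRv2/v3 specifications and shows why a client whose policy still allows v1 can end up in a v1 session when the peer's query offers only v1, whereas a v2-only policy refuses to negotiate instead. The policy sets and query strings are constructed for the example.

```python
import re
from typing import Optional, Set

# OTR query-message forms from the OTRv2/v3 protocol specifications:
#   "?OTR?"     -> the sender supports only version 1
#   "?OTRv2?"   -> version 2 only
#   "?OTR?v2?"  -> versions 1 and 2
#   "?OTRv23?"  -> versions 2 and 3
#   "?OTRv?"    -> no versions at all
QUERY_RE = re.compile(r"\?OTR(\?)?(?:v([0-9]*)\?)?")


def offered_versions(message: str) -> Set[int]:
    """Return the set of protocol versions a peer offers in an OTR query message."""
    m = QUERY_RE.match(message)
    if m is None:
        return set()          # not a query message at all
    versions: Set[int] = set()
    if m.group(1):            # the bare "?OTR?" form advertises v1
        versions.add(1)
    for digit in m.group(2) or "":
        versions.add(int(digit))
    return versions


def negotiate(local_allowed: Set[int], peer_query: str) -> Optional[int]:
    """Pick the highest version both sides allow, or None to refuse the session."""
    common = local_allowed & offered_versions(peer_query)
    return max(common) if common else None


# Constructed policies: a dual-version client (as libotr 3.x allowed) and a v2-only one.
DUAL_VERSION_POLICY = {1, 2}
V2_ONLY_POLICY = {2}

if __name__ == "__main__":
    # A query offering only v1 is accepted by the dual-version client (a v1 session),
    # while the v2-only client refuses rather than fall back to the weaker protocol.
    print("dual-version client, v1-only query:", negotiate(DUAL_VERSION_POLICY, "?OTR?"))
    print("v2-only client, v1-only query:     ", negotiate(V2_ONLY_POLICY, "?OTR?"))
    print("v2-only client, v1+v2 query:       ", negotiate(V2_ONLY_POLICY, "?OTR?v2?"))
```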
