OTR and general security stuff

Jacob Appelbaum jacob at appelbaum.net
Tue Feb 12 16:32:05 EST 2013


I'm writing to this list as datallah suggested that I write to this
address. I hope it is useful/welcome.

I've been a Pidgin/libpurple user for a long time. Lately, I've been
working with datallah to find security related issues. A few of the
issues I've worked on or reported are here:


I've also recently reported another remotely exploitable issue privately
to datallah. He is fun to work with and I look forward to working with
him more to audit.

I'm part of the OTR development team and I really want to help make OTR
easier to use. I've worked on a few improvements to various IM clients
(such as xmpp-client, the golang xmpp/OTR client, Gajim, Adium, etc.)
regarding security and OTR. I've recently opened a bug where I'd like to
discuss the idea of shipping our pidgin-otr module in the Windows
release of Pidgin proper:


I understand that this could be potentially contentious and I even
understand some of the reasons. As a result, I wanted to open a
discussion where we discuss the issues involved and hopefully move
towards a more secure IM transport option that works across around a
dozen IM clients.

I'd like to offer my support generally. We already offer a lot of
support to all Pidgin users by including OTR in the Windows releases. I
think it will greatly improve the security of messaging for all Pidgin
users if it were a single install...

All the best,

