OTR and general security stuff

Ethan Blanton elb at pidgin.im
Tue Feb 12 18:05:51 EST 2013 

Jacob Appelbaum spake unto us the following wisdom:
> I'm writing to this list as datallah suggested that I write to this
> address. I hope it is useful/welcome.
> 
> I've been a Pidgin/libpurple user for a long time. Lately, I've been
> working with datallah to find security related issues. A few of the
> issues I've worked or reported are here:
> 
>   https://developer.pidgin.im/search?q=ioerror
>   http://hg.pidgin.im/pidgin/main/rev/66dc0da8257b
> 
> I've also recently reported another remotely exploitable issue privately
> to datallah. He is fun to work with and I look forward to working with
> him more to audit.

And we look forward to more reports!  We've been receiving a
gratifying amount of external assistance with correctness and security
auditing lately.  Thanks for your help on that front.

> I'm part of the OTR development team and I really want to help make OTR
> easier to use. I've worked on a few improvements to various IM clients
> (such xmpp-client, the golang xmpp/OTR client, Gajim, Adium, etc)
> regarding security and OTR. I've recently opened a bug where I'd like to
> discuss the idea of shipping our pidgin-otr module in the Windows
> release of Pidgin proper:
> 
>   https://developer.pidgin.im/ticket/15513
> 
> I understand that this could be potentially contentious and I even
> understand some of the reasons. As a result, I wanted to open a
> discussion where we discuss the issues involved and hopefully move
> towards a more secure IM transport option that works across around a
> dozen IM clients.

So, here's a few hits on how I feel about it, as a Pidgin developer:

 * I get the sense that a sizeable minority of our users use OTR.
   Most, but not all, of them seem to be power users (as expected),
   and we don't hear much from them.

 * While I don't use it personally (I simply use email, rather than
   IM, for sensitive information), I like the *idea* of plugins like
   OTR.

 * We've had very little contact from anyone involved with OTR.  In
   fact, this may be the first I've heard of (certainly we've heard
   from you before, Jacob, but I don't think I knew you were an OTR
   developer).  This makes me somewhat nervous about "blessing" the
   OTR plugin; in particular, there have been a few long-standing and
   unaddressed bugs (not that I can think of what they are at the
   moment, but I'm sure someone can) that have plagued Pidgin users
   for years, and we've had no avenue of contact and seen no support
   on that front.

 * The above notwithstanding, OTR is a reasonably solid plugin.

 * We don't take plugins unless we believe they are going to be
   maintained, and their maintainer is going to work with us in a
   positive fashion, because we've been burned by drive-by plugins
   before.

 * You are not an unknown quantity to us, and if you're willing to
   *commit to supporting this plugin going forward*, we can probably
   arrive at an acceptable solution to the previous three points.

 * I am not interested in including a third-party binary plugin in our
   Windows build only; I would be more inclined to bring the Pidgin
   OTR plugin (or a version thereof) into the Pidgin sources, and
   release it on all platforms where the dependencies are met.  (I see
   that you propose this on your bug.)

So ... the net wrapup of all of that is that I'm left feeling a little
bit nervous about how smoothly this will go for Pidgin in the long
run, but I think it's a positive general step if you are willing to
step up for long-term maintenance, and I support it.

This also leaves a possible discussion for integrating OTR as a
non-plugin Pidgin feature, as well as OTR for finch.  :-)

Ethan

More information about the Devel mailing list