SSL security concern
David Woolley
forums at david-woolley.me.uk
Tue Oct 15 02:50:19 EDT 2013
On 14/10/13 22:39, Ethan Blanton wrote:
> Oh, OTR. This is a problem for the OTR plugin. We started

I'm afraid I failed to spot that this was an OTR one, rather than a
corporate lock down one. (They often have rather conflicting aims.**)

>
> * Secure all communications, untrusted local storage
> * Secure all communications, trusted local storage

I'm afraid you will need better descriptions. My first thought was that
the average user wouldn't make the connection between trusted local
storage and logs. On further thought, if you don't actually trust local
storage, you can't trust the certificates, or the program code.

>
> My pushback on this is that the complexity of implementation is pretty
> high, and I don't really think the benefit is that large. I wouldn't
> implement it, but if somebody handed it to me and it was good, I would
> probably take it.

Of course, being open source, the OP can always fork their own version
of the code, remembering to change the branding and the embedded support
address.

** E.g. corporate IT departments usually want to ensure that
conversations are logged but in a way that doesn't allow the employee to
manipulate them.