SSL security concern

David Woolley forums at david-woolley.me.uk
Tue Oct 15 02:50:19 EDT 2013


On 14/10/13 22:39, Ethan Blanton wrote:

> Oh, OTR.  This is a problem for the OTR plugin.  We started

I'm afraid I failed to spot that this was an OTR one, rather than a 
corporate lockdown one.  (They often have rather conflicting aims.**)
>
>      * Secure all communications, untrusted local storage
>      * Secure all communications, trusted local storage

I'm afraid you will need better descriptions.  My first thought was that 
the average user wouldn't make the connection between trusted local 
storage and logs.  On further thought, if you don't actually trust local 
storage, you can't trust the certificates, or the program code.

>
> My pushback on this is that the complexity of implementation is pretty
> high, and I don't really think the benefit is that large.  I wouldn't
> implement it, but if somebody handed it to me and it was good, I would
> probably take it.

Of course, being open source, the OP can always fork their own version 
of the code, remembering to change the branding and the embedded support 
address.

** E.g. corporate IT departments usually want to ensure that 
conversations are logged but in a way that doesn't allow the employee to 
manipulate them.


