[liberationtech] Using Gajim Instead of Pidgin for More Secure OTR Chat

Jacob Appelbaum jacob at appelbaum.net
Wed Feb 20 23:20:48 PST 2013


Micah Lee:
> I just wrote a blog post that people here might find interesting about
> using Gajim, a chat client written in python, and Gajim's OTR plugin, a
> purely python implementation of the OTR standard, instead of Pidgin and
> libotr.
> 
> https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/
> 
> Also, I wrote a script called pidgin2gajim that takes the OTR keys from
> Pidgin and reformats them to work in Gajim, so you can keep your old
> Pidgin key.
> 
> https://github.com/micahflee/pidgin2gajim

A few people, myself included, had an audit (drinking) game with gajim a
while back - they were quite responsive. There were a number of rather
insecure design issues that I would strongly caution rechecking - one of
them was that the Python OTR module was not included in the default
Gajim release. If I remember correctly, one had to download it and
install it from within a plugin wizard of sorts over http:

  https://trac.gajim.org/ticket/7024

I think they fixed that by adding HTTPS - in python - which well, hrm.
Looks like a fun thing to follow up on, eh?

I think their HTTPS code is here:

  http://hg.gajim.org/gajim/file/47df356614cc/src/common/check_X509.py

They wrote some DH code here:

  http://hg.gajim.org/gajim/file/47df356614cc/src/common/dh.py

Other bugs for OTR are interesting to read:

  https://trac.gajim.org/ticket/7025
  https://trac.gajim.org/ticket/7030

Here are a few other bugs I reported including remote code execution issues:


https://trac.gajim.org/query?status=assigned&status=closed&status=needinfo&status=new&status=reopened&reporter=ioerror&order=priority

A friend's bug reports:


https://trac.gajim.org/query?status=assigned&status=closed&status=needinfo&status=new&status=reopened&reporter=buymebeer&order=priority

A few days ago, I also managed to remotely crash a friend using the most
recent Gajim in an OTR session. His Gajim client sent me this in response:

<message to="me" type="chat" id="30" from="myfriend/Gajim">
<body>18:37:16 (E) gajim.c.ged Error while running an even handler:
<bound method OtrPlugin.handle_incoming_msg of <gotr.otrmodule.OtrPlugin object at 0x1845750>>
Traceback (most recent call last):
  File "/usr/share/gajim/src/common/ged.py", line 91, in raise_event
    if handler(*args, **kwargs):
  File "/home/user/.local/share/gajim/plugins/gotr/otrmodule.py", line 521, in handle_incoming_msg
    appdata={'session':event.session})
  File "/home/user/.local/share/gajim/plugins/gotr/potr/context.py", line 219, in receiveMessage
    plaintext, tlvs = self.crypto.handleDataMessage(message)
  File "/home/user/.local/share/gajim/plugins/gotr/potr/crypt.py", line 195, in handleDataMessage
    tlvs = proto.TLV.parse(tlvData)
  File "/home/user/.local/share/gajim/plugins/gotr/potr/proto.py", line 318, in parse
    return [tlvClasses[typ].parsePayload(data[:length])] \
KeyError: 0
</body><thread>xxxx</thread><nos:x value="enabled" xmlns:nos="google:nosave"/><arc:record otr="true" xmlns:arc="http://jabber.org/protocol/archive"/></message>

I didn't report it and I'm not sure if my friend did either. I'd guess not.

I think this was the message that I sent to my friend that caused the
above stack trace to be sent over jabber to me:
<message to='myfriend' from='me'
type='chat'><body>?OTR:AAIDAAAAAAUAAAACAAAAwKAOQK5DZercq54LCaVQaSzz23rYwDrTXyUMaaSjUUXo435D8p4kg9e8WJ/o
XxRgXt7DzFqRhckMSchtiKn3Z18crsO+KVwmlmDBzAk4mW0PL3SSbEeVCnNuixySOXbBWtohxqxwc/3yBsm2ki0Sac8fvdJfw3f5UdYBCJezM4gVEfe2UEyDyenT3TMT5TOpAtu7TVh6IgKjy0hvYsTpYKbhD6t/IojJKu55eK20QZN
qRYoYV+c5SS17mVWy8OvBWgAAAAAAAAAHAAABALaP77xkbaBybuXXtaoMU2mA0m3LIgHAKLhI8/bPtsyv+CUlnZZoqoLdlp67icTFvzUeUU3jFW/RSAa63d5mnzvb21zmhydE2i/U3hvwCyP6OHthfV8/PkBP/uq8bWfHEqJ/8yyWRM
VS/1L7uauQdDBXuORV0iYQnRBxkwVmIV5KfqKlUR0KEYza3urw5wdsOqOSIU0W9fa5ksZBDyuZxvG6d9NSJa7FRnN7aqpAzxDWGfWTg5FLSCQFMd22BxXOsS4UalkYQVxAmfLAYpv8Nw0Dw4PZfLDObpvXBx89g9nuenOAZWGtCsm24
u6xFNIHQGdxYSd93zhZV1kU7gsdcK051Lgx2h1EYbEHP2hKZxGk4AEwlgAAAAA=.</body><nos:x
xmlns:nos='google:nosave' value='enabled'/><arc:record
xmlns:arc='http://jabber.org/protocol/archive' otr='require'/></message>

Anyway, Gajim isn't free of issues and the OTR plugin is written in
Python. That may be good news but I admit, I haven't seen if there are
any test vectors that compare all of the functionality. At one point the
potr library author had considered unit testing their inputs/outputs
against the expected libotr inputs/outputs. I'm not sure if that happened.

They are at least Tor (support) friendly which is nice of them:

  https://trac.gajim.org/ticket/7026

All the best,
Jake
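The traceback in the message above ends in a KeyError on a type-table lookup inside the OTR TLV parser (type 0 is the padding TLV in the OTR specification). The following Python is an added illustration, not code from potr, Gajim or this thread: it parses the TLV section of an OTR data message using the wire format the specification defines (2-byte big-endian type, 2-byte big-endian length, value), shows the fragile lookup pattern that turns an unexpected type into an exception, and beside it a version that tolerates unknown types and truncated records so a peer's message cannot take the handler down. All function and constant names, the incomplete type table, and the sample byte strings are constructed for this example.

```python
import struct
from dataclasses import dataclass

# OTR TLV type numbers from the OTR protocol specification (v2/v3).
TLV_PADDING = 0
TLV_DISCONNECTED = 1
TLV_SMP1 = 2
TLV_SMP2 = 3
TLV_SMP3 = 4
TLV_SMP4 = 5
TLV_SMP_ABORT = 6

# Constructed type table that, like the lookup in the traceback above, has
# no entry for type 0. A direct index into it raises KeyError for any type
# the table does not know.
INCOMPLETE_TABLE = {
    TLV_DISCONNECTED: "disconnected",
    TLV_SMP1: "smp1", TLV_SMP2: "smp2", TLV_SMP3: "smp3",
    TLV_SMP4: "smp4", TLV_SMP_ABORT: "smp_abort",
}


@dataclass
class TLV:
    typ: int
    value: bytes
    name: str          # "unknown" when the type is not in the table


class TLVParseError(ValueError):
    """Raised for malformed TLV data; the caller drops the message and continues."""


def split_tlvs(data: bytes):
    """Yield (type, value) pairs; type and length are 2-byte big-endian fields."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise TLVParseError(f"truncated TLV header at offset {pos}")
        typ, length = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        if len(data) - pos < length:
            raise TLVParseError(
                f"TLV type {typ} claims {length} bytes, only {len(data) - pos} left")
        yield typ, data[pos:pos + length]
        pos += length


def parse_tlvs_fragile(data: bytes) -> list:
    # Mirrors the crashing pattern: direct table lookup with no fallback.
    return [TLV(typ, val, INCOMPLETE_TABLE[typ]) for typ, val in split_tlvs(data)]


def parse_tlvs_robust(data: bytes) -> list:
    # Unknown types are kept but labelled; the length field lets the parser
    # skip past them, so one unexpected record does not abort the whole list.
    return [TLV(typ, val, INCOMPLETE_TABLE.get(typ, "unknown"))
            for typ, val in split_tlvs(data)]


def handle_tlvs(data: bytes) -> tuple:
    """Return (tlvs, error_text). Never raises, so a peer cannot crash the handler."""
    try:
        return parse_tlvs_robust(data), None
    except TLVParseError as exc:
        return [], str(exc)


# Constructed sample: a two-byte padding TLV (type 0) followed by an empty
# disconnect TLV (type 1).
SAMPLE = (struct.pack(">HH", TLV_PADDING, 2) + b"\x00\x00"
          + struct.pack(">HH", TLV_DISCONNECTED, 0))
# Constructed sample: a header promising more bytes than are present.
TRUNCATED = struct.pack(">HH", TLV_SMP1, 10) + b"abc"

if __name__ == "__main__":
    try:
        parse_tlvs_fragile(SAMPLE)
    except KeyError as exc:
        print("fragile parser died with KeyError:", exc)
    print(handle_tlvs(SAMPLE))
    print(handle_tlvs(TRUNCATED))
```

The point of the split is that the wire format already carries enough information to step over a record whose type the implementation does not recognise; a parser only needs to refuse records whose lengths run past the buffer, and to report that as a parse error the message handler catches rather than as an uncaught exception that ends up in an error dialog, or, as here, echoed back to the remote party.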


