[liberationtech] Current state of Pidgin OTR vs Jitsi OTR
Adam Back
adam at cypherspace.org
Mon Jul 1 02:20:06 PDT 2013
Your main claim is now refuted by the web page you quote (I presume it was
updated since you read it).
"Update: After talking to some people it appears that libotr isn’t as
bug-ridden as the other libraries that Pidgin depends on, libpurple and
libxml2. I’m still glad there’s a native python implementation of OTR
though."
The remaining claimed problems are then pidgin itself having bugs, nothing
on OTR. So if you want to argue for an interpreted language chat client, go
for it.
Note in general people should be somewhat wary of "new" programs that handle
their security sensitive data or keys (whichever language they are written
in), particularly if the implementors are new and unknown with no reputation
in the OSS arena. (I have no idea of the status of that for gajim nor
pidgin, but as a principle.) Backdoors can be plausibly hidden in any
language. Same goes for vetting "contributions" and checking signatures and
checksums on source servers. You've got to expect NSA and probably other
countries' equivalent spy agencies will be trying to backdoor as much as they
can, including by contributing to open source projects, hacking source
repositories etc.
Adam
On Mon, Jul 01, 2013 at 10:33:51AM +0200, Nikola Kotur wrote:
>On Sun, 30 Jun 2013 02:25:54 -0500
>Anthony Papillion <anthony at cajuntechie.org> wrote:
>
>> what exactly is the problem with Pidgin OTR
>
>This page summarizes what might be wrong with Pidgin and OTR:
>
>https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/
>
>In short: Pidgin uses libotr, which is riddled with bugs, and *might*
>have vulnerabilities that can be used to render your privacy useless.
>And the only thing worse than no privacy is illusion of privacy.