[liberationtech] Current state of Pidgin OTR vs Jitsi OTR
Jacob Appelbaum
jacob at appelbaum.net
Mon Jul 1 07:03:09 PDT 2013
Nikola Kotur:
> On Sun, 30 Jun 2013 02:25:54 -0500
> Anthony Papillion <anthony at cajuntechie.org> wrote:
>
>> what exactly is the problem with Pidgin OTR
>
> This page summarizes what might be wrong with Pidgin and OTR:
>
> https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/
>
> In short: Pidgin uses libotr, which is riddled with bugs, and *might*
> have vulnerabilities that can be used to render your privacy useless.
> And the only thing worse than no privacy is the illusion of privacy.
>
As one of the people currently working on libotr, I'd like to ask you to
reload that page and note the footnote:
"Update: After talking to some people it appears that libotr isn’t as
bug-ridden as the other libraries that Pidgin depends on, libpurple and
libxml2. I’m still glad there’s a native python implementation of OTR
though."
I've audited libotr, pidgin-otr, and I've also audited gajim - I've
found bugs in each - though nothing as serious as the bugs I've found in
gajim. It has potential to be great software and because it is written
in python, I tend to think it might be in better shape.
I agree that pidgin has issues - I've spent quite a lot of time looking
for them, finding them, and disclosing them - I'm far far from the only one:
https://developer.pidgin.im/wiki/ChangeLog
It seems to me that we should want diversity in chat clients - something
that using pidgin, jitsi, xmpp-client, adium, gajim and others will
bring us. We want the diversity not just in terms of names but also in
terms of libraries.
We also need security in the bootstrapping process - try to download
pidgin or adium over HTTPS - I guess you'll find it difficult. Jitsi on
the other hand deployed HTTPS when I suggested it to them. I've had
piss poor luck with getting Ian to deploy HTTPS for the pidgin-otr
plugin website - much to my frustration. gajim had (or has?) the same
problem with their plugin loading over the internet code. I'm hoping to
solve this by having pidgin-otr as a shipping part of pidgin proper in
the 3.0 release. I have commit bit, I just need to sit down and add
pidgin-otr to the source tree without losing commit history between git
and hg.
We need secure defaults too - adium for example refuses to disable
logging by default, even when the user is using OTR:
https://trac.adium.im/ticket/15722
Very few of these chat clients have proper SSL/TLS support - even if
they do enable TLS by default, some of them have very very crappy
certificate verification or validation code.
So given the above - absolutely all the chat clients have different
issues of varying severity. If passive surveillance is a concern, it
seems that OTR is a key feature - if getting OTR is difficult, I think
it signals that OTR should be built into the chat program. Jitsi and
adium do this well - only Jitsi is available over HTTPS for download.
Though it is possible to use brew to install adium in what seems to be a
more secure fashion.
The wonderful folks over at RiseUp! wrote the following page long ago -
some of it is probably still reasonably correct:
https://www.riseup.net/en/chat-clients
I hope the above is useful - please do consider that libotr is not
pidgin, even if we do one day ship with pidgin releases. The rest of the
pidgin code needs a lot of love - so please consider putting in some
time to find very specific problems, so we might improve things.
All the best,
Jacob