[liberationtech] Question about otr.js

Nadim Kobeissi nadim at nadim.cc
Thu Jun 6 17:00:07 PDT 2013 

Speaking as the lead developer for Cryptocat:
OTR.js actually has had some vetting. We're keeping it experimental simply due to the experimental nature of web cryptography as a whole. It's a handy library that has had a lot of consideration put into it, but it really depends on your use case and threat model. If you want to use it to keep conversations private in moderate situations, go ahead. If you want to use it to keep conversations private against an authoritarian regime/sprawling surveillance mechanism, think twice. Overall I find it really hard to tell whether it's safe enough without knowing your threat model. For example, if your threat model includes a likelihood of someone backdooring your hardware, pretty much nothing can help you.

If you're considering building your own app and using OTR.js as a library, I beseech you to be careful regarding code delivery mechanisms and XSS considerations. Specifically, please use signed browser plugins as a code delivery mechanism and make sure the rest of your app, including outside of OTR.js, is audited against XSS, code injection, and so on. Those kind of threats tend to be far more common than library bugs.

NK


On 2013-06-06, at 7:49 PM, Steve Weis <steveweis at gmail.com> wrote:

> The status is:
> "[otr.js] hasn't been properly vetted by security researchers. Do not use in life and death situations!"
> https://github.com/arlolra/otr#warning
> 
> On Thu, Jun 6, 2013 at 3:14 PM, Anthony Papillion <anthony at cajuntechie.org> wrote:
> > I'm thinking about working on a web app that would use otr.js to
> > enable OTR chat via the way (probably similar to Cryptocat).  Does
> > anyone know what the security status of otr.js is? Has it been vetted?
> > If not, what is the recommended (vetted) Javascript way of doing OTR?
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

More information about the liberationtech mailing list