[liberationtech] Question about otr.js

Nadim Kobeissi nadim at nadim.cc
Fri Jun 7 10:18:49 PDT 2013 

On 2013-06-07, at 1:09 PM, Anthony Papillion <anthony at cajuntechie.org> wrote:

> On 06/06/2013 07:00 PM, Nadim Kobeissi wrote:
>> Speaking as the lead developer for Cryptocat:
>> OTR.js actually has had some vetting. We're keeping it experimental simply due to the experimental nature of web cryptography as a whole. It's a handy library that has had a lot of consideration put into it, but it really depends on your use case and threat model. If you want to use it to keep conversations private in moderate situations, go ahead. If you want to use it to keep conversations private against an authoritarian regime/sprawling surveillance mechanism, think twice. Overall I find it really hard to tell whether it's safe enough without knowing your threat model. For example, if your threat model includes a likelihood of someone backdooring your hardware, pretty much nothing can help you.
>> 
>> If you're considering building your own app and using OTR.js as a library, I beseech you to be careful regarding code delivery mechanisms and XSS considerations. Specifically, please use signed browser plugins as a code delivery mechanism and make sure the rest of your app, including outside of OTR.js, is audited against XSS, code injection, and so on. Those kind of threats tend to be far more common than library bugs.
>> 
>> NK
> 
> Thank you for the excellent feedback on OTR.js. It really clears some
> stuff up and makes me much more confident in the library.
> 
> I'm considering using OTR.js as a basis for an OTR plugin for
> Thunderbird chat. I suppose, in theory, people *could* decide to use it
> in life and death situations under sprawling surveillance regimes, I'd
> try to make it clear how unwise this is and provide alternatives. For
> example, I'd point them to Pidgin with its OTR instead.

I would never suggest Pidgin — Pidgin has never received an audit and is full of vulnerabilities that the development team is reluctant to fix. Cryptocat has actually received far more audits than Pidgin, although I'm not sure how to compare the two since the platforms are totally different.

NK

> 
> Thanks again!
> 
> Anthony
> 
> 
> -- 
> Anthony Papillion
> Phone:   1.918.533.9699
> SIP:     sip:cajuntechie at iptel.org
> iNum:    +883510008360912
> XMPP:    cypherpunk38 at jit.si
> 
> www.cajuntechie.org
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

More information about the liberationtech mailing list