[liberationtech] Question about otr.js
Steve Weis
steveweis at gmail.com
Fri Jun 7 10:59:07 PDT 2013
Nadim's reply is much better just linking to the otr.js author's own warning.

I'd like to reiterate the importance of code delivery. I've seen a
couple dozen attempts to do crypto via server-hosted Javascript.
All of these reduced to trusting whoever is serving the code. These
issues have been covered many times, most prominently by Matasano
Security: http://www.matasano.com/articles/javascript-cryptography/

Anthony, it sounds like you're aware of the issues and planning to
develop code that will be installed and executed on the client, i.e. a
plugin for Thunderbird chat.

On Thu, Jun 6, 2013 at 5:00 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
> Speaking as the lead developer for Cryptocat:
> OTR.js actually has had some vetting. We're keeping it experimental simply due to the experimental nature of web cryptography as a whole. It's a handy library that has had a lot of consideration put into it, but it really depends on your use case and threat model. If you want to use it to keep conversations private in moderate situations, go ahead. If you want to use it to keep conversations private against an authoritarian regime/sprawling surveillance mechanism, think twice. Overall I find it really hard to tell whether it's safe enough without knowing your threat model. For example, if your threat model includes a likelihood of someone backdooring your hardware, pretty much nothing can help you.
>
> If you're considering building your own app and using OTR.js as a library, I beseech you to be careful regarding code delivery mechanisms and XSS considerations. Specifically, please use signed browser plugins as a code delivery mechanism and make sure the rest of your app, including outside of OTR.js, is audited against XSS, code injection, and so on. Those kinds of threats tend to be far more common than library bugs.
>
> NK
>
>
> On 2013-06-06, at 7:49 PM, Steve Weis <steveweis at gmail.com> wrote:
>
>> The status is:
>> "[otr.js] hasn't been properly vetted by security researchers. Do not use in life and death situations!"
>> https://github.com/arlolra/otr#warning
>>
>> On Thu, Jun 6, 2013 at 3:14 PM, Anthony Papillion <anthony at cajuntechie.org> wrote:
>> > I'm thinking about working on a web app that would use otr.js to
>> > enable OTR chat via the way (probably similar to Cryptocat). Does
>> > anyone know what the security status of otr.js is? Has it been vetted?
>> > If not, what is the recommended (vetted) Javascript way of doing OTR?
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech