[liberationtech] OTRon: Chrome extension for end-to-end FB chat encryption

Jens Christian Hillerup jens at hillerup.net
Wed Jan 29 01:26:31 PST 2014


On Tue, Jan 28, 2014 at 10:43 PM, Omar Rizwan <omar.rizwan at gmail.com> wrote:

> Haven't spread it widely yet or made it easy to install, I'm looking
> for feedback both on how well it works (it needs some more testing and
> does have some functionality bugs -- you may be blocked from FB chat
> for a few minutes if it goes wrong!), how easy it is to use, and on
> the general approach.


Disclaimer: I haven't read the source, tried the extension or otherwise
gotten to know about this tool other than reading OP.

The reason I'm writing anyway is that this is important to know generally.
Facebook records the text in text fields even before they're submitted [1].
Therefore, if this tool relies on Facebook's own text fields (or anything
within the DOM, really), they can completely circumvent this OTR
implementation. The right way to do this would be to spawn something out of
the reach of Facebook JS. That means spawning a separate chat window in
the context of the extension, or using window.prompt in either context (the
contents of a window.prompt cannot be read before the OK button is pressed).

JC

[1]
http://www.slate.com/articles/technology/future_tense/2013/12/facebook_self_censorship_what_happens_to_the_posts_you_don_t_publish.html
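
The separate-window design suggested in the message above, as an added example that is not part of the original post and not OTRon's code. The names `compose.html`, `OTR_OUTGOING`, `otrEncrypt` and the injected `chromeApi` parameter are assumptions; in a real extension `chromeApi` is the global `chrome` object and each function lives in the file named in its comment.

```javascript
// Added example. compose.html, OTR_OUTGOING and otrEncrypt are hypothetical names.

// background.js: open the compose UI as an extension-owned window.
// Its document is served from a chrome-extension:// origin, so scripts
// running on the chat page cannot attach listeners to it or read its fields.
function openComposeWindow(chromeApi, chatTabId) {
  const url = chromeApi.runtime.getURL('compose.html') + '?tab=' + chatTabId;
  chromeApi.windows.create({ url, type: 'popup', width: 420, height: 320 });
  return url;
}

// compose.js (runs inside the extension window): the plaintext is typed
// and encrypted here; only the ciphertext is forwarded to the chat tab.
// otrEncrypt stands for whatever OTR library call the extension uses.
async function sendFromCompose(chromeApi, chatTabId, plaintext, otrEncrypt) {
  const ciphertext = await otrEncrypt(plaintext);
  if (typeof ciphertext !== 'string' || ciphertext === plaintext) {
    // Fail closed: never fall back to forwarding the plaintext.
    throw new Error('refusing to forward unencrypted text');
  }
  chromeApi.tabs.sendMessage(chatTabId, { type: 'OTR_OUTGOING', ciphertext });
  return ciphertext;
}

// content.js: the only extension code that touches the page DOM.
// It accepts ciphertext only, so page listeners on the chat field
// observe nothing but what would be sent over the wire anyway.
function onExtensionMessage(message, chatField) {
  if (!message || message.type !== 'OTR_OUTGOING') return false;
  if (typeof message.ciphertext !== 'string') return false;
  chatField.value = message.ciphertext;
  return true;
}
```

Incoming messages need the mirror image: the content script passes received ciphertext to the extension window, and decrypted text is rendered only there, never written back into the page.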