[jitsi-users] OTR completely messed up in 5223 (Mario Vilas)


#1

Have you checked 'Require private messaging' ? That would probably prevent
unencrypted messages from being sent. If it doesn't do that, maybe an
option can be added to fail sending messages when OTR doesn't work.

- Sandeep

···

That's the second OTR bug that was reported to this list, at least since I
joined. In both cases the problem happened only on very specific platforms,
maybe that's why they're hard to fix.

In any case, the default behavior on errors for OTR in Jitsi is to send the
message anyways but in plaintext. Even if the bugs can't be fixed, **this
should never happen**, a message should never be sent in the clear under
any circumstances!

There's also the possibility that the bugs could be triggered remotely in a
man in the middle scenario. I don't think it's likely, but nevertheless,
this should be taken seriously IMHO.

On Fri, May 16, 2014 at 9:09 AM, <singub+all@gmail.com> wrote:

> That's bad, so I am not the only one who loses OTR out of nothing.
>
> Currently I have Jitsi 5216 but I saw the drop of OTR first on 15.04.14.
> If Jitsi drops OTR with "the message was for an other connection" there is
> no way to reinstall OTR to the channel, all further messages are sent in
> plain text. All actions like reset OTR, force encryption, relogin, restart
> jitsi will fail.
> The secure chat menu lists more devices than what should be connected by
> my friend.
> Sadly on the other end the OTR icon does not change to the "unencrypted"
> view.
>
> Regards,
> Carsten
>
>
> On Mon, May 12, 2014 at 6:46 PM, Dominik George <nik@naturalnet.de> wrote:
>
>> Hi,
>>
>> in recent nightly builds, OTR has stopped working for me. Jitsi behaves as
>> though both me and my contact were using several instances and very old
>> Jitsi versions ;). It somehow looks like a regression, but I have no idea
>> where it could possibly have been introduced?
>>
>> What I experience is that, after OTR got enabled automatically for a
>> conversation, a few messages come through, then Jitsi says that it
>> received a message destined for another connection and that was thus
>> unreadable.
>>
>> Only thing is, there is definitely no other resource connected on either
>> end?
>>
>> Any hints?
>>
>> Cheers,
>> Nik


#2

> Have you checked 'Require private messaging' ? That would probably
> prevent unencrypted messages from being sent. If it doesn't do that, maybe
> an option can be added to fail sending messages when OTR doesn't work.
>
> - Sandeep

If that option is checked even the renegotiation is blocked, as these
messages are necessarily sent as plaintext.

···

On Sat, May 17, 2014 at 2:27 AM, Sandeep <sandy.8925@gmail.com> wrote:

> Have you checked 'Require private messaging' ? That would probably
> prevent unencrypted messages from being sent. If it doesn't do that, maybe
> an option can be added to fail sending messages when OTR doesn't work.
>
> - Sandeep

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
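
Added example, not part of any list message and not Jitsi's code: a sketch of the fail-closed send policy discussed in the two posts above, where user text is never downgraded to plaintext after an error or a lost session, while OTR handshake messages (which necessarily travel in the clear) stay allowed under 'Require private messaging'. The class, its method names and `toy_encrypt` are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class OtrState(Enum):
    PLAINTEXT = 1   # no OTR session negotiated
    ENCRYPTED = 2   # session keys established
    FINISHED = 3    # peer ended the session


class SendBlocked(Exception):
    """Raised instead of falling back to plaintext."""


@dataclass
class SendGate:
    require_private: bool = False
    state: OtrState = OtrState.PLAINTEXT
    was_encrypted: bool = False  # sticky: set once a session has existed

    def set_state(self, new_state):
        if new_state is OtrState.ENCRYPTED:
            self.was_encrypted = True
        self.state = new_state

    def send_user_message(self, text, encrypt):
        """Return what goes on the wire for user text, or raise SendBlocked."""
        if self.state is OtrState.ENCRYPTED:
            try:
                return encrypt(text)
            except Exception as exc:
                # An encryption error blocks the message; it is never resent in clear.
                raise SendBlocked("encryption failed, message not sent") from exc
        if self.state is OtrState.FINISHED or self.require_private or self.was_encrypted:
            # Policy demands OTR, or the session was lost mid-conversation.
            raise SendBlocked(f"no OTR session ({self.state.name}), message not sent")
        return text  # conversation never had OTR and the policy allows plaintext

    def send_protocol_message(self, wire):
        """Handshake traffic from the OTR engine: allowed in every state."""
        if not wire.startswith("?OTR"):
            raise ValueError("not an OTR protocol message")
        return wire


def toy_encrypt(text):
    # Constructed stand-in for the OTR engine's encryption call.
    return "?OTR:" + text.encode().hex() + "."
```

Only the OTR engine would call `send_protocol_message`; anything typed by the user goes through `send_user_message`, so text that merely starts with `?OTR` does not bypass the gate.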


#3

Hi,

···

On Friday, 16 May 2014, 17:27:19, Sandeep wrote:

> Have you checked 'Require private messaging' ? That would probably prevent
> unencrypted messages from being sent. If it doesn't do that, maybe an
> option can be added to fail sending messages when OTR doesn't work.

no, because I do not want that, and it is not even related to the problem - there
are no unencrypted messages, the issue is that messages are encrypted with
something else than the session OTR key - not unencrypted :)!

-nik


#4

I mentioned the unencrypted message issue because there was another thread
about it, I thought it was related.

···

On Sat, May 17, 2014 at 12:56 PM, Dominik George <nik@naturalnet.de> wrote:

Hi,

On Friday, 16 May 2014, 17:27:19, Sandeep wrote:
> Have you checked 'Require private messaging' ? That would probably prevent
> unencrypted messages from being sent. If it doesn't do that, maybe an
> option can be added to fail sending messages when OTR doesn't work.

no, because I do not want that, and it is not even related to the problem -
there are no unencrypted messages, the issue is that messages are encrypted with
something else than the session OTR key - not unencrypted :)!

-nik

--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”