[jitsi-users] OTR feedback and jitsi 2.2.4603.9615


#1

I'm using Jitsi 2.2.4603.9615 with some users. One usability point that
pops up is the current lack of ability to copy and paste your OTR
fingerprint from the "Security -> Chat" tab. It's tough to share your
OTR fingerprint out of band if you have to type in the entire thing
manually.

I'd like the ability to copy and paste OTR fingerprints. Feel free to
point me to docs if I'm doing this incorrectly.

Thanks.

···

--
Andrew


#2

Hey there,

I'm using Jitsi 2.2.4603.9615 with some users. One usability point that
pops up is the current lack of ability to copy and paste your OTR
fingerprint from the "Security -> Chat" tab. It's tough to share your
OTR fingerprint out of band if you have to type in the entire thing
manually.

I'd like the ability to copy and paste OTR fingerprints. Feel free to
point me to docs if I'm doing this incorrectly.

Double-click on the fingerprint selects it. Ctrl+C (or Cmd+C depending on the OS) puts it on the clipboard.

Note however that you have to be extremely careful as to where you paste this. Sending the fingerprint over the same channel (or on a different unencrypted channel) could represent a significant risk of compromising your connection.

Emil

···

On 05.07.13, 21:13, jitsi@lewman.us wrote:

--
https://jitsi.org


#3

I'm using Jitsi 2.2.4603.9615 with some users. One usability point that
pops up is the current lack of ability to copy and paste your OTR
fingerprint from the "Security -> Chat" tab. It's tough to share your
OTR fingerprint out of band if you have to type in the entire thing
manually.

I'd like the ability to copy and paste OTR fingerprints. Feel free to
point me to docs if I'm doing this incorrectly.

I just committed a fix for this. It should be available in the next nightly
build (id 4711).

Thanks.

Ingo


#4

On Sat, Jul 06, 2013 at 12:45:17AM +0200, emcho@jitsi.org wrote 0.8K bytes in 0 lines about:
: Double-click on the fingerprint selects it. Ctrl+C (or Cmd+C
: depending on the OS) puts it on the clipboard.

Double-click does nothing for me.

···

--
Andrew
pgp 0x6B4D6475


#5

I do not think that leaking the fingerprint would lead to big
problems, but you might lose your deniability. I do not think that it
leads to any problems with the actual encryption.

--
Yannik Völker

···

Am 06.07.2013 00:45, schrieb Emil Ivov:

Note however that you have to be extremely careful as to where you
paste this. Sending the fingerprint over the same channel (or on a
different unencrypted channel) could represent a significant risk
of compromising your connection.


#6

On Sat, Jul 06, 2013 at 11:19:53AM +0200, ingo@jitsi.org wrote 0.7K bytes in 0 lines about:
: I just committed a fix for this. It should be available in the next nightly
: build (id 4711).

Thanks! I'll test it out at next apt-get pull

···

--
Andrew
pgp 0x6B4D6475


#7

One of the main reasons for comparing OTR fingerprints is to avoid Man
In The Middle Attacks. Doing so by chat makes it painfully easy for
the potential Man In The Middle to simply replace the fingerprint you
sent with their own.

Emil

···

On Sat, Jul 6, 2013 at 4:55 AM, Yannik Völker <yannikv@yahoo.de> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 06.07.2013 00:45, schrieb Emil Ivov:

Note however that you have to be extremely careful as to where you
paste this. Sending the fingerprint over the same channel (or on a
different unencrypted channel) could represent a significant risk
of compromising your connection.

I do not think that leaking the fingerprint would lead to big
problems, but you might lose your deniability. I do not think that it
leads to any problems with the actual encryption.


#8

Emil,

Could you please explain why is comparing fingerprints even present? I
always thought that OTR used socialist millionaire protocol that makes
exactly this unnecessary.

From wikipedia: https://en.wikipedia.org/wiki/Socialist_millionaire

It is often used as a cryptographic protocol that allows two parties
to verify the identity of the remote party through the use of a shared
secret, avoiding a man-in-the-middle attack without the inconvenience
of manually comparing public key fingerprints through an outside
channel.

Regards!

···

On 7/7/13, Emil Ivov <emcho@jitsi.org> wrote:

On Sat, Jul 6, 2013 at 4:55 AM, Yannik Völker <yannikv@yahoo.de> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 06.07.2013 00:45, schrieb Emil Ivov:

Note however that you have to be extremely careful as to where you
paste this. Sending the fingerprint over the same channel (or on a
different unencrypted channel) could represent a significant risk
of compromising your connection.

I do not think that leaking the fingerprint would lead to big
problems, but you might lose your deniability. I do not think that it
leads to any problems with the actual encryption.

One of the main reasons for comparing OTR fingerprints is to avoid Man
In The Middle Attacks. Doing so by chat makes it painfully easy for
the potential Man In The Middle to simply replace the fingerprint you
sent with their own.

Emil

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#9

Could you please explain why is comparing fingerprints even present? I
always thought that OTR used socialist millionaire protocol that makes
exactly this unnecessary.

Because our OTR implementation predates the specification of the SMP in OTR
and we haven't had the time to keep up with the development. Contributions
would be most welcome.

From wikipedia: https://en.wikipedia.org/wiki/Socialist_millionaire It
is often used as a cryptographic protocol that allows two parties to
verify the identity of the remote party through the use of a shared
secret, avoiding a man-in-the-middle attack without the inconvenience of
manually comparing public key fingerprints through an outside channel.

Regards!

Ingo


#10

Does this also mean that Jitsi is incompatible with other programs
that use newer implementation/version of OTR?

Regards!

···

On 7/8/13, Ingo Bauersachs <ingo@jitsi.org> wrote:

Could you please explain why is comparing fingerprints even present? I
always thought that OTR used socialist millionaire protocol that makes
exactly this unnecessary.

Because our OTR implementation predates the specification of the SMP in OTR
and we haven't had the time to keep up with the development. Contributions
would be most welcome.

From wikipedia: https://en.wikipedia.org/wiki/Socialist_millionaire It
is often used as a cryptographic protocol that allows two parties to
verify the identity of the remote party through the use of a shared
secret, avoiding a man-in-the-middle attack without the inconvenience of
manually comparing public key fingerprints through an outside channel.

Regards!

Ingo



#11

Could you please explain why is comparing fingerprints even present? I
always thought that OTR used socialist millionaire protocol that makes
exactly this unnecessary.

Because our OTR implementation predates the specification of the SMP in OTR
and we haven't had the time to keep up with the development. Contributions
would be most welcome.

Does this also mean that Jitsi is incompatible with other programs
that use newer implementation/version of OTR?

OTR negotiates the supported protocol version, so in general no, but if the
other client doesn't support comparing fingerprints...

Regards!

Ingo
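
Added example, not part of the thread and not Jitsi code: a small Python model of the point made above about sending a fingerprint over the chat itself versus out of band. The keys are constructed byte strings standing in for real DSA keys, the fingerprint is SHA-1 over those bytes shown as five groups of eight hex digits, and the channel classes and `alice_check` are hypothetical names.

```python
import hashlib
import hmac

# Constructed stand-ins for public keys; real OTR keys are DSA keys.
BOB_KEY = b"constructed-bob-public-key"
RELAY_KEY = b"constructed-relay-public-key"

def fingerprint(pubkey: bytes) -> str:
    """SHA-1 of the key bytes as five groups of eight hex digits."""
    digest = hashlib.sha1(pubkey).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))

def same_fingerprint(shown: str, claimed: str) -> bool:
    """Compare ignoring spacing and case, as a pasted value may differ in both."""
    canon = lambda fp: "".join(fp.split()).lower().encode()
    return hmac.compare_digest(canon(shown), canon(claimed))

class HonestChannel:
    """Hypothetical chat channel that relays keys and text unchanged."""
    def key_seen_by_peer(self, real_key: bytes) -> bytes:
        return real_key
    def deliver(self, text: str, real_key: bytes) -> str:
        return text

class InterceptedChannel(HonestChannel):
    """Hypothetical channel whose relay presents its own key to the peer and
    rewrites any fingerprint it sees in transit to match that key."""
    def __init__(self, relay_key: bytes):
        self.relay_key = relay_key
    def key_seen_by_peer(self, real_key: bytes) -> bytes:
        return self.relay_key
    def deliver(self, text: str, real_key: bytes) -> str:
        return text.replace(fingerprint(real_key), fingerprint(self.relay_key))

def alice_check(channel, bob_key: bytes, in_band: bool) -> bool:
    """True if the fingerprint Alice's client shows matches what Bob told her."""
    shown = fingerprint(channel.key_seen_by_peer(bob_key))
    message = "fp: " + fingerprint(bob_key)
    # In-band: the message crosses the channel. Out-of-band: it bypasses it.
    received = channel.deliver(message, bob_key) if in_band else message
    return same_fingerprint(shown, received.split("fp: ", 1)[1])

if __name__ == "__main__":
    for name, ch in [("honest", HonestChannel()),
                     ("intercepted", InterceptedChannel(RELAY_KEY))]:
        for in_band in (True, False):
            print(name, "in-band" if in_band else "out-of-band",
                  "match" if alice_check(ch, BOB_KEY, in_band) else "MISMATCH")
```

On the intercepted channel the in-band comparison reports a match even though the key on screen is not Bob's, while the out-of-band comparison reports a mismatch.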