[Bug 16891] Telepathy should support OTR encryption

bugzilla-daemon at freedesktop.org
Fri May 9 11:26:40 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=16891

--- Comment #62 from Simon McVittie <simon.mcvittie at collabora.co.uk> ---
Corner cases:

What happens when we try to send a message and the channel is already
TRUST_FINISHED? I think we should refuse, for the rest of the lifetime of that
channel (until Close()), to avoid the security flaw where we send messages to a
channel that just closed.

What happens when we close a channel locally? I think the answer should be "we
terminate the OTR session, and start from an unsecured state next time" - even
if the channel is in fact going to respawn due to unacknowledged messages. This
means the channel needs to reset its Encrypted flag, Verified flag and all OTR
state when it respawns. We will still be able to tell the rescued messages were
encrypted/verified because the header that I suggested adding will say so.

What happens if I'm talking to bob@example.com/Laptop using OTR, and I receive
a message from bob@example.com/Phone without OTR? I hope the answer is "libotr
deals with it and reports OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED". Is it safe (as
in, not a security vulnerability) to rely on that?

What happens when we receive a message and the channel is already
TRUST_FINISHED? I hope the answer is "libotr deals with it and reports
OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED". Is it safe (as in, not a security
vulnerability) to rely on that?
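
The first two corner cases in the comment above, modelled as a small channel state machine. This is an added example, not Telepathy or libotr code and not part of the original comment: every name except TRUST_FINISHED is hypothetical, and clearing the Encrypted/Verified flags when the peer finishes is an assumption.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_PENDING 8

/* Hypothetical names; only TRUST_FINISHED appears in the comment. */
typedef enum { TRUST_NOT_PRIVATE, TRUST_UNVERIFIED, TRUST_PRIVATE, TRUST_FINISHED } trust_level;
typedef enum { SEND_PLAIN, SEND_ENCRYPTED, SEND_REFUSED } send_result;

/* Per-message header: the protection in force when the message arrived. */
typedef struct { bool was_encrypted, was_verified; } msg_header;

typedef struct {
    trust_level trust;
    bool encrypted, verified;
    bool send_blocked;               /* latched at TRUST_FINISHED, cleared only by close */
    msg_header pending[MAX_PENDING]; /* unacknowledged incoming messages */
    int n_pending;
} chan;

void chan_init(chan *c) { memset(c, 0, sizeof *c); }

void chan_session_started(chan *c, bool verified) {
    c->trust = verified ? TRUST_PRIVATE : TRUST_UNVERIFIED;
    c->encrypted = true;
    c->verified = verified;          /* send_blocked is deliberately left alone */
}

void chan_peer_finished(chan *c) {
    c->trust = TRUST_FINISHED;
    c->encrypted = c->verified = false;  /* assumption: flags drop with the session */
    c->send_blocked = true;
}

bool chan_receive(chan *c) {
    if (c->n_pending == MAX_PENDING) return false;
    c->pending[c->n_pending++] = (msg_header){ c->encrypted, c->verified };
    return true;
}

send_result chan_send(chan *c) {
    if (c->send_blocked) return SEND_REFUSED;  /* no silent fallback to plaintext */
    return c->encrypted ? SEND_ENCRYPTED : SEND_PLAIN;
}

/* Close(): drop all OTR state; returns true if the channel respawns. */
bool chan_close(chan *c) {
    c->trust = TRUST_NOT_PRIVATE;
    c->encrypted = c->verified = c->send_blocked = false;
    return c->n_pending > 0;         /* rescued messages keep their headers */
}
```

The send refusal is a latch rather than a check on the current trust level, so a session renegotiated on the same channel does not re-enable sending before Close().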
