OTR in Pidgin?

ChO₂ chemistrydioxide at quantentunnel.de
Thu Jan 15 15:25:25 EST 2009


Although IM e2e encryption isn't widespread, there are many different
encryption protocols in use, just as there are many IM protocols. While
one user might use XMPP-PGP, another might be using OTR. I am using
pidgin-encryption. Implementing only OTR and XMPP-PGP would be useless
for those who use something else, e.g. pidgin-encryption or <insert your
favorite encryption protocol here>. 
Therefore, I think that Pidgin should either support several encryption
protocols (just as Pidgin has support for several IM protocols) or leave
it up to the users to install the encryption plugins that they need (as
it is now). I'm rather in favor of the former.




There are some aspects of some encryption protocols that I'd like to
mention here as well:

    OTR and pidgin-encryption:
Right now, installing both of these plugins at a time works, but results
in additional useless empty messages being sent and two different
encryption UIs in one application which is really confusing for some
users. Neither of these two UIs is as good as the rest of Pidgin's UI. I
think that before either or both of these plugins can be included
natively, their UI should be redesigned.

    XMPP:
XMPP-PGP is documented in XEP 0027 (Current Jabber OpenPGP Usage,
http://xmpp.org/extensions/xep-0027.html ). This XEP only aims to
document the old protocol which is still used. It has been superseded by
RFC 3923 (End-to-End Signing and Object Encryption for XMPP,
http://xmpp.org/rfcs/rfc3923.html ). 

    IRC:
I think I should also mention that IRC has native encryption support
which is called SDCC. I don't know much about it, but I suppose that
it's as ugly as the rest of IRC. I think it shouldn't be implemented
because I hate IRC.


-------- Weitergeleitete Nachricht --------
Von: Christian Franke <cfchris6 at yahoo.de>
An: devel at pidgin.im
Betreff: Re: OTR in Pidgin?
Datum: Thu, 15 Jan 2009 14:02:33 +0100
Mailer: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.1.16) Gecko/20080920
Thunderbird/2.0.0.16 Mnenhy/0.7.5.0

On 01/14/2009 12:16 AM, Jens Franik wrote:
> am Dienstag, 13. Januar 2009 um 06:08 schrieb Casey Ho:
> 
>> How do you all feel about including the OTR plugin by default in Pidgin?
> 
> I do not feel the difference to GPG, but i would like to have OTR.
> But  it  should be well migrated and worked out in details, because it
> is a little bit complicated to use right now.

I do not know how GPG over XMPP works in detail, but if this is only
simple encrypted messages, GPG has one big disadvantage in comparison to
OTR: if your OTR private key is compromised, only future sessions will
be compromised, not sessions you already had. With GPG, if the messages
are simply encrypted by the default public key system, when the private
key is compromised, all sessions, both past and future, are compromised.

What I'd like about this is, this would in fact spread OTR, which I
consider a very good e2e encryption, at least for protocols that do not
allow e2e natively.

Also, that might would bring otr to finch.

_______________________________________________
Devel mailing list
Devel at pidgin.im
http://pidgin.im/cgi-bin/mailman/listinfo/devel



More information about the Devel mailing list