[guardian-dev] Fwd: [OTR-users] pidgin OTR leaks presence information to unauthorized people

Nathan of Guardian nathan at guardianproject.info
Fri Dec 16 10:49:30 EST 2011


We should verify that we don't have the same issue with Gibberbot. I
don't believe we do.

-------- Original Message --------
Subject: [OTR-users] pidgin OTR leaks presence information to
unauthorized people
Date: Fri, 16 Dec 2011 15:33:41 +0100
From: nilclass at riseup.net
To: otr-users at lists.cypherpunks.ca

Hi,

Assume this situation:

Alice and Bob both have an OTR enabled client.
Alice has not approved that Bob may see her presence.
They are both online.
Bob starts an OTR conversation with Alice, sending some junk or whatever.
Now if this weren't an OTR message, there would be no feedback from Alice,
so no way for Bob to figure out whether Alice is currently online.
With OTR enabled, Alice's client automatically performs the OTR handshake,
which tells Bob that Alice is:
1) using an OTR-enabled client
2) currently online

A possible solution would be not to filter messages through
otrl_message_sending/otrl_message_receiving, unless the peer either has a
valid presence subscription or Alice has manually requested/approved the
OTR conversation or Alice has already participated in the conversation.

'()
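As an added illustration (not code from this thread, pidgin-otr or libotr), a small model of the leak described above and of the gate nilclass proposes: an incoming OTR query only reaches the OTR layer when the peer holds a presence subscription, OTR was manually approved, or Alice already took part in the conversation. `Client`, `Contact`, the `<DH-COMMIT>` stand-in for the handshake reply and the `?OTRv2?` sample message are assumptions made for the example.

```python
from dataclasses import dataclass

OTR_QUERY_PREFIX = "?OTR"  # OTR query/handshake messages begin with this tag


@dataclass
class Contact:
    jid: str
    presence_subscribed: bool = False  # Alice approved this peer's presence subscription
    otr_approved: bool = False         # Alice manually requested/approved OTR with the peer
    conversation_active: bool = False  # Alice has already participated in this conversation


class Client:
    """Alice's receiving client; `gate` enables the proposed subscription check."""

    def __init__(self, gate: bool):
        self.gate = gate
        self.contacts: dict[str, Contact] = {}
        self.sent: list[tuple[str, str]] = []  # (recipient, message) pairs we emitted

    def contact(self, jid: str) -> Contact:
        return self.contacts.setdefault(jid, Contact(jid))

    def may_auto_handshake(self, c: Contact) -> bool:
        # The condition from the message: hand the message to OTR only if one holds.
        return c.presence_subscribed or c.otr_approved or c.conversation_active

    def receive(self, sender: str, text: str) -> str:
        c = self.contact(sender)
        if text.startswith(OTR_QUERY_PREFIX) and (not self.gate or self.may_auto_handshake(c)):
            # Stand-in for otrl_message_receiving auto-replying with a D-H commit:
            # this reply is what tells the sender that Alice is online and OTR-capable.
            self.sent.append((sender, "<DH-COMMIT>"))
            return "handshake"
        # Plaintext, or an OTR query from an unauthorized peer: nothing goes back.
        return "no-reply"


def probe(gate: bool, subscribed: bool = False, text: str = "?OTRv2?") -> str:
    """Bob (unsubscribed unless stated) sends `text` to Alice; return her reaction."""
    alice = Client(gate=gate)
    alice.contact("bob@example.org").presence_subscribed = subscribed  # constructed JID
    return alice.receive("bob@example.org", text)


if __name__ == "__main__":
    print("unpatched, unsubscribed Bob:", probe(gate=False))  # handshake -> presence leaked
    print("gated, unsubscribed Bob:   ", probe(gate=True))    # no-reply -> nothing leaked
    print("gated, subscribed Bob:     ", probe(gate=True, subscribed=True))  # handshake
```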

