Otr?

Conor · April 19, 2007, 3:58am

I was wondering, is it ever planned for Off-The-Record messaging to be integrated into Spark?

If Spark included OTR, it would help a lot, because I could then recommend people to use Spark, vs. something such as Gaim or Adium because they are the only two (and even worse, only Gaim for Windows, only Adium for OS X) that have OTR.

bugmenot · April 19, 2007, 4:19am

Actually, I’'ve recently found out that some of our more paranoid users are not using Spark because of the capability to save conversations (i.e. if either party has the history being saved, they are on record).

I’'m sure a number of our users would like an easy way to have encrypted, unsaved conversations that would force both ends to not save the conversations.

Maybe just a padlock icon that then tells the remote end that it’‘s now encrypted and won’'t be saved, or asking the remote user first?

Brad_Mace · April 19, 2007, 1:25pm

Encryption is certainly feasible, but it’'s simply impossible to control what the other end of the connection does with the data, including saving it. If the other end has the ability to display info to the user, it inherently has the ability to save that data, and no protocol can change that.

On the other hand, the logs are just text files, and you’'d probably need info from the server to prove that they were real and not just something someone typed up in wordpad.

Conor · April 19, 2007, 8:24pm

It needs something, whether it’‘s OTR or something else. SSL between the client and server can’'t really be considered as “secure”, can it?

Brad_Mace · April 19, 2007, 8:40pm

SSL is good enough for online banking, so it’‘s nothing to sneeze at. It does assume you trust the server though. If you wanted to communicate with someone over a public/untrusted server then you’'d need a sparkplug that encrypts/decrypts the body of the message

LG1 · April 19, 2007, 9:09pm

Hi,

old SSL and TLS are both secure for the client-2-server connections. The server admin may of course record all messages in plain-text. If you are using a trusted (your own) server and no s-2-s connection you don’'t have to care about security. But I guess that your client does not check that the server certificate is valid when creating a connection to it so you are still far away from OTR.

LG

bugmenot · April 20, 2007, 2:41am

bemace wrote:

it’'s simply impossible to control what the other end of the connection does with the data, including saving it

You’‘re right. Perhaps it could be possible to simply disable the chat history while an OTR conversation is happening. If the user manages to turn it on themselves during the conversation, so be it – most of our users requesting this wouldn’'t know how to do it anyway.

wroot · April 20, 2007, 8:07am

So? OTR messages cant be just copied form the conversation window? Or print screened? Off the record should be eye-to-eye, imho

LG1 · April 20, 2007, 9:02pm

OTR messages cant be just copied form the conversation window?

Or print screened?

Yes, they can. But there’'s no problem as the goal of OTR is … probably best described here: http://www.cypherpunks.ca/otr/

LG