Plaintext negotiation during OTR handshake reveals email address

[cha0s]

Since the 'username' used for discord is the email address, this information is disclosed when negotiating an OTR connection. This should be fixed, somehow. Seems discord_create_fullname is one way this could be done. I would appreciate any guidance on how to accomplish this!

[EionRobb]

It looks like the OTR plugin pulls this directly from the purple_account_get_username() call which is where we pull the email address for auth too, and where a lot of UI expects the username field to be, to use as the unique ID for all settings to be stored against.

Workarounds could be:

• In the Discord plugin, to add an extra 'Advanced' tab setting for the login email address, and use this if it exists instead of the username Would need some magic to migrate accounts from the email address username to a 'secure' username The idea of multiple fields for username entry has been found to be confusing for people who use IRC, for example ** This wouldn't help for other protocols that use an email address for auth, with the OTR plugin
• In the OTR plugin, add an additional field to customise the account name that gets passed to otrl_proto_default_query_msg

As the 'username' in Pidgin/libpurple is more of an internal field (eg, for some protocol plugins that use the "user splits" feature it could be a hybrid of emails and servers and config), I feel like this is something more suited to the OTR plugin to solve, but happy to discuss

[cha0s]

Thank you for the thoughtful response! I opened a report here: https://bugs.otr.im/plugins/pidgin-otr/-/issues/156 but I have to say that I am not very optimistic about this being implemented as the last commit on that project appears to have been 2 years ago :(

Much appreciate the time you took to dig in on this a little bit! I will close this issue as I'm not sure there's a satisfactory solution to be achieved here.

[EionRobb]

To the OTR plugins credit, their plugin has been rock-solid and hasn't really needed an update, which might be why there hasn't been any commits lately. Private information leaks would be fairly important to them, I imagine, so hopefully this prompts them to make a change.

That said, I'm not completely against making changes in the Discord plugin if it would help - I don't want to be leaking any sensitive information to other people if there's any way we can avoid it.

Please feel free to re-open this issue if you can come up with a way that we can workaround the leakage in the plugin, or if you get no response from the OTR guys.