Off-the-Record (OTR) Messaging [$1,000]

[wanderer]

There is a $1,000 open bounty on this issue. Add to the bounty at Bountysource.

[Againstreality]

Is the mobile implementation on the way?

[marceloschmidt]

Christian, what's your mobile specs? Have you tested it? It works for a few modern browsers.

Em ter, 15 de mar de 2016 18:07, Christian Schuster < notifications@github.com> escreveu:

Is the mobile implementation on the way?

— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/RocketChat/Rocket.Chat/issues/36#issuecomment-197019260

Marcelo Schmidt

[Againstreality]

Its about the apps for Android and ios i personal use an iphone 5s with ios 9.2.1

[marceloschmidt]

It should be working with latest androids and with ios 9.2.1. Have you tested it?

[Againstreality]

yes is have testet it. And the option is not there. Maybe it was forgotten in the cordova Code?

[marceloschmidt]

@Againstreality can you please open an issue, then? Please state your server version, mobile version, and screenshots of your problem. Thanks.

[engelgabriel]

Hi @jespow have you been following the development of this feature? Do you have any comments on the current implementation?

[pkaluzacog]

Since the advantages of the Axolotl ratchet in a more-than-desktop-chat world have been mentioned already, count me among the supporters. At the same time I'd like to give a shout out to the OMEMO ratchet and protocol, which brings even more security and user convenience.

[ccoenen]

I also believe OMEMO would be the standard to back instead of (or perhaps on top of) OTR. There's implementations in

• Signal Protocol Java (where it originally comes from, in form of the aforementioned Axolotl, Java)
• Signal Desktop which integrates https://github.com/WhisperSystems/libsignal-protocol-javascript (JavaScript!)
• Conversation (actually OMEMO, Java)

probably a good starting point even though some of it is Java.

(edit) I found the XEP: https://conversations.im/xeps/multi-end.html

[electropolis]

Did something changed here? As I see that in Rocket.Chat OTR function gives me Timeout and it's even not a good option for securing messages during conversation as I read all comments here.. I see you are working on alternative solution. Is there any progress ?

[thche]

push

[C3realGuy]

OMEMO encryption would be awesome.

[ghost]

Right now riot.im/app is working with Double Ratchet Algorithm (encryption works with multiple participants, and with offline messages) https://github.com/matrix-org/olm https://github.com/vector-im/riot-web/search?utf8=%E2%9C%93&q=olm&type=Code

I'm not good developer but seems that in terms of backend it's easy. But in frontend we will require:

• A way to see the keys (riot app uses read source of message).
• A way to check keys of the other participants
• A manual method to import/export key (in case you destroy cookies/use different browser/client you won't see previous or offline messages). -> This is not available in riot app
• [Your thought here]

[graingert]

Mention notifications can be done by sending a DM with special markup to the mentioned users

[graingert]

Eg the client that sends the mentioned tagged message in a grpup uses the DM channels to push notifications

[dmkjr]

Any update on this? I'm just getting a "timeout" error when attempting to use it.

[ShalokShalom]

Seems like we can build up on this? https://github.com/RocketChat/Rocket.Chat/blob/master/packages/rocketchat-otr/client/rocketchat.otr.room.js

[0xdevalias]

FWIW, I would love to see the olm double ratchet that matrix is using (based off the one signal uses from memory) implemented

[ccoenen]

@mitar is the paper you mentioned available somewhere? You mentioned it being in review a year ago - and it sounds very interesting!

Also: Thanks for your very detailed descriptions.

[mitar]

Sadly, not. We had issues finding research novelty in that work. It was mostly engineering work, which is not what academic papers should be about, it seems. :-(

[tompinzler]

+1 for Olm Double Ratchet. It's certainly challenging to implement but would imho provide the most features (one-on-one and group conversations, partial forward secrecy etc.) and best user experience.

[napalm23zero]

Any news? Anything? Anyone? I can see OTR option on my self-hosted Rocket.Chat, but not working.

[geekgonecrazy]

Make sure you are using https

[geekgonecrazy]

Our implementation of e2e encryption has a PR open: #10094

Would be great to get some feedback on that PR.

[PanderMusubi]

You can add this line at the top of the issue description, it will update itself

![badge](https://api.bountysource.com/badge/issue?issue_id=18684038)

and look like

[ghost]

Bounty still open?

[sscotth]

It is still listed on BountySource, but #10094 was released with v0.70.0. So I assume it has not been claimed yet. Either way this issue should be closed.

@mrinaldhar @geekgonecrazy @wanderer @jespow

[ccoenen]

Is that pull request really OTR, though? From the commits alone I can't tell. E2E and OTR are very different things.

[geekgonecrazy]

@RocketChat/core can someone address the concerns here.

Technically OTR has been in for a while. Now we have E2E encryptions with #10094

Does this issue need to stay open for some specific tasks for OTR? Maybe refactoring OTR to go on top of the e2e?

cc: @engelgabriel

[sscotth]

https://github.com/RocketChat/Rocket.Chat/issues/36#issuecomment-107080470

Off-the-Record (OTR) Messaging

Allows you to have private conversations over instant messaging by providing:

Encryption

No one else can read your instant messages.

Authentication

You are assured the correspondent is who you think it is.

Deniability

The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

Perfect forward secrecy

If you lose control of your private keys, no previous conversation is compromised.

[sscotth]

@LemonAndroid I don't think the issuer is responsible for submitting the completion claim.

[Neustradamus]

Any news on it?

[gustavorps]

Bountysource decided to update their Terms of Service:

2.13 Bounty Time-Out. If no Solution is accepted within two years after a Bounty is posted, then the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource. For Bounties posted before June 30, 2018, the Backer may redeploy their Bounty to a new Issue by contacting support@bountysource.com before July 1, 2020. If the Backer does not redeploy their Bounty by the deadline, the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource.

https://www.bountysource.com/issues/18684038-off-the-record-otr-messaging

[HLFH]

@gustavorps Withdrawn. https://twitter.com/Bountysource/status/1273406549252177920 But RocketChat needs to migrate to another bounty platform.