arlolra
commented
9 years ago /cc @dgoulet
Closed arlolra closed 9 years ago
arlolra
commented
9 years ago /cc @dgoulet
arlolra
commented
9 years ago
https://lists.cypherpunks.ca/pipermail/otr-dev/2013-November/001991.html
We shouldn't be displaying these strings, https://github.com/arlolra/ctypes-otr/blob/master/chrome/content/otr.js#L710-L715 https://github.com/arlolra/ctypes-otr/blob/master/chrome/locale/en/otr.properties#L13-L14
But this attack might be possible without needing the user to paste the string. The default policy includes
OTRL_POLICY_ERROR_START_AKEwhich seems like it'll get you the opportunity to MITM automatically. Should probably disable that as well, once the usability issues are assessed.