otrv4 / pidgin-otrng

Fork of https://bugs.otr.im/plugins/pidgin-otr. This is a mirror of https://bugs.otr.im/otrv4/pidgin-otrng
GNU General Public License v2.0

Be careful sending account name in the clear #70

Closed olabini closed 5 years ago

olabini commented 5 years ago

See https://bugs.otr.im/plugins/pidgin-otr/issues/140

claucece commented 5 years ago

So, this issue refers not to when any query message is sent, but rather to when it is received and you cannot process it.

In the Pidgin plugin with OTRv3, this is then shown:

?OTRv23? alice@localhost/ has requested an Off-the-Record private conversation.  However, you do
not have a plugin to support that. See https://otr.cypherpunks.ca/ for more information.

We don't have an error message like that, so we only show:

?OTRv34?

Sometime in the past, we talked about adding an error message of the type: Failed to start an Off-the-Record private conversation... is it something to add?

See: src/client.c:284

claucece commented 5 years ago

So, I added an appropriate message for the query message now. I have found other error messages that send the account name in the clear.. should we stop them as well? @olabini

olabini commented 5 years ago

Yes, I think so.

claucece commented 5 years ago

Ok, so the error messages that we send over the wire do not have the account name. However, notifications shown on the conversation window have.. should we remove that?

olabini commented 5 years ago

Hmm, so the notifications are only local, right? In that case it shouldn't be a problem to keep the account names in there. It's only for sending over the wire I want us to be careful.

claucece commented 5 years ago

Yeah, only local @olabini .. then, awesome.. I'll close the issue, as we don't send it over the wire anymore.
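
Added example (not part of the thread and not code from pidgin-otrng): a guard that checks text bound for the wire for the local account name, in full or bare JID form, before it is sent. The function names, the fallback wording and the sample account are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed fallback wording for this example, not the plugin's actual text. */
#define GENERIC_FALLBACK "An Off-the-Record private conversation was requested."
/* OTRv3-style text quoted in the thread above, which embeds the account name. */
static const char OTRV3_STYLE[] =
    "?OTRv23? alice@localhost/ has requested an Off-the-Record private conversation.";

/* Case-insensitive search for the first n bytes of needle inside hay. */
static int contains_ci(const char *hay, const char *needle, size_t n) {
    if (n == 0) return 0;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* 1 if wire_text contains the account. Matching the bare JID (the part before
 * '/') also catches the full JID, since the bare form is its prefix. */
int wire_text_leaks_account(const char *wire_text, const char *account) {
    return contains_ci(wire_text, account, strcspn(account, "/"));
}

/* Builds the query message with generic text only. Returns 0 on success,
 * -1 if it does not fit in out or the result would still name the account. */
int build_query_message(char *out, size_t out_len, const char *account) {
    int n = snprintf(out, out_len, "?OTRv34? %s", GENERIC_FALLBACK);
    if (n < 0 || (size_t)n >= out_len) return -1;
    return wire_text_leaks_account(out, account) ? -1 : 0;
}

int main(void) {
    char msg[128];
    const char *account = "alice@localhost/laptop"; /* constructed sample */
    printf("v3-style leaks: %d\n", wire_text_leaks_account(OTRV3_STYLE, account));
    if (build_query_message(msg, sizeof msg, account) == 0)
        printf("wire: %s\n", msg);
    return 0;
}
```

Local notifications shown in the conversation window are outside this check, matching the distinction drawn in the thread.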