[prev in list] [next in list] [prev in thread] [next in thread]
List: otr-dev
Subject: Re: [OTR-dev] Is "Version rollback" attack fixed in 4.0?
From: Ian Goldberg <ian () cypherpunks ! ca>
Date: 2012-05-08 21:53:47
Message-ID: 20120508215347.GD2075 () yoink ! cs ! uwaterloo ! ca
[Download RAW message or body]
On Mon, May 07, 2012 at 04:44:26PM +0000, Ague Mill wrote:
> Hi!
> =
> I am glad to see OTR development (visibly) moving foward again! :)
> =
> From a quick look at commit logs in libotr repository, I have not
> been able to figure out if the future version 4.0 is still vulnerable to
> the "Version rollback" attack that was described in the paper
> "Finite-State Security Analysis of OTR Version 2"=A0[1] by Joseph Bonneau
> and Andrew Morrison.
> =
> [1]=A0http://www.jbonneau.com/OTR_analysis.pdf
> =
> Has this been fixed already? And if it has not, would it be hard to
> prevent two clients to switch back to an earlier version of the
> protocol?
> =
> Thanks,
> -- =
> Ague
I actually wouldn't mind just removing support for v1 entirely. I don't
know of any v1-only clients out there. Does anyone else?
Then it would just be a matter of removing OTRL_POLICY_ALLOW_V1 from the
OTRL_POLICY_OPPORTUNISTIC, OTRL_POLICY_MANUAL, and OTRL_POLICY_ALWAYS
macros in proto.h.
- Ian
_______________________________________________
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic