Pidgin is a terrible client. It has quite a few issues. Their SSL handling is terrible and possible to MITM. I audited the Windows build last August and, in 2012, found vulnerabilities that had been known since 2006; only recently, in February, did the Pidgin team release a security update.
Avoid using Pidgin at all costs. Over at https://useotrproject.org/ we are busy extending Adam Langley's xmpp-client in Go, creating a security, privacy and anonymity client by default. We hope to have a beta before OHM2013.

On 7 Jun. 2013 19:19, "Nadim Kobeissi" <na...@nadim.cc> wrote the following:

>
> On 2013-06-07, at 1:09 PM, Anthony Papillion <anth...@cajuntechie.org> wrote:
>
> > On 06/06/2013 07:00 PM, Nadim Kobeissi wrote:
> >> Speaking as the lead developer for Cryptocat:
> >> OTR.js actually has had some vetting. We're keeping it experimental simply due to the experimental nature of web cryptography as a whole. It's a handy library that has had a lot of consideration put into it, but it really depends on your use case and threat model. If you want to use it to keep conversations private in moderate situations, go ahead. If you want to use it to keep conversations private against an authoritarian regime/sprawling surveillance mechanism, think twice. Overall I find it really hard to tell whether it's safe enough without knowing your threat model. For example, if your threat model includes a likelihood of someone backdooring your hardware, pretty much nothing can help you.
> >>
> >> If you're considering building your own app and using OTR.js as a library, I beseech you to be careful regarding code delivery mechanisms and XSS considerations. Specifically, please use signed browser plugins as a code delivery mechanism and make sure the rest of your app, including outside of OTR.js, is audited against XSS, code injection, and so on. Those kinds of threats tend to be far more common than library bugs.
> >>
> >> NK
> >
> > Thank you for the excellent feedback on OTR.js. It really clears some stuff up and makes me much more confident in the library.
> >
> > I'm considering using OTR.js as a basis for an OTR plugin for Thunderbird chat. I suppose, in theory, people *could* decide to use it in life and death situations under sprawling surveillance regimes; I'd try to make it clear how unwise this is and provide alternatives. For example, I'd point them to Pidgin with its OTR instead.
>
> I would never suggest Pidgin — Pidgin has never received an audit and is full of vulnerabilities that the development team is reluctant to fix. Cryptocat has actually received far more audits than Pidgin, although I'm not sure how to compare the two since the platforms are totally different.
>
> NK
>
> >
> > Thanks again!
> >
> > Anthony
> >
> >
> > --
> > Anthony Papillion
> > Phone: 1.918.533.9699
> > SIP: sip:cajuntec...@iptel.org
> > iNum: +883510008360912
> > XMPP: cypherpun...@jit.si
> >
> > www.cajuntechie.org
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech