Nadim's reply is much better just linking to the otr.js author's own warning.

I'd like to reiterate the importance of code delivery. I've seen a couple dozen attempts to do crypto via server-hosted Javascript. All of these reduced to trusting whomever is serving the code. These issues have been covered many times, most prominently by Matasano Security:
http://www.matasano.com/articles/javascript-cryptography/

Anthony, it sounds like you're aware of the issues and planning to develop code that will be installed and executed on the client, i.e. a plugin for Thunderbird chat.

On Thu, Jun 6, 2013 at 5:00 PM, Nadim Kobeissi <na...@nadim.cc> wrote:
> Speaking as the lead developer for Cryptocat:
> OTR.js actually has had some vetting. We're keeping it experimental simply
> due to the experimental nature of web cryptography as a whole. It's a handy
> library that has had a lot of consideration put into it, but it really
> depends on your use case and threat model. If you want to use it to keep
> conversations private in moderate situations, go ahead. If you want to use it
> to keep conversations private against an authoritarian regime/sprawling
> surveillance mechanism, think twice. Overall I find it really hard to tell
> whether it's safe enough without knowing your threat model. For example, if
> your threat model includes a likelihood of someone backdooring your hardware,
> pretty much nothing can help you.
>
> If you're considering building your own app and using OTR.js as a library, I
> beseech you to be careful regarding code delivery mechanisms and XSS
> considerations. Specifically, please use signed browser plugins as a code
> delivery mechanism and make sure the rest of your app, including outside of
> OTR.js, is audited against XSS, code injection, and so on. Those kinds of
> threats tend to be far more common than library bugs.
>
> NK
>
>
> On 2013-06-06, at 7:49 PM, Steve Weis <stevew...@gmail.com> wrote:
>
>> The status is:
>> "[otr.js] hasn't been properly vetted by security researchers. Do not use in
>> life and death situations!"
>> https://github.com/arlolra/otr#warning
>>
>> On Thu, Jun 6, 2013 at 3:14 PM, Anthony Papillion <anth...@cajuntechie.org>
>> wrote:
>> > I'm thinking about working on a web app that would use otr.js to
>> > enable OTR chat via the way (probably similar to Cryptocat). Does
>> > anyone know what the security status of otr.js is? Has it been vetted?
>> > If not, what is the recommended (vetted) Javascript way of doing OTR?
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by
>> emailing moderator at compa...@stanford.edu or changing your settings at
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech