On Wed, Mar 13, 2013 at 4:35 AM, Daniel "koolfy" Faucon <[email protected]> wrote:

> It has come to my attention that logs can actually be very harmful for
> both parties involved, even if only one of those does log, and that
> even encrypted logs are not safe in countries where you can be coerced
> into decrypting your volumes (either physically or judicially).

Yep. Logging has risks. However,

> - Logging should be deactivated for the entire duration of the OTR
> session by *DEFAULT*, and the only way to re-activate it should be on
> a per-conversation basis, manually.

In the hierarchy of risks out there, the number-one, forty-foot-tall, honking-gorilla risk for users is that they DO NOT USE ENCRYPTION AT ALL.

This means that their conversations can be _automatically_ _passively_ _undetectably_ collected and stored forever by _anyone_ with access to the communication channel, with very little cost. It means that their more security-savvy friends who would choose to use encryption _cannot_, because their friends don't use it. It means that because encryption is less commonly used it frequently fails to work right, which means an active attacker can trivially, and without leaving evidence, force not-ultra-paranoid encryption users to turn off their encryption just by jamming the crypto.

People greatly discount security risks; the harms are distant and non-specific. The attackers are invisible. 99% of the time even high-profile targets are not being attacked.

All of this has the consequence that when you make authentication or anti-logging more invasive, you produce a small benefit for the tiny number of users who meet _all_ of these criteria:

* will always use OTR, even if it gets in their way
* won't get auth or logging right without the change
* are exposed to the kind of risks the change addresses (active attackers / log capture)
* those risks don't moot the protection (log grabber also installs key logger, active attacker intercepts webpages and gives them trojans)

With the risk of discouraging the use of security technology for _everyone_ (including those people). I think almost any reasonable estimate of the relative population and risk sizes results in a conclusion that just about any discouragement is not acceptable.

So instead I advocate that increased security take the form of additional alerts and modes that savvier/higher-risk users can opt into, without making basic cryptographic protection less attractive.

For example, don't require disabling logging for OTR; instead add a no-logging mode where both parties, if running compliant software, do not log. (If the remote party is hostile this can't help in any case.) Let either user in a conversation trigger that mode, and if you turn it back off your chat partner finds out about it. Allow per-peer preferences, "require logging off for this party", just like we have for authentication.

But for heaven's sake, please don't add yet another reason for people to not use OTR at all.
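The opt-in no-logging mode sketched in the post above, modelled as an added toy example (not code from libotr or any OTR client): either side can switch the mode on, switching it back off is announced to the peer, and a per-peer "require logging off" preference refuses to chat outside that mode. The message kinds, the Client class and the in-process "network" are all assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed control-message kinds for the toy protocol (not real OTR TLVs).
NOLOG_ON, NOLOG_OFF, TEXT = "NOLOG_ON", "NOLOG_OFF", "TEXT"


@dataclass
class Client:
    name: str
    require_nolog: set = field(default_factory=set)  # peers that may only be chatted with in no-logging mode
    nolog: dict = field(default_factory=dict)        # per-conversation mode; off by default (logging as before)
    log: list = field(default_factory=list)          # what this client would write to its log file
    alerts: list = field(default_factory=list)       # notices shown to the local user
    peers: dict = field(default_factory=dict)        # name -> Client, standing in for the network

    def _allowed(self, peer):
        """Local policy: a 'require logging off' peer may only be chatted with in no-logging mode."""
        return peer not in self.require_nolog or self.nolog.get(peer, False)

    def send(self, peer, kind, body=""):
        """Deliver a message to the peer; both ends apply their own logging policy. Returns False if refused."""
        if kind == TEXT and not self._allowed(peer):
            self.alerts.append(f"not sending to {peer}: no-logging mode required")
            return False
        self._apply(peer, kind, body, outgoing=True)
        self.peers[peer]._apply(self.name, kind, body, outgoing=False)
        return True

    def set_nolog(self, peer, enabled):
        """Either party may toggle the mode; turning it off is announced to the peer."""
        self.send(peer, NOLOG_ON if enabled else NOLOG_OFF)

    def _apply(self, peer, kind, body, outgoing):
        if kind == NOLOG_ON:
            self.nolog[peer] = True                   # compliant client stops logging this conversation
        elif kind == NOLOG_OFF:
            self.nolog[peer] = False
            if not outgoing:                          # the partner finds out when you turn it back off
                self.alerts.append(f"{peer} turned logging back on")
        elif not self._allowed(peer):
            self.alerts.append(f"dropping message from {peer}: no-logging mode required")
        elif not self.nolog.get(peer, False):
            self.log.append(f"{'->' if outgoing else '<-'} {peer}: {body}")


def scenario():
    """Constructed walk-through: bob requires no-logging with alice; alice's client has no such preference."""
    alice, bob = Client("alice"), Client("bob", require_nolog={"alice"})
    alice.peers["bob"], bob.peers["alice"] = bob, alice
    alice.send("bob", TEXT, "hi")        # mode off: alice logs it, bob's policy drops it
    bob.set_nolog("alice", True)         # bob switches the mode on for both compliant clients
    alice.send("bob", TEXT, "secret")    # neither side logs
    alice.set_nolog("bob", False)        # alice turns it back off: bob is told
    alice.send("bob", TEXT, "later")     # alice logs again, bob refuses again
    return alice, bob
```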
