[cryptography] msft skype IM snooping stats & PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

Ian Goldberg iang at cs.uwaterloo.ca
Sun Mar 24 09:28:57 EDT 2013


On Sun, Mar 24, 2013 at 02:03:43PM +0300, ianG wrote:
> Now, from the combined comments of other posters I draw that the key
> factor in OTR's success was that it uses some form of ADH and
> doesn't use persistent public keys at all.  This then allowed an
> immediate startup into secure mode, and consequently a clean and
> usable UI.

That's not the case; OTR does have long-term keys.  If an OTR user
doesn't know about the long-term keys (or indeed may not even realize
he's using OTR at all!), you still get security against passive attacks.
A user who wants to actively authenticate his buddy, however, can do so
either by manually exchanging fingerprints or by engaging in an in-line
shared-secret or question/answer protocol that uses a zero-knowledge
protocol called the Socialist Millionaire's Protocol to determine if
both sides know the same secret (and have the same idea of each other's
session and public keys) without leaking any information, even to an
active adversary, except whether the secrets are the same or not.
Note that the authentication step is once per buddy, not once per
conversation.

> I can see this working directly peer to peer, because (as I claim)
> the threat is always on the node.  But if the IM world typically
> mediates its messages, or its startup keyex, via servers, this means
> there is one easy place with which to conduct any MITMs -- the
> servers.

Absolutely.  Indeed, many years ago, someone wrote a plugin for ejabberd
(I think it was) that automatically MITM'd OTR traffic.  This just
underscores the importance of doing the authentication step.

But the point is that if you're comparing
OTR-without-knowing-that-OTR-even-exists to no-protection-at-all, the
former is intended to be strictly better.  The MITM would have gotten
your plaintext in the latter case, as well.  On the other hand, if you
*do* know OTR exists, and do run the authentication step, you're
protected against even the MITM.

   - Ian
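As an added illustration of the Socialist Millionaire's Protocol step Ian describes (not code from his message, from OTR, or from libotr), here is a simplified SMP run in Python: it omits the zero-knowledge proofs that the real OTR protocol attaches to every message (those are what stop an active cheater from tilting the comparison) and uses a toy 64-bit safe prime instead of OTR's 1536-bit group. Both sides learn only whether the two hashed secrets are equal, never the secrets themselves.

```python
import hashlib
import secrets

# Toy group (assumption, not OTR's parameters): a 64-bit safe prime p = 2q + 1
# found deterministically at import time; real OTR uses the 1536-bit MODP group.
def is_prime(n: int) -> bool:
    # Deterministic Miller-Rabin; exact for n < 3.3e24 with these bases.
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if a % n == 0 or x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

q = (1 << 63) + 1
while not (is_prime(q) and is_prime(2 * q + 1)):
    q += 2
p, g = 2 * q + 1, 4  # g = 4 is a square mod p, so it generates the order-q subgroup

def secret_to_exp(secret: bytes) -> int:
    # OTR hashes the shared secret (or the answer to the question) into an exponent.
    return int.from_bytes(hashlib.sha256(secret).digest(), "big") % q

def smp_equal(alice_secret: bytes, bob_secret: bytes) -> bool:
    # Simplified SMP with no zero-knowledge proofs: True iff both secrets match.
    x, y = secret_to_exp(alice_secret), secret_to_exp(bob_secret)
    rnd = lambda: secrets.randbelow(q - 1) + 1
    a2, a3, b2, b3 = rnd(), rnd(), rnd(), rnd()
    # Rounds 1-2: after exchanging g^a2, g^a3, g^b2, g^b3 both sides derive g2, g3.
    g2, g3 = pow(g, a2 * b2, p), pow(g, a3 * b3, p)
    r, s = rnd(), rnd()
    Pb, Qb = pow(g3, r, p), pow(g, r, p) * pow(g2, y, p) % p  # Bob sends
    Pa, Qa = pow(g3, s, p), pow(g, s, p) * pow(g2, x, p) % p  # Alice sends
    q_ratio, p_ratio = Qa * pow(Qb, -1, p) % p, Pa * pow(Pb, -1, p) % p
    Ra, Rb = pow(q_ratio, a3, p), pow(q_ratio, b3, p)  # Alice sends Ra, Bob sends Rb
    # (Qa/Qb)^(a3*b3) = g3^(s-r) * g2^(a3*b3*(x-y)), which equals Pa/Pb iff x == y.
    return pow(Ra, b3, p) == p_ratio and pow(Rb, a3, p) == p_ratio
```

Requires Python 3.8+ for the modular inverse form `pow(x, -1, p)`.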