Re: [Tails-dev] Bug#725779: libotr: OTR clients supporting b…

Author: intrigeri
Date:  
To: Thibaut VARENE
CC: security, tails-dev, 725779
Subject: Re: [Tails-dev] Bug#725779: libotr: OTR clients supporting both OTRv1 and v2 are subject to protocol downgrade attacks
Hi Thibaut,

intrigeri@??? wrote (08 Oct 2013 09:27:56 GMT) :
> as you are surely aware, it's been known [1] since 2006 that
> clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject
> to protocol downgrade attacks. It's also been known for
> a while that OTRv1 has serious security issues (that were the main
> reason for a v2, actually). In short, supporting v2 only is the only safe
> way to go these days.

> [1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945

> It took a while to obsolete older v1-only software, and another while
> to complete the libotr 4.x transition and get to a sane state in
> Debian testing. Now, I think the time has come when we can reasonably
> expect v2-only to work for everyone.

> I think that the only reasonable course of action from now on is to
> patch libotr in stable and oldstable to only support OTR v1.

(s/v1/v2/ in the last sentence, obviously.)

Ping? If you have no time to take care of that, fair enough, but then
I would really appreciate reading your general opinion on the matter,
even if it's a simple "please go ahead and NMU". Thanks in advance!

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
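As an added illustration, not part of this thread or of libotr: a minimal parser for the OTR query tag (the "?OTR?v2?"-style string an initiator sends to advertise supported versions, per the public OTR spec) and the version-selection step, showing why a client whose policy allows both v1 and v2 can be talked down to v1 when the "v2" part of the tag does not reach it, while a v2-only policy simply refuses. The policy sets and function names are assumptions of this example.

```python
from __future__ import annotations
import re

# Query-tag grammar from the OTR spec:
#   "?OTR?"      v1 only        "?OTRv2?"   v2 only
#   "?OTR?v2?"   v1 and v2      "?OTRv?"    no usable version
OTR_QUERY_RE = re.compile(r"^\?OTR(?P<v1>\?)?(?:v(?P<vers>[0-9]*)\?)?")

# Assumed local policies: what the receiving client is willing to speak.
BOTH_V1_AND_V2 = {1, 2}   # the libotr 3.x situation the message warns about
V2_ONLY = {2}             # the fix the message argues for


def advertised_versions(msg: str) -> set[int]:
    """Return the set of OTR protocol versions advertised by a query tag."""
    m = OTR_QUERY_RE.match(msg)
    if not m or (m.group("v1") is None and m.group("vers") is None):
        return set()          # not an OTR query at all
    versions: set[int] = set()
    if m.group("v1"):
        versions.add(1)       # the bare "?OTR?" form means v1
    if m.group("vers") is not None:
        versions.update(int(c) for c in m.group("vers"))
    return versions


def negotiate(msg: str, local_policy: set[int]) -> int | None:
    """Pick the highest version both sides accept, or None to refuse."""
    common = advertised_versions(msg) & local_policy
    return max(common) if common else None


if __name__ == "__main__":
    honest = "?OTR?v2?"   # peer advertises v1 and v2
    stripped = "?OTR?"    # the same query with the v2 advertisement removed
    for tag in (honest, stripped):
        print(f"{tag!r}: both-policy -> v{negotiate(tag, BOTH_V1_AND_V2)}, "
              f"v2-only policy -> {negotiate(tag, V2_ONLY)}")
```

With the both-versions policy the stripped tag quietly yields a v1 session; with the v2-only policy it yields None, i.e. no session rather than an insecure one.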