[Cryptography] Rubber-hose resistance?

Jon Callas jon at callas.org
Mon Dec 18 02:49:17 EST 2017 


> On Dec 12, 2017, at 12:16 PM, Walter van Holst <walter.van.holst at xs4all.nl> wrote:
> 
> On 2017-12-12 20:42, Matt Maxson wrote:
>>> OTR, you hateful, user-unfriendly pile of  bovine excrement.
>> is there something wrong with otr? or is it just the implementations
>> you don't like? I'm looking to learn more here...not challenge your
>> statement.
> 
> I have yet to see an implementation that doesn't force the user to force a renegotiation of keys when someone that is part of the conversation has had his/her device suspended. Which happens all the time with laptops and mobile devices.
> 
> It also does not allow for a pretty common use case in which at least one side of the conversation switches devices frequently while continuing the conversation.
> 
> Less of a design issue, probably more of an implementation issue is that when both sides enforce OTR but the negotiation somehow fails, there's no way to fix this without both sides dropping OTR.
> 
> Couple the above issues with the use of UX-wise problematic protocls like XMPP and you end up in a situation in which people just drop OTR to make the conversation happen in the first place.

What's the problem with OTR?

I once had a long talk with Ian Goldberg about deniability (which is the topic here) and he said that all he really meant by deniability in OTR was that it wouldn't have *more* linkage than a plaintext log would have. That's fair enough, but the issue as I see it is that people ascribe magical properties to it, as if people wouldn't get a plaintext log and just presume that it's true.

> 
> OTR appears to be designed by people who were thinking in continuous network sessions, not even devices talking to each other, let alone *human beings* having a *human conversation*. Every explanation I have heard so far centered around "plausible deniability". Which is useless. So we have a protocol that's useless from a UX perspective, all for the sake of having "plausible deniability", ergo, being useless.

Well, protocols do not have UX. Implementations have UX. I've seen lots of uses of OTR that had a great UX, which was essentially none.

Now, it *is* designed for continuous network connections, which is why it has issues with mobile devices, but that's not so much a protocol problem as an implementation problem. There's plenty of downstream UX issues, but they're not at all related to the topic of this thread.

	Jon

More information about the cryptography mailing list