Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Off-the-Record (OTR) Messaging [$1,000] #36

Closed
wanderer opened this issue May 29, 2015 · 84 comments
Closed

Off-the-Record (OTR) Messaging [$1,000] #36

wanderer opened this issue May 29, 2015 · 84 comments
Assignees
Labels
Milestone

Comments

@wanderer
Copy link

There is a $1,000 open bounty on this issue. Add to the bounty at Bountysource.

@charlieman
Copy link

You mean beyond https?

@wanderer
Copy link
Author

it would be nice if it has some OTR for direct messaging

@sampaiodiego
Copy link
Member

the idea of OTR implies in not saving the message on db?

@engelgabriel
Copy link
Member

Off-the-Record (OTR) Messaging

Allows you to have private conversations over instant messaging by providing:

Encryption

No one else can read your instant messages.

Authentication

You are assured the correspondent is who you think it is.

Deniability

The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

Perfect forward secrecy

If you lose control of your private keys, no previous conversation is compromised.

@engelgabriel engelgabriel changed the title Does it Encrypt Messages? Off-the-Record (OTR) Messaging May 30, 2015
@kumavis
Copy link

kumavis commented Jun 1, 2015

I don't know if this implementation has been audited or not but https://github.com/arlolra/otr

@Calinou
Copy link
Contributor

Calinou commented Jun 2, 2015

Warning

This library hasn't been properly vetted by security researchers. Do not use in life and death situations!

@kumavis
Copy link

kumavis commented Jun 2, 2015

And further reading on the state of otr arlolra/otr#59

@comigor
Copy link

comigor commented Jun 3, 2015

I think otr is the best option we have, audited or not, cryptocat uses it.

As said on arlolra/otr#59, pointed by @kumavis, just few other implementations are available, and otr4-em and node-otr4 aren't well compatible with Meteor, because we can't use client-side node packages.

@comigor
Copy link

comigor commented Jun 3, 2015

It's indeed very easy to implement OTR using arlolra/otr.
Just made a simple PoC Igor1201/otr.

@engelgabriel
Copy link
Member

Looks like this feature has more people interested than I expected. I'll raise its priority. 👍

@engelgabriel engelgabriel added this to the v1.0 milestone Jun 3, 2015
@engelgabriel
Copy link
Member

Can any of you guys do a Pull Request or create a fork with a proposed implementation?

@engelgabriel
Copy link
Member

Hi @Igor1201 can we work together to get your PoC to work on Rocket.Chat?

@engelgabriel
Copy link
Member

See #268

@rodrigok rodrigok modified the milestones: v1.0, Next Aug 15, 2015
@marceloschmidt marceloschmidt modified the milestones: Roadmap, Next Sep 21, 2015
@taoeffect
Copy link

Problem with OTR is that it only works while both users are online.

I recommend using Axolotl instead, developed by Open WhisperSystems of TextSecure/Signal fame. It's like OTR but it supports secure asynchronous messaging, which is important because it's rare that everyone is online all the time. :)

There are lots of Axolotl libraries out there, available for both iOS, Android, and Web.

@kdar
Copy link

kdar commented Oct 30, 2015

I agree with @taoeffect. OTR isn't optimal here.

@taoeffect
Copy link

FYI, this feature, regardless of how you implement it, really only makes sense for DMs (for now). Encrypting group conversations is extremely difficult, and with today's tech it would result in most of the other features of RocketChat having to be removed (like search).

@ccoenen
Copy link

ccoenen commented Sep 7, 2017

@mitar is the paper you mentioned available somewhere? You mentioned it being in review a year ago - and it sounds very interesting!

Also: Thanks for your very detailed descriptions.

@mitar
Copy link
Contributor

mitar commented Sep 7, 2017

Sadly, not. We had issues finding research novelty in that work. It was mostly engineering work, which is not what academic papers should be about, it seems. :-(

@tompinzler
Copy link

+1 for Olm Double Ratchet. It's certainly challenging to implement but would imho provide the most features (one-on-one and group conversations, partial forward secrecy etc.) and best user experience.

@napalm23zero
Copy link

Any news? Anything? Anyone?
I can see OTR option on my self-hosted Rocket.Chat, but not working.

@geekgonecrazy
Copy link
Member

Make sure you are using https

@sampaiodiego sampaiodiego added Feature: Planned Planned Feature and removed Feature: Planned Planned Feature labels Mar 29, 2018
@geekgonecrazy geekgonecrazy added Feature: Planned Planned Feature and removed Feature: Request Requested Feature labels Apr 4, 2018
@geekgonecrazy
Copy link
Member

Our implementation of e2e encryption has a PR open: #10094

Would be great to get some feedback on that PR.

@PanderMusubi
Copy link

You can add this line at the top of the issue description, it will update itself

![badge](https://api.bountysource.com/badge/issue?issue_id=18684038)

and look like

badge

@ghost
Copy link

ghost commented Oct 8, 2018

Bounty still open?

@sscotth
Copy link

sscotth commented Oct 9, 2018

It is still listed on BountySource, but #10094 was released with v0.70.0. So I assume it has not been claimed yet. Either way this issue should be closed.

@mrinaldhar @geekgonecrazy @wanderer @jespow

@ccoenen
Copy link

ccoenen commented Oct 9, 2018

Is that pull request really OTR, though? From the commits alone I can't tell. E2E and OTR are very different things.

@geekgonecrazy
Copy link
Member

geekgonecrazy commented Oct 9, 2018

@RocketChat/core can someone address the concerns here.

Technically OTR has been in for a while. Now we have E2E encryptions with #10094

Does this issue need to stay open for some specific tasks for OTR? Maybe refactoring OTR to go on top of the e2e?

cc: @engelgabriel

@sscotth
Copy link

sscotth commented Oct 9, 2018

#36 (comment)

Off-the-Record (OTR) Messaging

Allows you to have private conversations over instant messaging by providing:

Encryption

No one else can read your instant messages.

Authentication

You are assured the correspondent is who you think it is.

Deniability

The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

Perfect forward secrecy

If you lose control of your private keys, no previous conversation is compromised.

@sscotth
Copy link

sscotth commented Oct 9, 2018

@LemonAndroid I don't think the issuer is responsible for submitting the completion claim.

bhardwajaditya pushed a commit to bhardwajaditya/Rocket.Chat that referenced this issue Sep 30, 2019
@Neustradamus
Copy link

Any news on it?

@gustavorps
Copy link

gustavorps commented Jun 18, 2020

Bountysource decided to update their Terms of Service:

2.13 Bounty Time-Out.
If no Solution is accepted within two years after a Bounty is posted, then the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource. For Bounties posted before June 30, 2018, the Backer may redeploy their Bounty to a new Issue by contacting support@bountysource.com before July 1, 2020. If the Backer does not redeploy their Bounty by the deadline, the Bounty will be withdrawn and the amount posted for the Bounty will be retained by Bountysource.

https://www.bountysource.com/issues/18684038-off-the-record-otr-messaging

@HLFH
Copy link

HLFH commented Jun 18, 2020

@gustavorps Withdrawn. https://twitter.com/Bountysource/status/1273406549252177920
But RocketChat needs to migrate to another bounty platform.

@tassoevan tassoevan added stat: triaged Issue reviewed and properly tagged and removed Triaged labels Oct 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests