

Firefox add-on to add OTR encryption to web-based chats - pesco
http://lists.cypherpunks.ca/pipermail/otr-dev/2011-June/001183.html

======
zitterbewegung
I wish I had more friends that would actually use OTR...

~~~
gnaffle
I think the biggest problem is client support, and that some people prefer
using multiple devices for chat, including web based services (GMail, Facebook
Chat etc).

Even with Jabber where you can have separate resources, it's not possible to
have some clients use OTR and some not (with good reason, I guess), so you
either have to add a separate, non-OTR account, or get used to turning OTR on
and off manually. And I'm still looking for an iPhone Jabber app with OTR
support.

~~~
mike-cardwell
I have a solution to this problem. For all of my IM'ing I use several IRC
clients. I point them all at a single Bitlbee server which gates from IRC to
various IM networks. I use the Bitlbee OTR plugin and assign each network its
own OTR key. So no matter what IRC client I am using, I always have the same
OTR key.

------
mike-cardwell
Related to this. Some of you may remember "Kik" being launched last year.
There were quite a few discussions about it here. Anyway, I set up an OTR
feature request on their GetSatisfaction page a while ago. If you're using Kik
and want OTR support, vote it up:

[http://getsatisfaction.com/kik/topics/otr_for_private_conver...](http://getsatisfaction.com/kik/topics/otr_for_private_conversations)

I also set up one calling for SSL at the same time:

[http://getsatisfaction.com/kik/topics/secure_kik_with_encryp...](http://getsatisfaction.com/kik/topics/secure_kik_with_encryption)

That one's been implemented now though. Kik 5.0 came out a little over a month
ago and had SSL support, but didn't do certificate verification. Kik 5.1 came
out a few days ago and now finally has working certificate verification.

------
aw3c2
I want this for general posts on Facebook!

~~~
mike-cardwell
OTR is only suitable for real time communication. For posting messages on
Facebook (as for email) you would use PGP. This used to be possible using
Firefox with the FireGPG Addon, but the developer stopped working on it and a
release wasn't even made for Firefox 4.

FireGPG was brilliant. It would detect blocks of PGP in the page, and add
"Decrypt/Verify" links to the appropriate place in the page, and would let you
easily encrypt/sign data. I can't believe nobody took over development. I keep
meaning to learn how to write Firefox addons specifically so I can take up
this project, but I haven't found the time.

~~~
eru
But PGP gives the wrong guarantees.

~~~
mike-cardwell
Yes and no. Depending on what "guarantees" you're looking for.

~~~
eru
If the author of the root comment wants something like "OTR for Facebook" they
probably wouldn't like the guarantees that PGP gives.

But Facebook and privacy don't mix anyway.

------
click170
I don't like that OTR allows the person you're talking with to deny that they
said something they said. I'd rather have PGP signed/encrypted chat so I can
prove who said what.

I may be misunderstanding but I think OTR sends the encryption keys with the
chat (to accomplish deniability), and while this means your text isn't
transmitted in plaintext, it may as well be. I'm open to being proven wrong
though.

~~~
gnaffle
You're misunderstanding, OTR isn't equivalent to plain text at all. For a good
introduction to the details, see the CodeCon presentation on the website
(<http://www.cypherpunks.ca/otr/>).

The encryption keys are not sent with the chat, they're generated using DH key
exchange. After a conversation is finished, others may forge messages to make
them look like they came from you, but they cannot read the messages you
originally sent. This gives you plausible deniability, which is what you want
in most use cases (if you don't, then you're right that PGP is a better
option).

The key exchange is susceptible to a man in the middle attack, which can be
prevented by comparing fingerprints using a separate communication channel.
Once compared, all future conversations should be impossible to intercept. If
your private keys are ever found (a TSA official steals your laptop), they'll
be unable to decrypt past conversations. Unless you've left conversation
logging on in your chat client, of course.

I never thought much about using OTR until I logged into GMail and discovered
reams and reams of OTR conversations stored in the chat logs. I never used the
GMail Chat client, and this was a real eye-opener for me. Had I not been using
OTR, Google would have stored a couple of years worth of conversations between
my friends and kept them forever.

By the way, ZFone / ZRTP (<http://zfoneproject.com/>) is a protocol using
similar ideas, but for VoIP calls.
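The toy below is an added illustration of the three points gnaffle makes (session keys come from a DH exchange and never travel on the wire; publishing the MAC key after a session lets anyone forge "your" messages without letting them read the originals; a fingerprint compared over a separate channel catches a substituted key). It is not libotr, not the Firefox add-on linked at the top, and not code from anyone in this thread. Its assumptions are all simplifications: a 127-bit Mersenne prime as the DH group instead of OTR's 1536-bit MODP group, a SHA-256 keystream and HMAC-SHA256 instead of AES-CTR and HMAC-SHA1, and fingerprints over the ephemeral DH value rather than over the long-term DSA key that real OTR signs the exchange with.

```python
"""Toy model of OTR's session mechanics (added example, not libotr).

Toy choices: P = 2**127 - 1 instead of the RFC 3526 1536-bit group,
SHA-256 keystream instead of AES-CTR, HMAC-SHA256 instead of HMAC-SHA1,
fingerprint over the ephemeral DH value instead of a long-term DSA key.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime, far too small for real use
G = 3
KEY_BYTES = 16       # enough to hold any value below P


def dh_keypair():
    """Fresh ephemeral exponent per session; the exponent is never sent."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def session_keys(my_priv, their_pub):
    """enc key from the DH shared secret; MAC key = H(enc key), as in OTR,
    so publishing the MAC key reveals nothing about the enc key."""
    shared = pow(their_pub, my_priv, P).to_bytes(KEY_BYTES, "big")
    enc = hashlib.sha256(b"toy-otr-enc" + shared).digest()
    mac = hashlib.sha256(enc).digest()
    return enc, mac


def keystream(enc_key, counter, n):
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def mac_tag(mac_key, counter, ct):
    return hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()


def seal(enc_key, mac_key, counter, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, counter, len(plaintext))))
    return counter, ct, mac_tag(mac_key, counter, ct)


def tag_valid(mac_key, msg):
    counter, ct, tag = msg
    return hmac.compare_digest(tag, mac_tag(mac_key, counter, ct))


def open_msg(enc_key, mac_key, msg):
    if not tag_valid(mac_key, msg):
        raise ValueError("bad MAC")
    counter, ct, _ = msg
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, counter, len(ct))))


def fingerprint(pub):
    return hashlib.sha1(pub.to_bytes(KEY_BYTES, "big")).hexdigest()


def run_session(plaintext=b"meet at nine"):
    """Honest Alice->Bob session. Returns what Bob read, the 'wire view'
    (everything an eavesdropper or a logging server ever sees, including the
    MAC key OTR publishes once the session ends) and Bob's in-memory session
    keys, which a real client wipes but the demo keeps so the forgery can be
    decrypted below."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_enc, a_mac = session_keys(a_priv, b_pub)
    b_enc, b_mac = session_keys(b_priv, a_pub)
    assert (a_enc, a_mac) == (b_enc, b_mac)        # both sides agree, nothing sent
    wire = [seal(a_enc, a_mac, 1, plaintext)]
    received = open_msg(b_enc, b_mac, wire[0])
    view = {"a_pub": a_pub, "b_pub": b_pub, "messages": wire, "revealed_mac": a_mac}
    return received, view, (b_enc, b_mac)


def forge_from_view(view, known_plaintext, fake_text):
    """With the published MAC key and a guess at the original plaintext, anyone
    can turn a real ciphertext into one that decrypts to text of their choosing
    and re-MAC it: a transcript therefore proves nothing about authorship."""
    assert len(known_plaintext) == len(fake_text)
    counter, ct, _ = view["messages"][0]
    delta = bytes(a ^ b for a, b in zip(known_plaintext, fake_text))
    ct2 = bytes(a ^ b for a, b in zip(ct, delta))    # stream cipher is malleable
    return counter, ct2, mac_tag(view["revealed_mac"], counter, ct2)


def read_from_view(view):
    """What the same forger can decrypt: nothing useful. The enc key is not on
    the wire and the MAC key is a one-way hash of it; using the MAC key as if
    it were the enc key yields garbage."""
    counter, ct, _ = view["messages"][0]
    return bytes(a ^ b for a, b in zip(ct, keystream(view["revealed_mac"], counter, len(ct))))


def mitm_detected():
    """Mallory swaps her own DH value for Bob's. The wire looks fine, but the
    fingerprint Bob reads out over a separate channel does not match."""
    _, b_pub = dh_keypair()
    _, m_pub = dh_keypair()
    return fingerprint(m_pub) != fingerprint(b_pub)
```

The forgery only works because the forger knows (or guesses) the original plaintext; that is exactly why a recorded OTR transcript plus a published MAC key is worthless as evidence, which is the property click170 objects to and gnaffle defends. The ephemeral exponents in `run_session` are ordinary locals that go away with the function, which is the toy's stand-in for OTR's forward secrecy: a later theft of any long-lived key recovers nothing about this session.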

