weechat-otr icon indicating copy to clipboard operation
weechat-otr copied to clipboard
verified publisher icon mmb

Do not encrypt CTCP TYPING messages

Open raspbeguy opened this issue 9 years ago • 6 comments

Hello, I use OTR in weechat to talk to friends on XMPP, so I use a Bitlbee gateway. I also uses a script that sends CTCP TYPING messages to bitlbee which will translate it to the common "typing" status in XMPP, but also in other protocols. The problem is that even the CTCP TYPING message is encrypted, so bitlbee is unable to translate it and thinks it is a regular message, so my friends receive an weird message each time I type something. Would it be doable to make your script not encrypt CTCP TYPING notifications ? Thanks.

raspbeguy avatar Mar 18 '17 10:03 raspbeguy

If we did not encrypt CTCP TYPING it would leak some information and would be a surprise to users who expect their entire session to be encrypted.

We could potentially add an option to either:

  • not send CTCP TYPING so the other party would not see weird messages
  • convert the CTCP message to plain text so the other party would see "user is typing" as a normal message

There was a thread on otr-dev about this issue:

https://lists.cypherpunks.ca/pipermail/otr-dev/2012-December/001522.html

mmb avatar Mar 20 '17 04:03 mmb

Why wouldn't this option propose not to encypt this CTCP message ? If you see a security leak (which I don't), you can disable it by default, and put a warning in documentation/option description/whatever. Because blocking all CTCP TYPING message isn't satisfying and converting it in plain text is very ugly. If you don't want to put it in mainstream, at least tell me how to tweak the script for myself, because I need this feature.

raspbeguy avatar Mar 20 '17 07:03 raspbeguy

I haven't tested this but you could try adding this to the message_out_cb function:

After:

        # skip processing messages to public channels
        if parsed['to_channel']:
            return string

Add:

        if re.match('\x01TYPING [01]\x01$', parsed['text']):
            return string

mmb avatar Mar 23 '17 04:03 mmb

I am still not convinced that starting to introduce regexp matching for forced cleartext messages is a good idea.

Or if we do that, we should probably go hunt for all non-message exchanges that XMPP allows, and exempt them one by one, which might be painful given all possible protocol extensions.

@mathieui how is this handled on poezio?

koolfy avatar Mar 23 '17 08:03 koolfy

@mmb thank you for the code snippet. @koolfy the problem is that the CTCP signal is unknown on the XMPP protocol so, because it cannot be interpreted by the bitlbee gateway, it is sent directly to the jabber user, who can decrypt it for sure, but whose client cannot do anything about it because it doesn't know what it is. So if you use a XMPP client on both side, there is no problem.

raspbeguy avatar Mar 23 '17 08:03 raspbeguy

@raspbeguy Did you have a chance to give it a try? Did it work?

mmb avatar Mar 31 '17 05:03 mmb