arlolra / ctypes-otr
js-ctypes wrapper for libotr
License: Mozilla Public License 2.0
Now that #3 is closed.
What about quote and notice?
Or if it can't (via whitespace tags or unresponded query message).
Some applications,
The tooltip text for the padlock icon says "Not private", "Unverified", and "Private".
These should be changed to something that is more verbose, so that the user knows that the current conversation is being talked about:
"Conversation is NOT private"
"Conversation is PRIVATE, but contact $FOO is unverified"
"Conversation is PRIVATE and contact is verified"
I agree that tooltips should not be long but simply saying "not private" or "private" doesn't help. Since we display the change of security in the conversation, what do you think about using the same message for the tooltip or is that short on purpose (which is also understandable)?
Are we differentiating between private and private and verified conversations? Once a user has verified a contact, can we indicate that in the UI without the user having to click the padlock icon to check it?
The message for the status of the conversation which is not over OTR is:
The privacy status of the current conversation is: Not private
Can we reword this? How about something like:
The current conversation is NOT private
Or something related. Just a suggestion; feel free to close the ticket if you think the current one is fine.
Conversation not bound to the window yet? To be investigated.
https://lists.cypherpunks.ca/pipermail/otr-dev/2013-November/001991.html
We shouldn't be displaying these strings,
https://github.com/arlolra/ctypes-otr/blob/master/chrome/content/otr.js#L710-L715
https://github.com/arlolra/ctypes-otr/blob/master/chrome/locale/en/otr.properties#L13-L14
But this attack might be possible without needing the user to paste the string. The default policy includes OTRL_POLICY_ERROR_START_AKE which seems like it'll get you the opportunity to MITM automatically. Should probably disable that as well, once the usability issues are assessed.
After starting a conversation over OTR, the sequence of messages is:
The last message is a bit unclear. Can we make it better by saying something like "The conversation is private but the contact is unverified." Something along these lines that tells the user that their conversation is private but the identity of the person they are chatting with has not been verified.
"Private (but unverified) conversation started..."
"Private conversation started with unverified contact."
You get the idea.
When starting a conversation with a contact who is not using OTR, the message is:
2:41:23 pm - The current conversation is not private.
2:41:26 pm - You attempted to send an unencrypted message to sukhe. Unencrypted messages to this recipient are not allowed. Attempting to start a private conversation. Your message will be retransmitted when the private conversation starts.
I think we can word this better. Specifically, saying "Unencrypted messages to this recipient are not allowed" makes it seem like this specific contact is the issue and not the fact that unencrypted conversations are not allowed as a policy.
A possible suggestion:
You attempted to send an unencrypted message to sukhe. This contact does not support encrypted communication and Tor Messenger does not allow unencrypted messages to be sent.
And then, in a separate message which follows (on a new line):
Attempting to start a private conversation. Your message will be retransmitted when the private conversation starts.
Something along these lines...
A trailing newline consistently produces some OTR scramble on the sending side. An artifact of buffering most likely. Reproduced with shift+enter.
10:28:23 AM - flo-retina: arlolra: so the general idea is that accounts are not tied to identities.
10:28:43 AM - flo-retina: there's an imIUserStatusInfo http://mxr.mozilla.org/comm-central/source/chat/components/public/imIUserStatusInfo.idl#13 instance for each identity
10:29:18 AM - flo-retina: each account is attached to an identity: http://mxr.mozilla.org/comm-central/source/chat/components/public/imIAccount.idl#317
10:29:29 AM - flo-retina: and there's a global identity used as a fallback
10:30:17 AM - flo-retina: the global one is at http://mxr.mozilla.org/comm-central/source/chat/components/public/imICoreService.idl#28
10:31:32 AM - flo-retina: I think having the same fingerprint for several accounts could potentially enable interesting things, like starting an encrypted conversation on one IM network and continuing on another one
After a contact has been authenticated using the fingerprint verification, we display this text:
The current conversation is private.
Which may be slightly confusing for the end user because s/he may think that all this while, the conversation was not private. Can we reword this, perhaps like:
You have verified arlolra's identity.
This sounds weak but you get the idea. I'd be happy to discuss this further.
Pidgin says, "Attempting to start a private conversation with contact..."
Sorry if you don't want discussions/questions placed here; some projects are fine with it, others hate the idea. I have no idea where yours falls.
But I hope this does get merged back into the Instantbird master branch when it's finished. I'd love to ditch Pidgin; it's just the lack of an OTR plugin that prevents me.
This can be done by manually copying otr.* files into the profile folder (see https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger/FAQ#WherearemyOTRkeysstoredHowcanIpreservethemacrossupdates), but making it easier would be nice.
Instead of a modal dialogue, let's interrupt the user less by using a notification bar.
Once a new OTR session is established, there is this nice obvious black line
at the top asking you to verify which I think is awesome. However, if auth
fails, this line disappears and it's not very obvious to use the "lock" at
the top to get a button to verify.
I would suggest to keep that annoying black line as long as the contact has
not been verified (even on failure) except if the "X" to close it has been
pressed.
/cc @dgoulet
Meh
I tried to have a conversation w/ someone who doesn't have OTR. I clicked the "Start private conversation", the other user received the text about not supporting OTR...but I kept sending them private stuff until I closed the conversation...and maybe even after that.
For private (and not private) conversations, currently, we display the texts "Private" and "Not private". Ideally, we should put a padlock next to them that denotes the state of the conversation, or replace the text altogether.
This'll be more apparent than a system message. See conversation.xml
The UI for manual fingerprint verification looks like:
Perhaps we can redesign this?
"I have verified that this is in fact the correct fingerprint" [Dropdown]
The dropdown options will be "Yes" and "No". Somehow I feel that this is more natural than saying "I have" and "I have not" and the options being in the front of the text.
(Feel free to ignore this.)
After the contacts have been verified, the dialog box says "Cancel". It should say either "Done" or "OK".
Pidgin-otr does this by default.
Have a binding to use "otrl_message_disconnect()"
In some places, we say authenticate contact, and in other places we say verify contact.
For example, the notification bar says:
User has not been authenticated yet. You should authenticate this contact.
And then there is a button below it that says Verify.
While the message says "Private, but unverified, conversation with user started." (See #17. Suggested message also says "verified").
We should use one of these words -- either authenticate or verify -- consistently, so as to not confuse the user.
Messages are sent out but not displayed. The worst of both worlds.
When opening the preferences window, select the key corresponding to the conversation (account) from which it was called.
The fingerprints in the "Authenticate contact" dialog box should be in text that the user can copy. Currently, they are labels and therefore cannot be copied.
Sometimes seeing "select() error: Interrupted system call" in VMs.
Google points to https://lists.cypherpunks.ca/pipermail/otr-users/2005-June/000310.html
"apt-get install haveged" is a workaround for now.
Set a better default than,
?OTRv23? [email protected] has requested an Off-the Record private conversation. However, you do not have a plugin to support that. See http://otr.cypherpunks.ca/; for more information.
X starts a conversation with Y for the first time and sees the notification bar to authenticate Y. X ignores it, carries on the conversation and closes the window.
X then again starts the conversation with Y. This time though, there is no notification bar that nudges X to verify Y.
Is that intentional and we only show the bar the first time X will talk with Y?
Leaving the text box blank for shared secret/answer works and the authentication is successful. This should probably not be allowed.
Searching around in the add-ons section for this is not obvious.
/cc @dgoulet
Title says it all.
Cleanup isn't so smooth.
Private, but unverified, conversation with $USER started.
I think the distinction is that the conversation is encrypted but the contact is unverified. In this context, I am not sure what a user will think of with an "unverified" conversation. Can we reword this?
Private conversation with unverified $USER started.
Perhaps? Sorry for nitpicking. I know this can't be explained in one line but I discussed this with another user and she was also of the opinion that since we are saying authenticate contact in the notification bar, it's better to say that the user is unverified rather than the conversation.
It should:
Two users, X and Y. With X, I initiate an authentication request using shared secret.
The message in X's window after a successful authentication is:
You have verified X's identity.
The message in Y's window is:
You have verified Y's identity.
But, X has verified the identity of Y, and Y still has not verified X. The messages should be:
(In X):
You have verified Y's identity.
(In Y):
X has verified your identity. You should do the same with her.
(Sorry if this is not clear.)