-
jubalh
hi
-
jubalh
another question about OMEMO :) If I understand the XEP right one should encrypt the key and the GCM tag. Looking at dino's implementation it only seems to encrypt the key not the tag. What's right?
-
Syndace
Interesting catch, I'm curious how dino is even able to talk to the other clients then
-
Syndace
Pretty sure encrypting the tag is the right way and all other clients do so as well
-
flow
jubalh, do you have a link/pointer to the relevant part of dino's implementation?
-
jubalh
Well, I'm not totally sure about it, but I think it's this: https://github.com/dino/dino/blob/6de86c2733a26eb5034087ab25205ba1cba1e279/plugins/omemo/src/trust_manager.vala#L73
-
jubalh
Syndace, flow ^
-
Syndace
jubalh: Are you talking about "add_encryption_tag_to_message"?
-
Syndace
In line 153?
-
flow
which appears to be just the EME extension element (/tag)
-
jubalh
ahh so it does get encrypted?
-
jubalh
too many xeps to read :)
-
jubalh
Syndace, but that's not the gcm tag right?
-
flow
Syndace, no, it is a tag in the sense of XML
-
Syndace
Tag means XML-Tag there, it's just a little confusion
-
flow
err, jubalh ^
-
jubalh
so the gcm tag isn't encrypted if I see it right
-
l
jubalh, flow: This behavior changed in OMEMO. The original version would put the gcm tag to the ciphertext (this way it doesn't qualify for authenticity, but at least as a checksum), later the behavior was changed to encrypt the gcm tag to each device (so we get real authenticity as the per-device encryption is also signed). All clients support decrypting the old version, but for some time, some clients lacked support for decrypting the new version. Dino supports decrypting both, but still encrypts using the old protocol. We should definitely change to the new version and there already is an issue for it https://github.com/dino/dino/issues/514 ;)
-
jubalh
l, awesome thanks for clarifying this!
-
Syndace
l, anywhere I can read up on the details? I have the same problem that my lib works with all clients but Dino.
-
Wiktor
Hello, I've got a question about "OTR has widely been replaced by OMEMO in the XMPP network and is recommended to be used instead." that is on https://wiki.xmpp.org/web/OTR It seems it's not clear what is recommended there and I think some draw the conclusion that it's OTR that is recommended (see: https://github.com/golang/go/issues/30141#issuecomment-467913000 ). I'm not a native speaker but what do you think about improving it so that the intent is clear?
-
dwd
"OTR is no longer the recommended way to wreck your user experience in return for some badly-understood security. Use OMEMO instead"?
-
jonas’
dwd, +1
-
pep.
that
-
Wiktor
dwd, 👍️. sounds unambiguous
-
Wiktor
just to show you the context: quote "in the XMPP world, the OTR protocol is still used as the standard secure messaging protocol" on https://github.com/golang/go/issues/30141#issuecomment-462031961
-
Ge0rG
[Redirect to:OMEMO]
-
MattJ
Wiktor, http://omemo.top/
-
Wiktor
I know I know, but apparently some people don't, I already commented on the GH ticket but the OTR guys took the quote from XMPP wiki as a recommendation *for* OTR
-
Wiktor
that's... I think... sub-optimal
-
jonas’
Wiktor, don’t you have +w on the wiki?
-
Wiktor
oh, wait, I do have it 🤔️ I hope it doesn't look weird if I say "even XMPP wiki recommends" and then write the recommendation myself :)
-
jonas’
hah
-
jonas’
just put dwd's suggestion in it
-
Wiktor
👍️
-
pep.
That golang issue is missing the transport agnostic use-case, which is not inexistent. (even if that's what's mostly criticized of OTR in the XMPP community)
-
Wiktor
yeah, I was just annoyed at taking XMPP as an example of OTR being successfully deployed
-
jonas’
I still use and prefer OTR over OMEMO
-
Zash
I'm sure OTR is still in use in some circles
-
Wiktor
I don't mind their work, it would be completely stupid if I dictated how they should spend their time :)
-
Zash
Like those servers that mandate OTR
-
Wiktor
jonas’, why? genuinely curious
-
MattJ
Me too
-
jonas’
Wiktor, mine and my wife’s primary 1:1 client doesn’t support OMEMO in any usable way (i.e. without compiling some modules which aren’t even working)
-
jonas’
while OTR was painless to install and to use -- except with Conversations, but *that* issue has resolved itself nicely.
-
Wiktor
jonas’, what's that client that your wife is using?
-
jonas’
pidgin
-
Wiktor
got it
-
jonas’
in the past because multi-protocol, and now because "used to it"
-
jonas’
and why change a running system
-
jonas’
in a single-client setup, it’s very much "good enough"
-
jonas’
especially when you’re still from the age of ICQ, so you know that a sudden reconnect causes lost messages and you need to negotiate that in-band
-
Wiktor
no probs with that, I understand legacy solutions, heck, I'm still using some ;)
-
jonas’
I personally still use pidgin to keep the pain levels high enough to motivate me to work on my own client side stuff
-
Wiktor
haha, good idea 👍️