Kopete OTR leaks unencrypted messages

Bug #787990 reported by tdn
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
KDE Network
New
Medium
kdenetwork (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Binary package hint: kopete

I use Kopete with the OTR (Off the Record) plugin enabled.
OTR is a cryptographic protocol that provides strong encryption for instant messaging conversations. The primary motivation behind the protocol was providing deniability for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing.

I have set OTR policy to Always and so has the other part I am communicating with. We both use Kubuntu 11.04 (but this was a problem in earlier versions as well).

Even though we have set OTR to be used always, OTR leaks clear text messages. This is extremely troublesome, since the purpose of the software is to keep messages confidential.

This happens often with the first message sent/received in a conversation, but also (seemingly) randomly during conversations.

Steps to reproduce:
1: On computer A, start Kopete with OTR enabled on a Jabber account. Set OTR policy to Always.
2: On computer B, start Kopete with OTR enabled on a Jabber account. Set OTR policy to Always.
3: From A, start a conversation with person on B.
4: Notice warnings on the receiving chat window like this:
(10:38:26) #
The following message received from <email address hidden> was not encrypted: [HELLO]

5: On the sending chat window:
(10:45:16) #
OTR Error: You sent encrypted data to <email address hidden>, who wasn't expecting it.

(10:45:17) #
OTR connection refreshed successfully.

(10:45:17) #
The last message to <email address hidden> was resent.

This only happens sometimes. I am not sure what exactly triggers this, but it is a big problem.

One case that does seem to trigger it is if A starts chat with B, then B closes Kopete while A keeps chat window open. B then starts kopete and writes to A. This will often result in B's message being sent unencrypted.

Revision history for this message
In , Thomasdn (thomasdn) wrote :

Version: SVN (using Devel)
OS: Linux

I use Kopete with the OTR (Off the Record) plugin enabled.
 OTR is a cryptographic protocol that provides strong encryption for instant messaging conversations. The primary motivation behind the protocol was providing deniability for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing.

I have set OTR policy to Always and so has the other part I am communicating with. We both use Kubuntu 11.04 (but this was a problem in earlier versions as well).

Even though we have set OTR to be used always, OTR leaks clear text messages. This is extremely troublesome, since the purpose of the software is to keep messages confidential.

This happens often with the first message sent/received in a conversation, but also (seemingly) randomly during conversations.

Steps to reproduce:
 1: On computer A, start Kopete with OTR enabled on a Jabber account. Set OTR policy to Always.
 2: On computer B, start Kopete with OTR enabled on a Jabber account. Set OTR policy to Always.
 3: From A, start a conversation with person on B.
 4: Notice warnings on the receiving chat window like this:
 (10:38:26) #
 The following message received from <email address hidden> was not encrypted: [HELLO]

5: On the sending chat window:
 (10:45:16) #
 OTR Error: You sent encrypted data to <email address hidden>, who wasn't expecting it.

(10:45:17) #
 OTR connection refreshed successfully.

(10:45:17) #
 The last message to <email address hidden> was resent.

This only happens sometimes. I am not sure what exactly triggers this, but it is a big problem.

One case that does seem to trigger it is if A starts chat with B, then B closes Kopete while A keeps chat window open. B then starts kopete and writes to A. This will often result in B's message being sent unencrypted.

Reproducible: Didn't try

affects: kopete (Ubuntu) → kdenetwork (Ubuntu)
visibility: private → public
Changed in kdenetwork (Ubuntu):
status: New → Confirmed
Changed in kdenetwork:
importance: Unknown → Medium
status: Unknown → New
Revision history for this message
Christian Iversen (chrivers) wrote :

I have seen this problem as well, and it is really quite worrisome, as this is _exactly_ what OTR is design to prevent. It happens even when my encryption policy is "always", in which case OTR should never, ever send an unencrypted transmission.

Revision history for this message
In , Christian Iversen (chrivers) wrote :

Yes, I'm seeing this as well!

It is really quite worrisome, as this is _exactly_ what OTR is design to prevent. It happens even when my encryption policy is "always", in which case OTR should never, ever send an unencrypted transmission.

Revision history for this message
In , Francois-gerin (francois-gerin) wrote :

Confirmed on my side too... Much later on, with kopete 1.6.60 / debian jessie.

Due to the craziness of this security issue, and since it seems very old while not even beging flagged as confirmed, I must remove kopete from my applications, sorry.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.