Slashdot Mirror


Critical Bug In Libotr Opens Users of ChatSecure, Adium, Pidgin To Compromise (helpnetsecurity.com)

An anonymous reader writes with a report at HelpNet Security that a vulnerability in "libotr," the C code implementation of the Off-the-Record (OTR) protocol that is used in many secure instant messengers such as ChatSecure, Pidgin, Adium and Kopete, could be exploited by attackers to crash an app using libotr or execute remote code on the user's machine.


  1. Curious by campuscodi · · Score: 1, Interesting

    Does anyone still use these?

    1. Re:Curious by Anonymous Coward · · Score: 1

      Enlighten me, what should one be using to chat securely these days?

    2. Re:Curious by Wowsers · · Score: 2

      Sneakernet.

      --
      Take Nobody's Word For It.
    3. Re:Curious by Dutch+Gun · · Score: 2

      Enlighten me, what should one be using to chat securely these days?

      I'd probably use Threema, as it has a trust-no-one model in which the most secure level (of the three available) requires personally exchanging keys with the target recipient. The company is also based in Switzerland, which, sadly, makes it a hell of a lot more secure by default than any US-based company, as we're quickly finding out with this pending Apple / FBI case.

      That being said, I *don't* actually need secure chat, so I just use SMS or e-mail, which should be considered about as secure as a postcard.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Curious by shione · · Score: 2

      I like Telegram (https://telegram.org/). It gets a 7 on EFF (https://www.eff.org/node/83766) and has clients on Android/iOS/Windows/Mac/Linux and even on winblows phone that nobody uses.

    5. Re:Curious by thegoldenear · · Score: 2

      Moxie Marlinspike - 'A Crypto Challenge For The Telegram Developers':
      http://thoughtcrime.org/blog/t...

      Pete Boyd

    6. Re:Curious by KGIII · · Score: 1

      qTox.

      https://tox.chat/clients.html

      I do use a Windows phone, by the way. A /.er recommended it so I tried it and I'm pretty happy. I don't use Windows on my computer but I kind of like it on my phone. Contrary to popular opinion - there are apps available. There just aren't a few hundred thousand repeats of the same apps. I do everything that I can possibly want to do on my phone. I'm pretty happy with it and it's really quite snappy even though it's not as powerful as some of the other phones that I've owned.

      At any rate, there are a bunch of clients for Tox. There is not one for Windows phone. It's end-to-end encrypted, it's decentralized, it's basically all the features that one probably wants such as video, groups, conference, text, voice (of course), and all that stuff. It's not bad. I've played with it a few times. It's not resource intensive even though it's encrypted. I dare say it's pretty good, actually. I'm not sure that I really need a chat client or anything but it's installed and I've used it a few times. It's still (seemingly) a worthy project.

      Here are the FAQs:
      https://tox.chat/faq.html

      I am not associated in any way with the project unless one counts donating to the project.

      --
      "So long and thanks for all the fish."
    7. Re:Curious by shione · · Score: 1

      Yea, sorry it's a 6. typo :)

    8. Re:Curious by shione · · Score: 1

      That's interesting. I notice it is from a few years back. I take it the developers of Telegram ignored them about it?