Empathy and OTR - Journal of Omnifarious

Aug. 31st, 2009

02:23 pm - Empathy and OTR

Empathy has been starting to make it into Linux distributions as the default IM client. I think this is a mistake at this juncture, and this bug about Empathy not supporting OTR is one of the larger reasons why.

Another reason why is that Empathy seems to be connected with several different libraries and there is no clear sense as to what functionality lives where. It appears to be something of a spaghetti mess of libraries. I mostly figured this out because of repeated calls to 'code it or shut up' in response to the bug I posted.

One of my responses was good enough that someone else felt the need to cross-post a link to it in the Launchpad bug about lack of OTR support in Empathy.

I will cross-post it here:

(In reply to comment #15)

> You seem strangely interested in security... provided by (by your own words) a broken security layer? Do you really think that providing broken security, and lulling people into false sense of security is better than providing no "security" at all?

OTR's brokenness is due to the fact that it is a hacky kludge on top of existing IM protocols, not because it has any security flaws. It's inelegant and ugly, but it works.

I'm all for an elegant solution. But I don't think it should take a backseat to interoperability. I know that the various IM protocols are also mostly a bunch of ugly kludges as well. But that doesn't stop them from being implemented.

> And to others. I am not a Telepathy developer... but seriously guys, flaming developers while not being ready to get yourselves on the line? If you find it useful and especially if you find it critical, do it yourself. Otherwise, feel free to keep using Pidgin until you get this critical feature, which Thilo considers broken by design.

> I think there's room for other improvements before encryption, because I, and many other home users, find it unnecessary. Encryption is not important for majority of people on this world.

I am worried because Empathy appears to be getting a huge userbase and being used as the default IM client for a number of distributions without having a feature I think is incredibly important and should've been built in at the start, almost especially because most users don't really care about it.

Most people will not care about encryption. Most people also do not care about ACID database semantics. But anybody who made a database lacking the latter feature (i.e. Microsoft Access) would be roundly and justly flamed. Especially if they managed to somehow get that database into general use.

There are a whole host of features that users do not care about but are critical pieces of infrastructure. One of the things that most pleases me about Adium is that the developers understood this, and so many of my friends who have no clue about or desire for encryption end up using it anyway because they use Adium.

> If other clients provide you security, use those. Or use email+GPG for even more security. Filing a request is fine. Posting a comment supporting the request is fine. Attacking people like some of you did is not fine.

Email encryption is nearly a lost cause. But with Adium and a couple of other popular IM clients supporting OTR, widespread IM encryption was beginning to happen. I don't think activists in Iran should have to worry about which IM client their friends are using in order to avoid being snooped on. I don't think their choice of IM client should be able to be used to single them out for special treatment by their government. All new IM clients should just do the right thing out of the box.

Widespread support for good encryption is not something I care about because I am especially paranoid about my own IM conversations. It's because I care about the pernicious effects of all IM conversations being potentially public knowledge.

Someone else goes on later to suggest that Empathy support some horrible idea like TLS over XMPP. Which, in addition to being an awful idea for any number of reasons, also fails to address the issue of support for any protocol aside from XMPP.

In order for encryption to be useful in a communications system, everybody has to be able to use it whether they want it or not. It should be a first-class feature designed in from the very beginning, not tacked on as an afterthought (something that OTR in Pidgin fails at) and certainly not treated as unimportant because only a few really want it.

Current Location: 2237 NW 62nd ST, 98107
Current Mood: annoyed

Comments:

From:rosencrantz319
Date:September 1st, 2009 03:05 pm (UTC)
From:(Anonymous)
Date:October 26th, 2009 08:27 pm (UTC)

Empathy sucks.

And several distros are using it as the default IM client. Empathy's IRC "plugin" sucks so bad I want to cry. apt-get remove empathy && apt-get install pidgin pidgin-otr for full win factor
From:(Anonymous)
Date:March 5th, 2010 01:53 am (UTC)

Encryption important for commercial use

If IM is being used to discuss or transfer info about things that are covered by NDA contracts, or just sensitive business info, or subject to privacy laws, encryption may be considered a "reasonable measure" (as specified by contract) to keep the info private.
I.e. it is negligent not to use it.
From:eode
Date:October 19th, 2010 01:59 pm (UTC)

Thanks

..this is probably the best collection of points and is, I think, the most reasonable stance on those points that I've seen posted. Thanks.
From:(Anonymous)
Date:May 16th, 2012 09:20 am (UTC)

Agree

Why Ubuntu chose empathy I do not know. But I refuse to use it because it lacks OTR support. I thought I was probably an oddball for this viewpoint, but I see *lots* of people are complaining about it.

And I agree that SSL is not the answer. SSL as implemented in many IM clients provides no authentication whatsoever. It also has no plausible deniability. The Empathy devs are acting as if OTR has no purpose and that SSL is the same thing. It's not!

One of these days people will wake up and realize just how important encryption is. Most people just don't understand that every single bit of data that is sent over the Internet is being stored somewhere (whether it is at Google or at NSA).