#835 closed defect (fixed)

an attacker can spoof color codes

Reported by: pesco Owned by: pesco
Priority: major Milestone:
Component: OTR Version: 3.0.3
Keywords: Cc: wilmer
IRC client+version: Client-independent Operating System: Public server
OS version/distro:


even though the encryption/trust state of OTR connections is announced explicitly, an attacker might trick a careless user by including the appropriate color codes in his messages in-band.


a) let the otr plugin strip all color codes from all messages, even and specifically unencrypted ones. NOTE: this option is only viable as long as we don't support yet other ways to color messages, e.g. HTML <font> tags or something.

b) like a) but only do the stripping when otr_color_encrypted is set; possibly change the default setting to false.

c) remove otr message coloring.

subject to the NOTE above, i guess i'd vote for option a), since mIRC color codes are hardly a feature one relies on to be supported on IM connections. i would be content with b) and c) as well, though. wilmer, please advise!

Attachments (0)

Change History (2)

comment:1 Changed at 2012-01-29T22:22:49Z by anonymous

Don't you think it's enough that you'll get a message like "-user(user@…)- conversation is now off the record (trusted)" when you start an otr encrypted conversation? You should never rely on the design of something.

comment:2 Changed at 2015-08-11T06:52:39Z by dx

Resolution: fixed
Status: newclosed

Fixed in

Went with method a, and the laziest possible way of stripping messages, replacing '\x03' with '?' in-place. It's effective enough.

Modify Ticket

as closed The owner will remain pesco.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.