Bug #1546
SECURITY: fingerprints are cached
| Status: | Closed | Start date: | 07/01/2013 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | devrandom | % Done: | 0% |
| Category: | - | | |
| Target version: | v12 - March Mantra | | |
| Component: | OTR | | |
Description
This may allow an attacker to show as verified if they OTR-refresh an in-progress conversation with the real peer.
Fix: always use fingerprint from session.
Associated revisions
Use actual remote fingerprint rather than cached one
fixes #1546
History
#1 Updated by devrandom over 4 years ago
Reviewing this again, it looks like my first analysis was incorrect.
OtrChatManager.sessionStatusChanged always saves the public key, which always recalculates and saves the fingerprint. Therefore the original implementation did not have the security issue in the description.
#2 Updated by n8fr8 over 4 years ago
- Target version changed from v12 - March Mantra to v13 - October Oooya
#3 Updated by devrandom over 4 years ago
- Status changed from In Progress to Resolved
- Target version changed from v13 - October Oooya to v12 - March Mantra
Moving to v12, since I believe this is resolved (wasn't an issue in the first place). Needs testing.
#4 Updated by n8fr8 about 4 years ago
- Status changed from Resolved to Closed
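
The distinction this ticket turns on, shown as an added example that is not the project's code: a verification check answered from a per-peer cached fingerprint versus one derived from the key of the current session. All class, method and variable names are hypothetical, the key bytes are constructed, and the fingerprint is modeled as a hex SHA-1 of those bytes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical model, not the project's classes; keys are constructed byte strings.
public class FingerprintCheckDemo {
    // Fingerprints the user has verified out of band.
    static final Set<String> verified = new HashSet<>();
    // Per-peer cache of the last fingerprint stored for that address.
    static final Map<String, String> cachedByPeer = new HashMap<>();

    // Fingerprint modeled as hex SHA-1 of the key bytes (assumption for this demo).
    static String fingerprint(byte[] publicKey) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(publicKey);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Stale pattern: answers from whatever was cached for the peer address.
    static boolean verifiedFromCache(String peer) {
        return verified.contains(cachedByPeer.get(peer));
    }

    // Pattern from the ticket's fix line: derive the fingerprint from the key
    // that the current session actually carries.
    static boolean verifiedFromSession(byte[] sessionKey) throws Exception {
        return verified.contains(fingerprint(sessionKey));
    }

    public static void main(String[] args) throws Exception {
        byte[] realKey = "constructed-real-peer-key".getBytes(StandardCharsets.UTF_8);
        byte[] otherKey = "constructed-other-key".getBytes(StandardCharsets.UTF_8);
        String peer = "alice@example.org";
        cachedByPeer.put(peer, fingerprint(realKey));
        verified.add(fingerprint(realKey));

        // The session now carries a different remote key; the cache was not refreshed.
        System.out.println("cache says verified:   " + verifiedFromCache(peer));
        System.out.println("session says verified: " + verifiedFromSession(otherKey));

        // Refreshing the cache on every session status change (the behaviour
        // described in update #1) brings the cached answer back in line.
        cachedByPeer.put(peer, fingerprint(otherKey));
        System.out.println("after refresh, cache:  " + verifiedFromCache(peer));
    }
}
```

A regression test for this class of bug can assert that the two checks never disagree after a session status change.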