Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

Robert J. Hansen rjh at
Sat Mar 13 08:30:11 CET 2010

> I'm a little confused as to how does that make it any different from using the Pidgin OTR method.

It's a question of degree, not kind.

> I simply open up an OTR session, ask my friend a question the answer to which is secret (only known to him)

How do you know the secret is known only to him?  Most "secrets" really aren't; a good investigator can discover an awful lot of "secret" information about someone.  Shared-secret authentication is one of the weakest forms out there.  It's better than nothing, but it's not something that ought be relied upon.  People tend to vastly overestimate how secret their secrets are.

As an example, a few years ago I saw in a spy novel (set in the modern day) two protagonists negotiating a phone number over an insecure line.  "Hey, that guy we know who did X?  Take his phone number, subtract this number from it.  The resulting phone number is what you need to call."  

It sounds great and reliable: it's a shared secret.  The problem is it's totally bogus.  Phone numbers aren't random.  In the United States, for instance, phone numbers follow the NPA-NXX format.  That reduces this question down to a glorified Sudoku: a skilled investigator could figure it out in just a few minutes.

More information about the Gnupg-users mailing list