Version: (using KDE 4.1.2)
OS: Linux
Installed from: Ubuntu Packages
After having established an OTR session Kopete keeps using the session keys even after a user goes offline. If one now sends offline messages to this user he or she will not be able to decrypt the message since the previous session key is no longer available. A solution would be to terminate the OTR session automatically when the other party goes offline and hasn't terminated the session. For now the user has to remember to end the session manually through Tools>OTR Settings>End OTR Session. I used the "Opportunistic" setting and this happens between two Kopete clients. Adium seems to terminate the session before going offline so no action is required by Kopete.
I agree, the advice "...has ended the OTR session. You should do the same." seems inane anyway, the program should simply do this for the user, instead of asking him to.
(In reply to comment #1)
> I agree, the advice "...has ended the OTR session. You should do the same."
> seems inane anyway, the program should simply do this for the user, instead of
> asking him to.
No... The program should _never_ terminate an OTR session on its own. This would result in a high security risk. Imagine you were typing something secret during an encrypted session. Just before you hit enter to send, the other side closes the OTR session. If the program automatically ended the session locally, your secret text would be sent out in plaintext over the network. That's not what you want, is it?
(In reply to comment #0)
> A solution would be to terminate the OTR session automatically when the other
> party goes offline and hasn't terminated the session. For now the user has to
> remember to end the session manually through Tools>OTR Settings>End OTR
> Session. I used the "Opportunistic" setting and this happens between two Kopete
> clients. Adium seems to terminate the session before going offline so no action
> is required by Kopete.
As the previous comment says, terminating a session automatically results in a security risk. The only situation when a session can be terminated is when Kopete is closed. Just the way Adium does it. Unfortunately it is not as straightforward as it might sound to determine the still active OTR sessions upon close in Kopete. Anyways, I am aware of this issue and will try to find a solution.
Actually, I never looked at the problem that way and you make a perfectly valid point. But could there be a more straightforward approach than navigating through "Tools", "OTR Settings", "End OTR session" every time some of my buddies go offline? File transfers are now presented with a button right in the chat window and something similar could probably be done with the advice to close the private session.
(In reply to comment #4)
> Actually, I never looked at the problem that way and you make a perfectly valid
> point. But could there be a more straightforward approach than navigating
> through "Tools", "OTR Settings", "End OTR session" every time some of my
> buddies go offline? File transfers are now presented with a button right in the
> chat window and something similar could probably be done with the advice to
> close the private session.
There should be an icon for OTR in the toolbar that makes it easier... Make sure the "Chat Toolbar" is enabled.
I think that:
- if my Kopete automatically terminates the session when a contact X goes offline,
- it is then easy for someone to log in as X again without encryption,
- then quickly send enough messages, which will push the Kopete notice of "ended session" off my screen;
- if I am not well aware of every message that I received in that lapse of time, I could sadly answer the last messages with information I didn't want to make public (particularly in the case of comment #4, where he doesn't use the toolbar icon).
I prefer pursuing sending encrypted messages which will be lost if I don't want to. Another solution would be to open a popup when the contact goes offline and the session terminates. That popup would prevent writing/sending messages until it is closed.
The whole conversation is not really related to the bug reported here. When a user goes offline, Kopete should act as if the user ended the OTR session, even if the other client did not do so. Whether there should be a message advising to end the OTR session (which I am in favor of), or the OTR session is terminated automatically is another issue.
I just upgraded to 4.2.2 and now when I send a message once a user is offline Kopete reports: "Your message was not sent. Either end your private conversation, or restart it." So, works for me now. Mark as fixed?
*** Bug 227020 has been marked as a duplicate of this bug. ***
As Kopete doesn't discard your message any more if the other end terminated the session and automatically refreshes the session if the other end lost the session I'm closing this bug. There is no better solution for this issue without introducing a severe security issue.
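
The behaviour the thread settles on, as an added example that is not Kopete's or libotr's code: a small model of the three OTR message states in which a peer ending the session or going offline moves the conversation to a finished state where outgoing text is refused instead of being sent in plaintext. The class and method names (`OtrConversation`, `peerEnded`, `peerWentOffline`, `userEndsSession`) are hypothetical, and the ciphertext is a stand-in string.

```cpp
#include <string>
#include <vector>
// Hypothetical model (not Kopete or libotr code) of the three OTR message states.
enum class MsgState { Plaintext, Encrypted, Finished };
enum class SendResult { SentPlaintext, SentEncrypted, Refused };

class OtrConversation {
public:
    MsgState state() const { return state_; }
    const std::vector<std::string>& wire() const { return wire_; }
    void startSession() { state_ = MsgState::Encrypted; }

    // Peer sent a "session ended" notice: never fall back to plaintext here,
    // the local user may be about to hit Enter on something secret.
    void peerEnded() { if (state_ == MsgState::Encrypted) state_ = MsgState::Finished; }

    // Peer went offline without ending the session: treat it the same way,
    // because the session keys on the other side are gone.
    void peerWentOffline() { peerEnded(); }

    // Only an explicit local action returns the conversation to plaintext.
    void userEndsSession() { state_ = MsgState::Plaintext; }

    SendResult send(const std::string& text) {
        switch (state_) {
        case MsgState::Encrypted:
            wire_.push_back("[otr-ciphertext]");  // stand-in for real encryption
            return SendResult::SentEncrypted;
        case MsgState::Finished:
            // "Your message was not sent. Either end your private
            // conversation, or restart it."
            return SendResult::Refused;
        case MsgState::Plaintext:
            break;
        }
        wire_.push_back(text);
        return SendResult::SentPlaintext;
    }

private:
    MsgState state_ = MsgState::Plaintext;
    std::vector<std::string> wire_;  // what would leave the machine
};

int main() {
    OtrConversation c;  // constructed scenario: contact goes offline mid-session
    c.startSession();
    c.peerWentOffline();
    return c.send("secret") == SendResult::Refused ? 0 : 1;
}
```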