Closed Bug 1536104 Opened 6 years ago Closed 5 years ago

OTR: Allow the user to disable logging of encrypted conversations.

Categories

(Chat Core :: Security: OTR, enhancement)

Product:
Chat Core
Component:
Security: OTR
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(thunderbird68 fixed, thunderbird69 fixed)

Status:
RESOLVED FIXED
Milestone:
Instantbird 69
Tracking Flags:
Tracking Status
thunderbird68 --- fixed
thunderbird69 --- fixed

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Attachments

(2 files, 4 obsolete files)

Bug 1536104 - OTR: Allow the user to disable logging of encrypted conversations. r=clokep
47 bytes, text/x-phabricator-request
Details | Review
1536104-final.patch
9.11 KB, patch
KaiE
: review+
jorgk-bmo
: approval-comm-beta+
Details | Diff | Splinter Review

By default, Thunderbird records chat conversations on disk, and they can be reviewed at a later time using the "previous conversation" view.

We need to decide, if OTR messages shall be recorded on disk, too, or if they should be excluded. Potentially, it might be useful to offer a preference to switch the recording on and off. If we do, we must decide what the default should be.

OTR means "off-the-record", so it might be reasonable to exclude OTR messages from being recorded by default.

See also: https://github.com/arlolra/ctypes-otr/issues/49

Summary: Clarify default for recording OTR conversations → Clarify default for recording/logging OTR conversations

For the large masses, having the logs is probably quite ok. If we want to use otr by default when possible, not having logs could annoy a lot of users.

Maybe logs should be recorded by default, but there could be a per-conversation UI element (button?) to easily remove that conversation when it's over? Also maybe a hidden pref to always remove logs for conversations when they end. This would cover an activist panic-button scenario.

I'm OK with "log by default", given that we target a large set of users, and given that we don't require OTR by default.

I agree we should have a pref for disabling logging of encrypted OTR conversations.

Once you have written it to disk, a forensics analysis can probably recover it from disk. (Probably with a much higher likelyhood than based on temporary files created and things in RAM.)

If the pref is set, instead of removing logs after the conversation ended, I'd prefer not to log them at all. (The computer might crash, then you don't have a change to remove it.)

The conversation can be shown on screen during the active conversation (even if we skip logging to disk).

Let's use this bug to implement the pref, and the code to support it. Changing summary.

I suggest we add another checkbox to the existing account specific OTR prefs.

Assignee: nobody → kaie
Summary: Clarify default for recording/logging OTR conversations → OTR: Allow the user to disable logging of encrypted conversations.
Attached patch 1536104-v1.patch (obsolete) — Splinter Review

The difficult part is, how do we disable logging?

I'm attaching an initial patch, which seems to work, and which disables logging for active encrypted conversations. (I'll work on the pref, and UI for the pref, in the next patch iteration.)

This patch uses the least of amount of changes I could come up with.

(I had investigated other approaches, but they seemed more complicated, and required more changes. Ideally, we'd attach an attribute "disable Logging" to each received and sent OTR message. However, the message objects don't seem to survive through the entire processing. E.g., the "new-text" notification seems to be decoupled from the initial object. It would probably be necessary to pass attributes from the initial message along, while they are being processed by individual chat protocol's code, and include attributes when calling the writeMessage function. There's risk that an implementation might skip that. I think it's better if the code to disable logging doesn't require changes to the individual chat transport code.)

Attached patch 1536104-v2.patch (obsolete) — Splinter Review

includes pref UI

Attachment #9067731 - Attachment is obsolete: true
Attached patch 1536104-v3.patch (obsolete) — Splinter Review

lint

Attachment #9067780 - Attachment is obsolete: true
Attached patch demo-nolog.patch (obsolete) — Splinter Review

just a test

Attachment #9069945 - Attachment is obsolete: true
Attachment #9067965 - Attachment is obsolete: true

Florian, could you please review the updated patch in phab? TIA

Flags: needinfo?(florian)

Florian, let me reply to your comment here, because I'm not sure if you get notifications in phab.

You said about the OTRDefaults module:

This JS module seems pointless. I'm not sure if you created it this way because you have plans for something in the future, but looking at what's present in the current patch, this would be better done with default preference values.

Is it possible to use "default preference values" for "per account" preferences? If yes, do you know how I'd define that?

I added the OTRDefaults module, because I didn't know how to define default values for per-account preferences. I need to query the preference from both inside the OTR module, and also from other chat code. I'd like to avoid hardcoding the pref value in multiple places, that might be confusing. Another alternative is to embed the default values inside the OTR code, and have the other chat code import the OTR.jsm module, if you prefer that.

(In reply to Kai Engert (:kaie:) from comment #11)

Is it possible to use "default preference values" for "per account" preferences?

These don't seem to be per-account defaults, they seem to have the same value globally.
So I'm just saying OTRDefaults.allowMsgLog() can be replaced with Services.prefs.getBoolPref("chat.otrAllowMsgLog") and the default can be stored around https://searchfox.org/comm-central/rev/cfdeb6eb89f7ed5939701dbcace185b20b96accf/mail/app/profile/all-thunderbird.js#717

Flags: needinfo?(florian)

Florian, thanks, I changed the patch as you suggested, new patch in phab.

Flags: needinfo?(florian)

Updated again

Attachment #9072517 - Flags: review+
Keywords: checkin-needed
Comment on attachment 9072517 [details] [diff] [review] 1536104-final.patch Needed for OTR feature
Attachment #9072517 - Flags: approval-comm-beta?

FYI, I have tested this patch on comm-beta.

I had tested earlier revisions with comm-central, but cannot test it with latest comm-central, because of bug 1559790

Flags: needinfo?(florian)

Yes, you can ;-)

Attachment #9072517 - Flags: approval-comm-beta? → approval-comm-beta+

Thanks Jörg! Works in comm-central.

Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/809b8d802ea7
OTR: Allow the user to disable logging of encrypted conversations. r=florian

Status: NEW → RESOLVED
Closed: 5 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Instantbird 69
Component: General → Security: OTR
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: