Open Bug 1596194 Opened 6 years ago Updated 3 years ago

OTR: Confusing behavior when both sides send different verification requests to each other

Categories

(Chat Core :: Security: OTR, defect)

Product:
Chat Core
Component:
Security: OTR
Type:
defect

Tracking

(Not tracked)

People

(Reporter: KaiE, Unassigned, NeedInfo)

Details

A and B start an OTR chat. Both get "unverified".

Both want to go to verified. But they don't coordinate. Instead, each side just starts on their own, clicking the verify request, and wait for the other side to respond.

We reproduced this with A sending a "question/answer" request, and B sending a "shared secret" request.

Depending on the order of events:

  • the dialog which the slower side is trying to fill out simply disappears
  • the yellow bar shows "error while verifying"
  • one side might simply sit there and wait for an event to happen, forever

In addition, after a canceled verification, the dropdown menu item to "verify" (item 3) remains grayed out, although it should be allowed to start another verification request.

Expected behavior:
Both sides should detect if there's a concurrent request coming in.
If there is an outgoing request pending, and another request is coming in, then both sides should detect that, and handle it gracefully.
But how?

It's not as easy as "the request that was sent first should win", because if timing is tight, each side might believe that their own request was the first one.

We should check the OTR specification if it defines the behavior for this scenario.

Flags: needinfo?(kaie)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.