Better Pidgin OTR security
Type of work: Code
We need to allow only OTR protocol v2 and later, to circumvent the protocol version negotiation attack described in Finite-State Security Analysis of OTR Version 2 ... until the protocol and libotr themselves are fixed.
This is fixed in 4.0.0 beta 1 (commit 7ffba65f).
Let's wait for Tails to be based on Wheezy, as the bug will be fixed through a Wheezy point-release in libotr 3.2.1-1+deb7u1 (Debian bug 725779).
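
The restriction described above (accept only OTR v2 and later), as an added example that is not Pidgin's or libotr's own code: a version selector for OTR query messages that refuses to start a session when only v1 is on offer. The `ALLOW_*` bits and the function names are hypothetical; the query-message forms are those of the OTR specification.

```c
#include <string.h>

/* Hypothetical policy bits for this example (not libotr's own definitions). */
#define ALLOW_V1 0x01u
#define ALLOW_V2 0x02u
#define ALLOW_V3 0x04u

/* Parse an OTR query message into a bitmask of the versions the peer offers.
 * Per the OTR spec: "?OTR?" offers v1, "?OTRv2?" offers v2,
 * "?OTR?v2?" offers v1 and v2, "?OTRv23?" offers v2 and v3. */
unsigned offered_versions(const char *msg)
{
    unsigned offered = 0;
    const char *p = strstr(msg, "?OTR");
    if (p == NULL)
        return 0;               /* not a query message */
    p += 4;
    if (*p == '?') {            /* bare "?OTR?" means version 1 */
        offered |= ALLOW_V1;
        p++;
    }
    if (*p == 'v') {            /* 'v', then version digits, closed by '?' */
        const char *end = strchr(p, '?');
        if (end == NULL)
            return offered;     /* unterminated version list: ignore it */
        for (p++; p < end; p++) {
            if (*p == '2') offered |= ALLOW_V2;
            if (*p == '3') offered |= ALLOW_V3;
        }
    }
    return offered;
}

/* Pick the highest version allowed by both the peer's offer and the local
 * policy. Returns 0 when there is no acceptable version: do not start OTR. */
int select_version(const char *msg, unsigned policy)
{
    unsigned common = offered_versions(msg) & policy;
    if (common & ALLOW_V3) return 3;
    if (common & ALLOW_V2) return 2;
    if (common & ALLOW_V1) return 1;
    return 0;
}
```

With a policy of `ALLOW_V1 | ALLOW_V2`, a query that arrives offering only v1 is accepted at v1; with `ALLOW_V2 | ALLOW_V3`, the same query yields 0 and no session is started, which is the behaviour this ticket asks for.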