Title: Time to sunset OTR
Date: 2020-08-06 16:30

Off-the-Record ([OTR]( https://otr.cypherpunks.ca/ )) Messaging is an amazing
cryptographic protocol granting neat properties to your conversations:
encryption, authentication, deniability as well as perfect forward secrecy. It
was created by [Nikita Borisov]( https://en.wikipedia.org/wiki/Nikita_Borisov),
[Eric Brewer]( https://en.wikipedia.org/wiki/Eric_Brewer_(scientist)) and
[Ian Goldberg]( https://en.wikipedia.org/wiki/Ian_Goldberg ), around
[2004](https://otr.cypherpunks.ca/otr-wpes.pdf), with a [version 2](
https://otr.cypherpunks.ca/Protocol-v2-3.1.0.html ) in 2005, and a [v3](
https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html ) in 2012.

I've written an [article in French]((unknown)/crypto/otr.md) about its inner
workings and properties. If you don't want to take this opportunity to learn to
read French, but are still interested in learning more about OTR, you should
check [this slide deck]( https://otr.cypherpunks.ca/otr-wpes-present.pdf ). It
was an amazing cryptographic construction at the time.

Unfortunately, the hardcoded modulus it uses is the
[1536-bit MODP Group]( https://www.ietf.org/rfc/rfc3526.txt ),
which isn't safe [according to today's standards](https://keylength.com/en/compare/),
and attacks against it are believed to be both
[practical]( https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf )
and [practised]( https://en.wikipedia.org/wiki/Bullrun_(decryption_program) ).
Moreover, it uses 1024-bit DSA keys for signatures, which are also
[dangerously low]( https://www.keylength.com/en/compare/1024-bit ). This means
that the effective security level of OTRv3 [is around 80 bits](
https://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths ) for
signatures, and [~90 bits]( https://www.keylength.com/en/7/ ) for the key
exchange, which are now way too small to be comfortable. Also, since OTR uses a
fixed group, the expensive precomputation behind such an attack only has to be
done once and can then be reused against every conversation in that group,
[Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)) style.
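
The amortisation point above, as an added example that is not OTR's or Logjam's code: a toy baby-step giant-step solver on a constructed safe prime of about 2^24 (the real group is 1536 bits, where the analogous one-time work is the number field sieve's precomputation, not a lookup table). The baby-step table depends only on the fixed `(p, g)`, so it is built once and every later discrete log in that group costs at most `m` giant steps; `find_safe_prime`, `find_generator`, `FixedGroupSolver` and `demo` are names chosen here.

```python
import math
from typing import Dict, Tuple

def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def find_safe_prime(start: int) -> int:
    """Smallest odd p >= start with both p and (p - 1) // 2 prime."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p

def find_generator(p: int) -> int:
    """In a safe-prime group p = 2q + 1, g generates everything iff g^2 != 1 and g^q != 1."""
    q, g = (p - 1) // 2, 2
    while pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        g += 1
    return g

class FixedGroupSolver:
    """Baby-step giant-step whose baby table is built once per (p, g) and then reused."""
    def __init__(self, p: int, g: int) -> None:
        self.p, self.m = p, math.isqrt(p - 1) + 1  # m^2 > p - 1, so every exponent is reachable
        self.baby: Dict[int, int] = {}              # one-time table: g^j -> j for j < m
        acc = 1
        for j in range(self.m):
            self.baby[acc] = j
            acc = acc * g % p
        self.giant_factor = pow(g, self.m * (p - 2), p)   # (g^m)^-1 via Fermat

    def solve(self, h: int) -> Tuple[int, int]:
        """Return (x, giant_steps) with g^x = h mod p; per-target work is at most m steps."""
        gamma = h % self.p
        for i in range(self.m):
            if gamma in self.baby:                  # h * g^(-i*m) = g^j  =>  x = i*m + j
                return i * self.m + self.baby[gamma], i + 1
            gamma = gamma * self.giant_factor % self.p
        raise ValueError("h is not a power of g")

def demo(bits: int = 24, targets: int = 5) -> dict:
    """Constructed run: one precomputation, then several cheap per-target solves."""
    p = find_safe_prime(1 << bits)
    g = find_generator(p)
    solver = FixedGroupSolver(p, g)
    secrets = [(123457 * k + 98765) % (p - 1) for k in range(targets)]  # constructed exponents
    xs, steps = zip(*(solver.solve(pow(g, x, p)) for x in secrets))
    return {"p": p, "g": g, "baby_steps_once": solver.m,
            "recovered": list(xs) == secrets, "giant_steps_per_target": list(steps)}
```

Running `demo()` shows the table of roughly 4096 baby steps paid once, after which each of the five targets is solved in at most that many giant steps; nothing about this scales to a 1536-bit group, but the cost structure is the same.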

Nowadays, while we're all waiting on
[OTRv4]( https://bugs.otr.im/otrv4/otrv4 ) to be completed and deployed, I would
recommend using the [Signal protocol](
https://en.wikipedia.org/wiki/Signal_Protocol ), inspired by OTR but improved
in every way: stronger crypto, asynchronous messages, post-compromise security,
group chats, and more. If you're using XMPP, you can use
[OMEMO]( https://en.wikipedia.org/wiki/OMEMO ) as well.
