Conversations: Clarification on OTR functionality in Legacy Conversations

I don't think the protocol actually specifies how to do verification. If
you are under any sort of risk I can only advise not to use OTR. It has
been removed for a reason.

I think that's false.

From https://otr.cypherpunks.ca/index.php#faqs

Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:
[...]
Authentication
You are assured the correspondent is who you think it is.

From https://otr.cypherpunks.ca/Protocol-v3-4.1.1.html

The general idea is that Alice and Bob do an unauthenticated Diffie-Hellman (D-H) key exchange to set up an encrypted channel, and then do mutual authentication inside that channel.

From https://otr.cypherpunks.ca/help/authenticate.php

You should authenticate a buddy the very first time that you talk to them using OTR. If you don't, then you can't really be sure that someone else isn't impersonating them or trying to listen in on your conversation. However, once you've authenticated your buddy once, you don't have to do it again. OTR will automatically do the authentication for all of your future conversations with that buddy.
The only exceptions occur when your buddy switches between multiple computers or multiple IM accounts. In this case, you will need to authenticate once for each computer and account. Once you've done this, your buddy can freely use any of the computers you've authenticated them on, and OTR will recognize them automatically. If your buddy uses a new computer or account that OTR does not recognize, a message will pop up in your conversation window telling you about it.

The fact you are apparently unaware of this is very troubling, indeed.

Didn't Conversations already have this?

That was also my impression, but the author is indicating he did not properly implement such a mechanism. So it remains unanswered, whether OTR in Conversations ever vulnerable to a MITM due to no actual verification. The fact that I can't get a straight answer to this question is really disappointing.

I’m not sure whats not to understand if I say that Conversations didn’t do any sort of verification.

Are you purposefully being facetious? Conversation prompted to verify OTR participants' identities, exactly like @licaon-kter showed in the screenshot, either through Q&A or by manually verifying fingerprints. So what I don't understand is why you keep saying there's no verification - was the aforementioned functionality not effectual, or do you mean something else entirely by "verification"?

I receive a warning about "OMEMO fingerprint blindly trusted" or something similar, but not when setting up OTR (yet). It would seem to me that the OMEMO implementation is the one that's dangerous, not OTR. I'm using 1.23.8

@jesse-git Settings-Expert-Disable BTBV

Read about BTBV here: https://gultsch.de/trust.html

Thank you for that explanation and for preserving the "classic" behavior as an option. I, for one, am the type of user who wants to verify keys if at all possible and am willing to spend the extra couple of minutes doing it.

Yeah I also noticed that at some point the default became to blindly trust instead of verifying keys. I thought it very strange at the time (and still do) in such a security/privacy focused app.

Whenever I turn new people on to Conversations and XMPP I always explain what MitM attacks are and why it's important to verify keys. And then we do it together. It only takes a few moments.

Incidentally, I also noticed that the barcode scanner finally works to do this, making it even easier!

So why do you made OTR available in the 1st place if you now admit that it wasn't correctly implemented, knowingly? What you saying is that everyone who used OTR in conversations was betrayed by fake security from the start.
Conversations isn't trustworthy cause of its developer.