Reading over some of the specifications - I really like this approach - I think this is probably the closest I have seen to a truly distributed approach to IM at the protocol layer.
If anyone would like to try the chat interface my address is ricochet:qn6uo4cmsrfv4kzq
What is compromised is the disconnect from a real persona. There are times where you would like everyone to know they are talking to you, but no one to know who you are talking to, or what is being said. It's like publicly listing a pubkey that is linked to your real identity. You want people to have confidence in who they are talking to, sometimes. This is a valuable chat client even if you publicly announce an address. I'm likely to set one up myself, and announce it, if I like the platform, but I haven't really read into it yet.
Of course, if the Tor connection is live, and you are doing anything at all illegal on that connection, your endpoint is now linked to your real identity, so you are not quite as protected as you could be. If you're keeping a chat client like this live, you need to be careful how else you use the connection.
so it's not like blockchain where if you know the realid of addresses you can follow where the coins go.
from first glance i was curious about this aspect. if a connection exists, the end points are known or unknown? if they are known and there is a db of endpoints to realids then these know endpoints are no longer anonymous...
i get that the content is unknowable due to encryption - that's fine. the endpoint identification though, seems pretty cool if this is truly anonymous.
There is no realid. When you are chatting with someone through Richoet you are connecting to a Tor hidden service that is running on their system. Tor goes to great lengths to hide the true identify of both the client and the service when your using hidden services.
i've obviously misread what a TOR hidden service is then (and how connection are established between two end points), will go read again later.
my current understanding is even though an IP Address might not be connected to me personally, all the routers in between me and the destination server know that my IP wants to connect to dest IP . Thus there was some communication between my IP & dest IP at some time, and is in a log if routers keep logs (or any other device that is physically connected to the same physical path that my packets took)
Sounds like TOR hidden services don't create breadcrumbs like this then.
Hm true, although everybody knows the identity, nobody can peek into the chats.
Good point.
That would then allow for generating addresses from speaking aliases, so we don't have to remember GUIDs.
Wondering what the current base for the address is, hopefully just some random number persisted on the computer.
Tbh I2P would be a more suitable platform to build a messenger similar platform to Ricochet, in fact there was an effort to get exactly that up and running called Invisible.im, but that later merged with Ricochet to avoid duplication.
But as I2P is the ideal network, I2P-Messenger is far from the ideal client. Most of the code is a mess of if else statements and there are no other features than being able to chat 1on1 with another I2P-Messenger instance.
It is, I believe, still used, but the lack of development is certainly a concern. I believe it's every bit as common to create disposable accounts on other chat clients and just enable OTR[0] for whatever protocol you use. Traffic is typically still routed through Tor, and since the account is disposable, you shouldn't need to worry about it being linked to you. Only true concern is that the protocol you pick might not be running on a hidden server, so the records of that server could be subpoenaed. However, for example, you can pick hidden xmpp services, which means you only have to trust that the service itself is being run by entities who have no reason to compromise your endpoint or manipulate your chat experience. It means you have to be on the same server as the person you're looking to contact, and it means that you need a way of establishing the identity of the person you're trying to talk to. OTR does this by having secret questions and answers, which have to match at least the first time you talk to someone. I would personally combine this with PGP key verification, if the person has a known public key. It's easy to see someone type in the answer to the secret question, or even guess it if the person doesn't think far enough ahead to make that unlikely, but (hopefully) much more difficult to grab the person's private key and passphrase.
Tox connects directly over P2P though, so unlike this it exposes your IP address to everyone on your friends list (possibly even everyone in the world - I haven't looked too closely at how it announces addresses), and allows a passive adversary to easily see who you're talking to and when.
Also Tox over Tor needs to use Exit nodes to access the bootstrap servers, as there currently isn't any native support for hidden service address resolution.
This makes the same mistake as Tox, unsafe native code. These kinds of projects need the same level of detail and provable correctness that goes into space or nuclear control systems.
Far from having comparable resources to billion dollar space and nuclear corporations, FOSS developers often have no funding at all and work entirely in our spare time, for free. Any attempt to accomplish "provably correct" code with the same attention to detail that goes into space or nuclear systems would kill a typical FOSS project before a single line of code ever got written.
This is likely true today but it's increasingly false. Massive efforts are already underway to develop tooling and methodology for this purpose. Once completed the applications developed with them will be significantly easier to produce. Also, since they're provably correct the "maintenance" metaphor is no longer applicable. What we need is provably correct code generation for the output of theorem provers like Coq. These tools generate a large portion of the proof automatically. Programs can be inferred directly from proofs using the Curry-Howard Correspondence. Interesting discussion here: http://www.mail-archive.com/sc-l@securecoding.org/msg01278.h...
> Also, since they're provably correct the "maintenance" metaphor is no longer applicable.
If you want your software to never change, then sure, a proof of correctness is enough. But I've yet to see a piece of software that is both relevant and never has to adapt to new requirements.
Agreed. When I said "maintenance" I was referring to the continuous post hoc work needed to uphold the original functionality as it encounters the full range of it's potential input.
One can start by not using insecure languages and practices. Using C/C++ for this application domain is a non-starter, now matter how many times one can trump the word free. Does the existence of a free but flawed product make the "secure chat" universe demonstrably better?
The level of blasé disregard for basic secure coding makes me think it is on purpose. More attention to security has been put into Postfix and OpenSSH than any of these encrypted but in no way provably secure chat systems.
> Using C/C++ for this application domain is a non-starter
What language would you use?
The requirements are that it be low-level enough that you can zero keys from memory and needs to be able to be ported to every major OS, including iOS and Android.
What I would use and languages that applicable aren't the same. I'd probably use OCaml. But almost anything is better than C/C++ for this domain. If the goal was to get as many programmers, with the widest distribution, Java 7 would be an excellent choice. RoboVM can compile to native for the platforms that don't have the required runtime. Others might use Rust, ATS or Idris. Hell, even Lua with a small C core (NACL, os calls, etc) would be better.
The red herring that gets trotted out is timing and side channel attacks, crypto itself can still be done in nacl. But everything else, GUI interaction, network interaction and parsing of external data should be done in a safe language.
The same argument has been said for Java (but turned out to have worse problems in practice), Ruby (where if you every wrote something in Rails you've been vulnerable halv a dozen times by now) and PHP (and any commentary here should be unnecessary).
Sure, all the obscure languages you mention which never had even one project with a fraction of the usage base of Apache or Postfix may have no known security problems, but that's not a something to boast about. If you really want these languages to succeed, build a project with the potential user base of Nginx or Linux. Just don't complain about other's language choices, especially not when those are well known and well understood ones.
Everybody and their cat knows that. It's also not a functional web browser yet, and doesn't have a measureable market share compared to Firefox and Chrome, which are C++. Let's compare CVEs when it's at least in the top three. But if it survives one day at cansecwest I would be thoroughly impressed.
I think you're conflating three issues. One is of course unsafe native code, which could at least in part be fixed by picking a different programming language (cough Rust) that has stronger guarantees. Another is correctness of the implementation with regard to the specification. That is a lot more difficult to verify, and understandably a very big security concern. Third is the security of of the specification itself, which might be easier to prove, but is still no simple feat.
Most professional cryptographers write code in C. And what is arguably the best crypto library (NaCl) is written in C. Look, safety is a great idea. Unfortunately, things like cryptography need to be fast if you expect people to use them, and it is impossible to get the fastest levels of performance without using a low level language and dropping to assembly when necessary.
This is untrue. Java is very fast once the JIT warms up. The biggest cost to java is the startup time, but for a long running application it's not really an issue.
In fact, Java can be faster than C for a long running application, because you avoid problems like memory fragmentation. Garbage collection can compact used objects into smaller sets of memory, improving cache utilization.
The parent comment said that they need to write it in C in order for it to be fast enough for people to use it, which is false.
As for timing attacks, it's very very hard to write sidechannel resistant code in any language, I don't believe Java is particularly harder. C/C++ is not as deterministic as you would think.
Crypto is a only a small part of a project like this. Crypto isn't where a messaging client is going to break. Most likely it will be in parsing data the network. There is no reason to use C for the entire application because NaCl is in C, even if everyone on the project is Daniel J. Bernstein.
Whoa. Am I right in thinking that the proper fix would be not to use the system() function in the first place, so that you don't have to guess the escaping rules of whatever shell the user happens to be using?
One non-fatal point but something to be aware of with this approach; the list of hidden service addresses isn't itself hidden, and these servers are easy to fingerprint. So it's trivial to discover the list of all Ricochet identities, and also know when they are online (so over time perhaps who is talking to who).
Also, Tor hidden services are not necessarily designed for the case of a single address coming online and offline repeatedly. I don't think there are specific known exploits for that case other than the timing issues, but the other thing that comes to mind is cycling through too many guard nodes over time.
This is a good point. The metadata about time online might well be enough to pinpoint who is talking to who, over a long enough time. One option to avoid this is to get rid of status indicators, though that is inelegant and means the message would have to sit on the server at least until it expired. I'm not too concerned with the messages sitting on the server, because if the message passes through the server, then they could be storing it either way, and I'm already trusting that they will do that responsibly. Well, at the very least, trusting them to do that responsibly as long as there is no algorithm for faster large prime factorization, and the message is unreadable to them anyway. Expiration timers could be deliberately very short, which would reduce server load. I would personally allow the expiration timer to be user-set, because I believe the average security conscious person is going to want the timer to be short, unless there is a reason for the message to hang around.
Of course, this doesn't completely address the issue. It would still be theoretically possible to check for connections to the server, and determine online/offline status just from whether the messages are going out immediately after being sent in. Even generating fake data might not be enough to completely reduce that theoretically possible to the realm of technically impossible. It's still a risk to keep in mind. You can also never truly rule out that the service itself is compromised by an entity who wants your (meta or otherwise) data. You're safest disposing of your identity regularly, to disconnect previous conversations from new ones, if you're concerned about metadata analysis, which is considerably less elegant of a solution.
Of course, if your identity is anonymous, you don't truly have to worry about the metadata analysis, unless the person on the other end is compromised by a malicious agent, and knows details about you that could deanonymize you....
I can see a fairly simple extension assuming a friend-of-a-friend style forwarding. It would be that much slower than one-on-one and participants have to remain online for the chat not to experience splits.
As soon as the thing needs to work with participants joining/leaving at will you'd need some kind of supernode or hidden server and that's a vulnerability.
Distributed databases have solved both the problem of splits, and requiring a fixed master server. MongoDB for example has a master node, but if this leaves the other nodes will elect a new one. All nodes accept queries and will sync up over time.
Sure, push notification needs a central server. But guys, we so badly need a mobile IM that meets similar security standards as this project. Do it, and the world will honor you.
Should the central server be the only missing component of a reliable, secure-paranoid, mobile IM system, I would be happy donating some dollars.
Soon I'll be resuming work on a privacy-conscious push server design, originally intended to enhance the poor user experience of the existing ChatSecure iOS client (OTR/XMPP/Tor).
The general idea is that you'd fetch tokens from the server that allow people to send pushes to you, then distribute them to trusted contacts over an secure channel. Contacts would then be able to send you pushes from any endpoint of choice. Somewhat less metadata than existing solutions, and an opportunity for client diversity.
Actually I myself cloned ChatSecure iOS, built it, and played it for a while. It's a nice app with elegant interface yet lacks push notification. If you plan to improve it, I would be happy to be a beta tester :-)
p.s.
So honest is this app to explicitly state that I need to keep it foreground to receive new message from XMPP server.
Does push "need" a central server? I connect to my IMAP server from K-9 Mail on my OnePlus One running Android using a Tor hidden service. And I have IMAP IDLE turned on, so a persistent connection is maintained. So as soon as an email arrives, it is pushed to my phone and I am notified. With no third party push service involved. And my phones battery still lasts about one and a half to two days.
What about Telegram? Seems to work well for me, and a key thing is it has a desktop client. The thing which annoys me about it though is by default it isn't client-to-client encrypted. When you create a "secret chat" which is fully encrypted, it doesn't work on all your devices.
Telegram's crypto is probably broken - they are using weird 90's and unproven crypto modes instead of normal stuff, and their "crypto challenge" is bogus, if you are to believe tptacek.
They also have attitude of "oh we are smart, you just don't get it", which is not the way anyone should think about cryptography.
I downloaded and ran your precompiled x86-64 binaries ..
It kept hanging with message
"May 25 11:52:06.000 [notice] While fetching directory info, no running dirservers known. Will try again later. (purpose 14)"
It is not usable too. Tried sending request to ricochet:qn6uo4cmsrfv4kzq
It refused to move beyond Request:Pending connection
If anyone would like to try the chat interface my address is ricochet:qn6uo4cmsrfv4kzq